diff --git a/.azure-pipelines/1ES.Build.yml b/.azure-pipelines/1ES.Build.yml index d3647ee15..3aa2e3fc7 100644 --- a/.azure-pipelines/1ES.Build.yml +++ b/.azure-pipelines/1ES.Build.yml @@ -92,8 +92,8 @@ extends: # (mxc-binaries-) so Package_MXC_NPM_SDK can consume it. - template: .azure-pipelines/templates/Mac.Build.Job.yml@self - - stage: Package_MXC_NPM_SDK - displayName: 'Package Npm Sdk' + - stage: Package_MXC + displayName: 'Package MXC' dependsOn: Build_Binaries jobs: - template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self @@ -112,6 +112,8 @@ extends: ESRPInfo: ${{ parameters.ESRPInfo }} + - template: .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml@self + - stage: SDK_Unit_Tests displayName: 'SDK Unit Tests' dependsOn: [] @@ -122,7 +124,7 @@ extends: - stage: SDK_Integration_Tests displayName: 'SDK Integration Tests' - dependsOn: Package_MXC_NPM_SDK + dependsOn: Package_MXC jobs: - template: .azure-pipelines/templates/SDK.Integration.Test.Job.yml@self parameters: diff --git a/.azure-pipelines/templates/Mac.Build.Job.yml b/.azure-pipelines/templates/Mac.Build.Job.yml index 4f009291f..fbb61ca11 100644 --- a/.azure-pipelines/templates/Mac.Build.Job.yml +++ b/.azure-pipelines/templates/Mac.Build.Job.yml @@ -89,6 +89,15 @@ jobs: contents: mxc-exec-mac targetFolder: $(outputDirectory)/$(targetTriple) + # Copy the .dSYM bundle into a sibling `symbols/` subdir, mirroring the + # Windows/Linux pattern (see Rust.Build.Job.yml for the BinSkim rationale). + - task: CopyFiles@2 + displayName: Copy dSYM bundle + inputs: + sourceFolder: $(targetTripleDir) + contents: 'mxc-exec-mac.dSYM/**' + targetFolder: $(outputDirectory)/$(targetTriple)/symbols + - task: 1ES.PublishPipelineArtifact@1 displayName: Publish inputs: diff --git a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml new file mode 100644 index 000000000..633fa6b87 --- /dev/null 
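Review bot: The unchanged context line just above the rename, `# (mxc-binaries-) so Package_MXC_NPM_SDK can consume it.`, still names the stage this hunk renames to `Package_MXC`, so the comment now points at an id that no longer exists; update it to `# (mxc-binaries-) so Package_MXC can consume it.`. The third hunk retargets `SDK_Integration_Tests` to `dependsOn: Package_MXC`, and because that stage now also carries the new `Mxc.Binary.Packaging.Job.yml` job, the integration tests will wait on — and be blocked by a failure of — the release-zip packaging even if they only consume the npm package; if that widening is unintended, putting the release-zip job in its own stage keeps the gate narrow. The `extends:` block holding these stages starts and ends outside the hunks.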
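Review bot: The added `CopyFiles@2` step with `contents: 'mxc-exec-mac.dSYM/**'` succeeds silently when no `.dSYM` bundle exists under `$(targetTripleDir)`, so a build that stops emitting the bundle would publish an artifact whose `symbols/` folder is quietly empty and the release zip would ship without macOS symbols. A guard step before the copy makes that visible: `- script: test -d "$(targetTripleDir)/mxc-exec-mac.dSYM"` with `displayName: Verify dSYM bundle exists`. The comment points to Rust.Build.Job.yml for the BinSkim rationale, which concerns Windows pdbs; a few words saying the macOS split only mirrors that layout would avoid implying BinSkim runs on this job. The enclosing job starts outside the hunk.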
+++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml 
@@ -0,0 +1,61 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +# +# Bundles the per-arch build artifacts into a single mxc-release-binaries.zip +# (x64/ + arm64/ folders containing executables and symbol files) for upload +# to the GitHub Release page, until we publish to a symbol server. Runs in +# parallel with the npm SDK packaging job. + +parameters: +- name: targets + type: object + default: + - artifact: wxc-binaries-x86_64-pc-windows-msvc + sdkArch: x64 + - artifact: wxc-binaries-aarch64-pc-windows-msvc + sdkArch: arm64 + - artifact: lxc-binaries-x86_64-unknown-linux-gnu + sdkArch: x64 + - artifact: lxc-binaries-aarch64-unknown-linux-gnu + sdkArch: arm64 + - artifact: mxc-binaries-aarch64-apple-darwin + sdkArch: arm64 + +jobs: +- job: package_mxc_release_binaries + displayName: Package Mxc Release Binaries + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + variables: + stagingDirectory: $(Build.SourcesDirectory)/release-binaries-staging + outputDirectory: $(Build.SourcesDirectory)/out + artifactName: mxc-release-binaries + + steps: + - checkout: none + + # Download all per-arch artifacts into a flat / layout matching the + # one that ships in the npm package. + - ${{ each target in parameters.targets }}: + - task: DownloadPipelineArtifact@2 + displayName: Download ${{ target.artifact }} + inputs: + artifact: ${{ target.artifact }} + path: $(stagingDirectory)/${{ target.sdkArch }} + + - task: ArchiveFiles@2 + displayName: Archive mxc-release-binaries.zip + inputs: + rootFolderOrFile: '$(stagingDirectory)' + includeRootFolder: false + archiveType: zip + archiveFile: '$(outputDirectory)/release-binaries/mxc-release-binaries.zip' + replaceExistingArchive: true + + - task: 1ES.PublishPipelineArtifact@1 + displayName: Publish mxc-release-binaries artifact + inputs: + path: '$(outputDirectory)/release-binaries' + artifactName: $(artifactName) 
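Review bot: The new job zips whatever the per-arch artifacts contain and publishes the result for the GitHub Release page, but nothing in this template signs the executables or checks that they are signed; the npm packaging job receives `ESRPInfo`, which suggests signing lives there, so if the artifacts downloaded here are the raw build outputs this zip will publish unsigned binaries — cannot tell from the diff whether the build jobs sign before publishing, please confirm. A checksum next to the archive lets consumers verify the download; one step after `ArchiveFiles@2`: `- script: sha256sum mxc-release-binaries.zip > mxc-release-binaries.zip.sha256` with `workingDirectory: $(outputDirectory)/release-binaries`. The `targets` default duplicates the list in `Package.NpmSdk.Job.yml` (plus the darwin entry), so adding a target later has to be done in two places; passing the list from `1ES.Build.yml` would keep them from drifting. Note that `wxc-binaries-x86_64-pc-windows-msvc` and `lxc-binaries-x86_64-unknown-linux-gnu` both download into `$(stagingDirectory)/x64`, which matches the npm layout as the comment says but relies on the two artifacts never sharing a filename.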
diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 9f1334c0c..de98cc2f2 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -2,16 +2,24 @@ # Licensed under the MIT License. parameters: -- name: Targets +- name: targets type: object - default: [] # list of { artifact, path, sdkArch } + default: + - artifact: wxc-binaries-x86_64-pc-windows-msvc + sdkArch: x64 + - artifact: wxc-binaries-aarch64-pc-windows-msvc + sdkArch: arm64 + - artifact: lxc-binaries-x86_64-unknown-linux-gnu + sdkArch: x64 + - artifact: lxc-binaries-aarch64-unknown-linux-gnu + sdkArch: arm64 - name: ESRPInfo type: object default: {} jobs: -- job: package_mxc_npm_sdk - displayName: Package Mxc Npm Sdk +- job: package_npm_sdk + displayName: Package Npm Sdk pool: name: Azure-Pipelines-1ESPT-ExDShared image: ubuntu-latest @@ -42,6 +50,10 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec + # Drop symbol files from the npm package — symbols ship separately. + - script: rm -rf $(sdkDirectory)/bin/*/symbols + displayName: Strip symbols/ from npm package + - script: | set -euo pipefail find $(sdkDirectory)/bin -name mxc-exec-mac -exec chmod +x {} + diff --git a/.azure-pipelines/templates/Rust.Build.Job.yml b/.azure-pipelines/templates/Rust.Build.Job.yml index 909c4ec62..796118f12 100644 --- a/.azure-pipelines/templates/Rust.Build.Job.yml +++ b/.azure-pipelines/templates/Rust.Build.Job.yml 
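Review bot: This hunk renames the parameter `Targets` to `targets` and the job id `package_mxc_npm_sdk` to `package_npm_sdk`, but the caller in `1ES.Build.yml` is only touched for the stage rename and the added template; if it still passes `Targets:` (the lines between `- template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self` and `ESRPInfo:` are not in the diff) the template will reject the unknown parameter, and anything keyed on the old job id breaks — cannot tell from here, please confirm. The removed default comment documented entries as `{ artifact, path, sdkArch }`; the new default omits `path`, so a download step further down that still reads `target.path` would expand to empty. The `rm -rf $(sdkDirectory)/bin/*/symbols` step in the second hunk is deliberately best-effort (a missing folder is not an error), which is fine, but a comment such as `# symbols/ is expected to exist (see Rust.Build.Job.yml); it is removed only from the npm tree` would tell the next reader the folder is not stale leftovers. The job definition continues outside both hunks.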
@@ -175,6 +175,21 @@ jobs: contents: wslcsdk.dll targetFolder: $(outputDirectory)/$(targetTriple) + # Copy symbol files into a sibling `symbols/` subdir, NOT alongside the + # binaries. Workaround for BinSkim BA2007: when the pdb is co-located, + # BinSkim reads its S_COMPILE3 records and flags `-wd4146` in the + # statically-linked MS CRT obj files (libucrt.lib internals). We still + # want +crt-static so consumers don't need a vcruntime DLL — separating + # the pdb hides those records from BinSkim without changing the binary. + - task: CopyFiles@2 + displayName: Copy symbol files + inputs: + sourceFolder: $(targetTripleDir) + contents: | + *.pdb + *.dwp + targetFolder: $(outputDirectory)/$(targetTriple)/symbols + - task: 1ES.PublishPipelineArtifact@1 displayName: Publish inputs: diff --git a/.cargo/config.toml b/.cargo/config.toml index 57314ef69..e027d8b4a 100644 --- a/.cargo/config.toml +++ b/.cargo/config.toml 
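Review bot: Moving the pdb into `symbols/` so BinSkim cannot find it switches off BinSkim's pdb-derived analysis for the whole binary, not only for the libucrt objects that trigger BA2007; any future warnings-disabled code in the crate itself will also go unflagged, and the comment should say so rather than only describing the trigger (`# NOTE: hiding the pdb also disables every other pdb-based BinSkim check for this binary; a scoped BA2007 suppression would be preferable if the tooling supports one`). A scoped exception — suppressing BA2007 for the CRT modules in the BinSkim configuration or its SARIF baseline, if available in this pipeline — would keep the remaining checks while still allowing `+crt-static`. The `contents` block copies `*.pdb` and `*.dwp` only from the top level of `$(targetTripleDir)`, which matches a Cargo target layout; a quick look at the published Linux artifact would confirm the `.dwp` lands in `symbols/` as intended. The enclosing job starts and ends outside the hunk.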
@@ -1,8 +1,35 @@ -# Use static CRT for Windows targets so vcruntime DLLs don't need to be -# pre-installed on the machine. +# Hardening flags for Windows targets. Most flags apply to both arches; +# /CETCOMPAT is x86/x64 only (Intel Control-flow Enforcement Technology; +# ARM64 uses Pointer Authentication / BTI instead). +# +# Shared flags: +# - control-flow-guard (rustc) + /guard:cf (linker) — Control Flow Guard +# - target-feature=+crt-static — static CRT so vcruntime DLLs aren't needed at runtime +# - /DYNAMICBASE — ASLR +# - /LTCG — link-time codegen (pairs best with profile-level lto = "thin"|"fat") +# - -D warnings — make warnings fatal at compile time + [target.x86_64-pc-windows-msvc] -rustflags = ["-C", "target-feature=+crt-static"] +rustflags = [ + "-C", + "control-flow-guard", + "-C", + "target-feature=+crt-static", + "-C", + "link-args=/guard:cf /DYNAMICBASE /CETCOMPAT /LTCG", + "-D", + "warnings", +] [target.aarch64-pc-windows-msvc] -rustflags = ["-C", "target-feature=+crt-static"] +rustflags = [ + "-C", + "control-flow-guard", + "-C", + "target-feature=+crt-static", + "-C", + "link-args=/guard:cf /DYNAMICBASE /LTCG", + "-D", + "warnings", +] diff --git a/src/Cargo.toml b/src/Cargo.toml index dcc8b48db..745332ea8 100644 --- a/src/Cargo.toml +++ b/src/Cargo.toml @@ -20,6 +20,16 @@ members = [ ] resolver = "3" +# Full debug info so we can analyse customer crash dumps in WinDbg until we +# publish to a symbol server. `strip = "debuginfo"` removes embedded debug +# sections from the binary itself (mainly relevant on Linux — Windows pdbs +# are already split by `split-debuginfo = "packed"`). Full debug info still +# ships via the side-by-side .pdb / .dwp files. +[profile.release] +debug = "full" +split-debuginfo = "packed" +strip = "debuginfo" + [workspace.package] edition = "2021"
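Review bot: Rustflags set in `.cargo/config.toml` are replaced wholesale whenever the `RUSTFLAGS` (or `CARGO_ENCODED_RUSTFLAGS`) environment variable is set, so a pipeline step or developer that exports either silently drops every hardening flag here; the header comment should warn about that (`# NOTE: any RUSTFLAGS env var overrides this whole list — unset it or carry these flags there too`), and the existing BinSkim run is the right place to verify that CFG and CET actually landed in the shipped binaries rather than trusting the config. `-D warnings` lives only in the two Windows target tables, so the same code compiles warning-tolerant on Linux and macOS; if fatal warnings are meant as policy, `[build] rustflags` or the CI `cargo` invocation would apply it uniformly. My understanding is that `/LTCG` only affects objects compiled with MSVC `/GL`, which rustc does not emit, so unless `lto` is set in the release profile the flag is inert — worth confirming against `src/Cargo.toml` so the comment does not promise more than it delivers.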
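Review bot: `debug = "full"` in the release profile, combined with the new packaging job that uploads the `symbols/` folders to the GitHub Release page, publishes private symbol data — local variable names, source file paths (including build-agent paths) and internal function names — with every release; that is an information-disclosure trade-off the comment should state alongside the WinDbg benefit (`# NOTE: the full .pdb/.dwp are published with the release and reveal source paths and private symbols`). If public crash-dump triage is the only goal, a stripped public pdb (MSVC `/PDBSTRIPPED`) can go in the release zip while the full pdb stays in the internal pipeline artifact. `strip = "debuginfo"` removes debug sections but keeps the symbol table (`strip = "symbols"` would remove both), so on Linux the binary still carries names after the `.dwp` is split out — fine if intended, but worth a word in the comment. `[profile.release]` sits at the workspace root and therefore applies to every member; the `members` list is cut off outside the hunk.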