Allow loading dependencies by name #1594
Merged
+458
−102
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aleksei-fedotov
requested review from
pavelkumbrasev
and removed request for
pavelkumbrasev
egfefey
reviewed
Jan 9, 2025
egfefey
reviewed
Jan 9, 2025
egfefey
reviewed
Jan 9, 2025
egfefey
reviewed
Jan 13, 2025
egfefey
reviewed
Jan 13, 2025
egfefey
reviewed
Jan 13, 2025
aleksei-fedotov
force-pushed
the
load-dependencies-by-name
branch
from
3872b7b to
4605226
Compare
kboyarinov
reviewed
Jan 14, 2025
egfefey
reviewed
Jan 17, 2025
egfefey
reviewed
Jan 17, 2025
Contributor
egfefey
left a comment
egfefey
left a comment
There was a problem hiding this comment.
From the security standpoint, this is good for now.
A few notes:
- This is still up for discussion but anything beside ERROR_SUCCESS from WinVerifyTrust should result in an error instead of a warning sometimes. The user always has to option to turn off signature verification if they want, so once it's on, it's either success or failure.
- Might also need review from the TBB team.
- If there are some testing results that we can share, that will be great.
egfefey
reviewed
Jan 29, 2025
Contributor
egfefey
left a comment
egfefey
left a comment
There was a problem hiding this comment.
Update to use SearchPathA is good from the security point of view.
aleksei-fedotov
force-pushed
the
load-dependencies-by-name
branch
from
dd5a544 to
5e6c672
Compare
Contributor
Author
Thanks, @egfefey! Then I proceed with productization of this patch. |
isaevil
reviewed
Feb 11, 2025
aleksei-fedotov
force-pushed
the
load-dependencies-by-name
branch
from
6f001d1 to
65b3f89
Compare
isaevil
reviewed
Feb 18, 2025
aleksei-fedotov
force-pushed
the
load-dependencies-by-name
branch
from
81f5e1b to
6b276c7
Compare
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
aleksei-fedotov
force-pushed
the
load-dependencies-by-name
branch
from
6b276c7 to
d11e413
Compare
aleksei-fedotov
commented
Mar 17, 2025
isaevil
reviewed
Mar 20, 2025
aleksei-fedotov
changed the title
kboyarinov
previously approved these changes
Mar 20, 2025
Contributor
kboyarinov
left a comment
kboyarinov
left a comment
There was a problem hiding this comment.
LGTM overall but I didn't review warnings and error codes in details
Contributor
|
@aleksei-fedotov Please adjust the description because signature check is now OFF by default. |
isaevil
previously approved these changes
Mar 21, 2025
aleksei-fedotov
dismissed stale reviews from isaevil and kboyarinov
via
81072c0
isaevil
approved these changes
Mar 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR allows loading dependencies by module name only as it is proposed in this RFC. To strengthen the security and avoid loading malicious code, the signature verification for modules being loaded is also introduced.
However, to avoid breaking compatibility with existing scenarios, the signature verification is disabled by default. To notify about that the following CMake warning appears on the console when
cmakecommand is invoked for the first time:, drawing user's attention to this change and allowing to explicitly choose whether user wants unsigned or having incorrect signature modules to be loaded or not.
To avoid loading of such modules, user needs specifying
-DTBB_VERIFY_DEPENDENCY_SIGNATURE=ONflag in the invocation command of CMake. In this case the warning transforms in a regular status message of the form:If, however, user ignores the warning, the following invocations of
cmakecommand show that the signature verification setting remains disabled:The patch also adds optional reporting of dynamic link issues. Examples of the output:
The issues reporting is disabled by default and can be enabled by setting
TBB_DYNAMIC_LINK_WARNINGmacro during the build.