OvmfPkg: strip build paths in release builds

GenFw will embed a NB10 section which contains the path to the input file,
which means the output files have build paths embedded in them.  To reduce
information leakage and ensure reproducible builds, pass --zero in release
builds to remove this information.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3256
Signed-off-by: Ross Burton <ross.burton@arm.com>
Message-Id: <20210324115819.605436-1-ross.burton@arm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 65c42284d94149e2345098887f569787d7a9534a..69a05feea9d2304f7da38f1a18807162f203bb73 100644 (file)
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -78,6 +78,7 @@
   GCC:*_*_X64_GENFW_FLAGS   = --keepexceptiontable\r
   INTEL:*_*_X64_GENFW_FLAGS = --keepexceptiontable\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index 4a1cdf5acad0e6b09a50ed3b75e928eceb4e70a3..132f55cf69b5a914053accdb74d42ec4b8887f6b 100644 (file)
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -76,6 +76,7 @@
   GCC:*_*_X64_GENFW_FLAGS   = --keepexceptiontable\r
   INTEL:*_*_X64_GENFW_FLAGS = --keepexceptiontable\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 1eaf3e99c6c5d2c41b8c0cfb1a869975288f3e55..93c209950c7bbf6264ef26e109b911c9a0e3c92b 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -80,6 +80,7 @@
 !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(TOOL_CHAIN_TAG) != "CLANGPDB"\r
   GCC:*_*_*_CC_FLAGS                   = -mno-mmx -mno-sse\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 4a5a430147256fcc98a98771ff73e6de184c929f..97cc438250d5e692079e27653931161c6321b71f 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -84,6 +84,7 @@
   GCC:*_*_X64_GENFW_FLAGS   = --keepexceptiontable\r
   INTEL:*_*_X64_GENFW_FLAGS = --keepexceptiontable\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index d4d601b44476ff659783d263a9ec07aa02d49085..f544fb04bfdeb7efb3c1d5e8ad93dadf983c9191 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -84,6 +84,7 @@
   GCC:*_*_X64_GENFW_FLAGS   = --keepexceptiontable\r
   INTEL:*_*_X64_GENFW_FLAGS = --keepexceptiontable\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r

diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 507029404f0bbdf449849bac7f81f6b7f0567919..fcaa35acf1cd51fa794a2b3d131f8587dc4f2476 100644 (file)
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -74,6 +74,7 @@
   GCC:*_*_X64_GENFW_FLAGS   = --keepexceptiontable\r
   INTEL:*_*_X64_GENFW_FLAGS = --keepexceptiontable\r
 !endif\r
+  RELEASE_*_*_GENFW_FLAGS = --zero\r
 \r
   #\r
   # Disable deprecated APIs.\r