diff --git a/CHANGES.md b/CHANGES.md index c26d63900..5c19506da 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,12 +7,13 @@ - All output files including downloaded thirdparty dependencies and Visual Studio project and solution files will be created in the build directory [(PR 427)](https://github.com/microsoft/SEAL/pull/427). - Reduced `util::try_minimal_primitive_root` search iterations by half [(PR 430)](https://github.com/microsoft/SEAL/pull/430). Thanks, [zirconium-n](https://github.com/zirconium-n)! - Updated .Net SDK version to 6.0.x and supported Visual Studio version to 17 2022. +- Added `SEAL_AVOID_BRANCHING` option to eleminate branching in critical functions when Microsoft SEAL is built with maliciously inserted compiler flags. -## Bug Fixes +### Bug Fixes - Removed exceptions in `KeyGenerator::CreateGaloisKeys` when inputs do not include steps so that even when `EncryptionParameterQualifiers::using_batching` is false Galois automorphisms are still available. -## File Changes +### File Changes - `dotnet/SEALNet.sln` is removed. - `dotnet/SEALNet.sln.in` is added. diff --git a/CMakeLists.txt b/CMakeLists.txt index 22122d8b5..5e67dfabc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -23,7 +23,7 @@ if(NOT CMAKE_BUILD_TYPE) endif() message(STATUS "Build type (CMAKE_BUILD_TYPE): ${CMAKE_BUILD_TYPE}") -project(SEAL VERSION 3.7.2 LANGUAGES CXX C) +project(SEAL VERSION 3.7.3 LANGUAGES CXX C) ######################## # Global configuration # @@ -266,7 +266,7 @@ set_property(CACHE SEAL_DEFAULT_PRNG PROPERTY mark_as_advanced(FORCE SEAL_DEFAULT_PRNG) # [option] SEAL_AVOID_BRANCHING (default: OFF) -# Avoid branching in conditional move operations if set to ON, use faster method if set to OFF. +# Avoid branching in critical conditional move operations if set to ON, use faster method if set to OFF. set(SEAL_AVOID_BRANCHING_STR "Use an always branching-free conditional move") option(SEAL_AVOID_BRANCHING ${SEAL_AVOID_BRANCHING_STR} OFF) message(STATUS "SEAL_AVOID_BRANCHING: ${SEAL_AVOID_BRANCHING}") diff --git a/README.md b/README.md index 49947f5d1..a77045c51 100644 --- a/README.md +++ b/README.md @@ -430,6 +430,7 @@ The following options can be used with CMake to further configure the build. Mos | SEAL_BUILD_STATIC_SEAL_C | ON / **OFF** | Set to `ON` to build SEAL_C as a static library instead of a shared library. | | SEAL_DEFAULT_PRNG | **Blake2xb**
Shake256 | Microsoft SEAL supports both Blake2xb and Shake256 XOFs for generating random bytes. Blake2xb is much faster, but it is not standardized, whereas Shake256 is a FIPS standard. | | SEAL_USE_GAUSSIAN_NOISE | ON / **OFF** | Set to `ON` to use a non-constant time rounded continuous Gaussian for the error distribution; otherwise a centered binomial distribution – with slightly larger standard deviation – is used. | +| SEAL_AVOID_BRANCHING | ON / **OFF** | Set to `ON` to eliminate branching in critical conditional move operations when compiler has maliciously inserted flags; otherwise assume `cmov` is used. | | SEAL_SECURE_COMPILE_OPTIONS | ON / **OFF** | Set to `ON` to compile/link with Control-Flow Guard (`/guard:cf`) and Spectre mitigations (`/Qspectre`). This has an effect only when compiling with MSVC. | | SEAL_USE_ALIGNED_ALLOC | **ON** / OFF | Set to `ON` to use 64-byte aligned memory allocations. This can improve performance of AVX512 primitives when Intel HEXL is enabled. This depends on C++17 and is disabled on Android. | diff --git a/cmake/SEALConfig.cmake.in b/cmake/SEALConfig.cmake.in index 609053c3e..a84fffb1b 100644 --- a/cmake/SEALConfig.cmake.in +++ b/cmake/SEALConfig.cmake.in @@ -27,6 +27,7 @@ # validation code (little impact on performance) # SEAL_USE_GAUSSIAN_NOISE : Set to non-zero value if library is compiled to sample noise from a rounded Gaussian # distribution (slower) instead of a centered binomial distribution (faster) +# SEAL_AVOID_BRANCHING : Set to non-zero value if library is compiled to eliminate branching in critical conditional move operations. # SEAL_DEFAULT_PRNG : The default choice of PRNG (e.g., "Blake2xb" or "Shake256") # # SEAL_USE_MSGSL : Set to non-zero value if library is compiled with Microsoft GSL support @@ -70,6 +71,7 @@ set(SEAL_USE_NODISCARD @SEAL_USE_NODISCARD@) set(SEAL_THROW_ON_TRANSPARENT_CIPHERTEXT @SEAL_THROW_ON_TRANSPARENT_CIPHERTEXT@) set(SEAL_USE_GAUSSIAN_NOISE @SEAL_USE_GAUSSIAN_NOISE@) +set(SEAL_AVOID_BRANCHING @SEAL_AVOID_BRANCHING@) set(SEAL_DEFAULT_PRNG @SEAL_DEFAULT_PRNG@) set(SEAL_USE_MSGSL @SEAL_USE_MSGSL@) diff --git a/dotnet/tests/SEALNetTest.csproj.in b/dotnet/tests/SEALNetTest.csproj.in index f1ad345ee..ce6b0ce0e 100644 --- a/dotnet/tests/SEALNetTest.csproj.in +++ b/dotnet/tests/SEALNetTest.csproj.in @@ -15,7 +15,7 @@ - + diff --git a/native/bench/CMakeLists.txt b/native/bench/CMakeLists.txt index 8a41ae880..baa905046 100644 --- a/native/bench/CMakeLists.txt +++ b/native/bench/CMakeLists.txt @@ -3,14 +3,14 @@ cmake_minimum_required(VERSION 3.13) -project(SEALBench VERSION 3.7.2 LANGUAGES CXX) +project(SEALBench VERSION 3.7.3 LANGUAGES CXX) # If not called from root CMakeLists.txt if(NOT DEFINED SEAL_BUILD_BENCH) set(SEAL_BUILD_BENCH ON) # Import Microsoft SEAL - find_package(SEAL 3.7.2 EXACT REQUIRED) + find_package(SEAL 3.7.3 EXACT REQUIRED) # Must define these variables and include macros set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/${OUTLIB_PATH}) diff --git a/native/examples/CMakeLists.txt b/native/examples/CMakeLists.txt index e04cba886..89fa5a264 100644 --- a/native/examples/CMakeLists.txt +++ b/native/examples/CMakeLists.txt @@ -3,14 +3,14 @@ cmake_minimum_required(VERSION 3.13) -project(SEALExamples VERSION 3.7.2 LANGUAGES CXX) +project(SEALExamples VERSION 3.7.3 LANGUAGES CXX) # If not called from root CMakeLists.txt if(NOT DEFINED SEAL_BUILD_EXAMPLES) set(SEAL_BUILD_EXAMPLES ON) # Import Microsoft SEAL - find_package(SEAL 3.7.2 EXACT REQUIRED) + find_package(SEAL 3.7.3 EXACT REQUIRED) set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin) endif() diff --git a/native/tests/CMakeLists.txt b/native/tests/CMakeLists.txt index 86292768f..8f9c071ef 100644 --- a/native/tests/CMakeLists.txt +++ b/native/tests/CMakeLists.txt @@ -3,14 +3,14 @@ cmake_minimum_required(VERSION 3.13) -project(SEALTest VERSION 3.7.2 LANGUAGES CXX C) +project(SEALTest VERSION 3.7.3 LANGUAGES CXX C) # If not called from root CMakeLists.txt if(NOT DEFINED SEAL_BUILD_TESTS) set(SEAL_BUILD_TESTS ON) # Import Microsoft SEAL - find_package(SEAL 3.7.2 EXACT REQUIRED) + find_package(SEAL 3.7.3 EXACT REQUIRED) # Must define these variables and include macros set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/${OUTLIB_PATH}) diff --git a/pipelines/jobs.yml b/pipelines/jobs.yml index 00d86a113..1341fc11c 100644 --- a/pipelines/jobs.yml +++ b/pipelines/jobs.yml @@ -11,11 +11,11 @@ jobs: ${{ if eq(parameters.debug, 'false') }}: timeoutInMinutes: 0 pool: - vmImage: 'windows-latest' + vmImage: 'windows-2022' steps: - template: windows.yml parameters: - nuget_version: '5.4.0' + nuget_version: '6.1.0' ${{ if eq(parameters.debug, 'true') }}: configuration: 'Debug' ${{ if eq(parameters.debug, 'false') }}: @@ -67,7 +67,7 @@ jobs: - job: ${{ parameters.name }} displayName: ${{ parameters.name }} pool: - vmImage: 'windows-latest' + vmImage: 'windows-2022' steps: - template: android.yml parameters: @@ -82,8 +82,8 @@ jobs: displayName: ${{ parameters.name }} dependsOn: [Windows, Linux, macOS, Android] pool: - vmImage: 'windows-latest' + vmImage: 'windows-2022' steps: - template: nuget.yml parameters: - nuget_version: '5.4.0' + nuget_version: '6.1.0' diff --git a/pipelines/windows.yml b/pipelines/windows.yml index c491c0c5b..ba4d93208 100644 --- a/pipelines/windows.yml +++ b/pipelines/windows.yml @@ -1,4 +1,30 @@ steps: +- task: CMake@1 + displayName: 'Configure SEAL' + inputs: + cmakeArgs: .. -DCMAKE_BUILD_TYPE='${{ parameters.configuration }}' -DSEAL_BUILD_DEPS=ON -DSEAL_BUILD_TESTS=ON -DSEAL_BUILD_EXAMPLES=ON -DSEAL_BUILD_SEAL_C=ON -DSEAL_SECURE_COMPILE_OPTIONS=ON + workingDirectory: '$(Build.SourcesDirectory)/build' + +- task: MSBuild@1 + displayName: 'Build SEAL' + inputs: + solution: '$(Build.SourcesDirectory)/build/seal.sln' + msbuildArchitecture: 'x64' + platform: 'x64' + configuration: '${{ parameters.configuration }}' + msbuildVersion: 'latest' + +- task: VSTest@2 + displayName: 'VsTest - native tests' + inputs: + testAssemblyVer2: | + **\${{ parameters.configuration }}\*test*.dll + **\${{ parameters.configuration }}\*test*.exe + !**\obj\** + platform: 'x64' + configuration: ${{ parameters.configuration }} + diagnosticsEnabled: True + - task: NuGetToolInstaller@1 displayName: 'Use NuGet' inputs: @@ -10,6 +36,12 @@ steps: restoreSolution: tools/config/packages.config restoreDirectory: ConfigPackages +- task: UseDotNet@2 + displayName: 'Get .NET Core 6.0 SDK' + inputs: + packageType: 'sdk' + version: '6.0.x' + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 displayName: 'Run CredScan' inputs: @@ -17,11 +49,8 @@ steps: outputFormat: sarif debugMode: false -- task: UseDotNet@2 - displayName: 'Get .NET Core 6.0 SDK' - inputs: - packageType: 'sdk' - version: '6.0.x' +- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2 + displayName: 'Run Roslyn Analyzers' - ${{ if eq(parameters.configuration, 'Release') }}: - task: PowerShell@2 @@ -30,63 +59,26 @@ steps: targetType: 'inline' script: | # Get signing certificate - $CertOutFile = Join-Path -Path $env:BUILD_SOURCESDIRECTORY -ChildPath dotnet\src\SEALNetCert.snk + $CertOutFile = Join-Path -Path $env:BUILD_SOURCESDIRECTORY -ChildPath build\dotnet\src\SEALNetCert.snk if (Test-Path env:SEALNetSigningCertificate) { Invoke-WebRequest -Uri "$env:SEALNetSigningCertificate" -OutFile $CertOutFile } -- task: CMake@1 - displayName: 'Configure SEAL' - inputs: - cmakeArgs: .. -DCMAKE_BUILD_TYPE='${{ parameters.configuration }}' -DSEAL_BUILD_DEPS=ON -DSEAL_BUILD_TESTS=ON -DSEAL_BUILD_EXAMPLES=ON -DSEAL_BUILD_SEAL_C=ON -DSEAL_SECURE_COMPILE_OPTIONS=ON - workingDirectory: '$(Build.SourcesDirectory)/build' - -- task: MSBuild@1 - displayName: 'Build SEAL' - inputs: - solution: '$(Build.SourcesDirectory)/build/seal.sln' - msbuildArchitecture: 'x64' - platform: 'x64' - configuration: '${{ parameters.configuration }}' - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2 - displayName: 'Run Roslyn Analyzers' - -- task: VSTest@2 - displayName: 'VsTest - native tests' - inputs: - testAssemblyVer2: | - **\${{ parameters.configuration }}\*test*.dll - **\${{ parameters.configuration }}\*test*.exe - !**\obj\** - platform: 'x64' - configuration: ${{ parameters.configuration }} - diagnosticsEnabled: True - - task: NuGetCommand@2 displayName: 'NuGet restore from Solution' inputs: command: 'restore' - restoreSolution: 'dotnet/SEALNet.sln' + restoreSolution: '$(Build.SourcesDirectory)/build/dotnet/SEALNet.sln' feedsToUse: 'select' - task: MSBuild@1 displayName: 'Build SEALNet' inputs: - solution: '$(Build.SourcesDirectory)/dotnet/SEALNet.sln' + solution: '$(Build.SourcesDirectory)/build/dotnet/SEALNet.sln' msbuildArchitecture: 'x64' platform: 'x64' configuration: '${{ parameters.configuration }}' - -- ${{ if eq(parameters.configuration, 'Release') }}: - - task: MSBuild@1 - displayName: 'Build SEALNet for iOS' - inputs: - solution: '$(Build.SourcesDirectory)/dotnet/src/SEALNet.csproj' - msbuildArchitecture: 'x64' - platform: 'x64' - msbuildArguments: '/p:BuildIOS=1' - configuration: '${{ parameters.configuration }}' + msbuildVersion: 'latest' - task: VSTest@2 displayName: 'VsTest - dotnet tests' @@ -94,11 +86,12 @@ steps: testAssemblyVer2: | **\${{ parameters.configuration }}\**\sealnettest.dll !**\obj\** + !**\ref\** configuration: ${{ parameters.configuration }} diagnosticsEnabled: True - ${{ if eq(parameters.configuration, 'Release') }}: - - task: Semmle@0 + - task: Semmle@1 displayName: 'Semmle SEAL' env: SYSTEM_ACCESSTOKEN: $(System.AccessToken) @@ -112,7 +105,7 @@ steps: buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/seal.sln' cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/seal.sln /t:Clean' - - task: Semmle@0 + - task: Semmle@1 displayName: 'Semmle SEALNet' env: SYSTEM_ACCESSTOKEN: $(System.AccessToken) @@ -123,8 +116,18 @@ steps: timeout: '1800' ram: '16384' addProjectDirToScanningExclusionList: true - buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/dotnet/SEALNet.sln' - cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/dotnet/SEALNet.sln /t:Clean' + buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/dotnet/SEALNet.sln' + cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/dotnet/SEALNet.sln /t:Clean' + + - task: MSBuild@1 + displayName: 'Build SEALNet for iOS' + inputs: + solution: '$(Build.SourcesDirectory)/build/dotnet/src/SEALNet.csproj' + msbuildArchitecture: 'x64' + platform: 'x64' + msbuildArguments: '/p:BuildIOS=1' + configuration: '${{ parameters.configuration }}' + msbuildVersion: 'latest' - task: PublishSymbols@2 displayName: 'Publish symbols path' @@ -286,7 +289,7 @@ steps: - task: CopyFiles@2 displayName: 'Copy NuSpec File to: $(Build.ArtifactStagingDirectory)' inputs: - SourceFolder: '$(Build.SourcesDirectory)\dotnet\nuget\' + SourceFolder: '$(Build.SourcesDirectory)\build\dotnet\nuget\' Contents: 'SEALNet-multi.nuspec' TargetFolder: '$(Build.ArtifactStagingDirectory)\dotnet\nuget\'