From 7252a1ba07aede88bccd6070db0780b62f6ead64 Mon Sep 17 00:00:00 2001
From: onalante-msft <89409054+onalante-msft@users.noreply.github.com>
Date: Wed, 18 Jan 2023 21:16:59 -0800
Subject: [PATCH] Prevent LTO from optimizing out OpenSSL engine symbols

LTO is enabled by default for .deb packages starting in Ubuntu 21.04[1],
causing build failures on Ubuntu 22.04 when we use GCC ranlib (used by
default with `cc` crate version >= 1.0.74[2]).  LTO is incompatible with
`__asm__(".symver ..")` because it uses the linker-script-provided
exported symbols to determine what is safe to optimize out, and the
linker script is naturally unaware of manually-exported symbols.  We can
work around this by adding `__attribute__((used))` to the functions we
want to keep in the final object.

Another option would be to use GCC's `__attribute__((symver("..@")))`[3]
directive, but this relies on too new of a toolchain version (GCC 10).

Addendum 1: The fundamental reason for why LTO is a problem for
`aziot-key-openssl-engine-shared` in the first place is that this crate
uses what is, in effect, a "symbol stub" to hook Rust code into
OpenSSL's engine macros.  First, `build/engine.c` declares the engine
function signature and uses OpenSSL's macros to expand the dynamic
engine binding.  This file is then compiled (but not linked) into an
object that will become the dynamic library's public interface.  The way
this is accomplished is by linking the whole object into the `cdylib`
(as opposed to only linking referenced functions).  LTO requires us to
go one step further by preventing the linker from optimizing out symbols
not declared as globally-exported in `rustc`'s linker script, which does
not know of the symbol declaration in the stub object.  There is an open
RFC request for allowing re-export of C symbols from `cdylib` crates:
https://github.com/rust-lang/rfcs/issues/2771.

Addendum 2: When our supported platforms start shipping with GNU as >=
2.35 and/or Clang 13, we may want to add `,remove` to the `.symver`
directive arguments to lift the restriction that
`aziot-key-openssl-engine-shared` cannot be included in tests[4].

[1]: https://wiki.ubuntu.com/ToolChain/LTO
[2]: Binutils ranlib was used before, see discussion in
    https://github.com/rust-lang/cc-rs/pull/735 for full details.
[3]: `..@` instead of `..@@` since we do not define a version
    node name, meaning double-at leads to symbol duplication.
[4]: https://maskray.me/blog/2020-11-26-all-about-symbol-versioning
---
 Makefile                                           |  9 +--------
 ci/install-build-deps.sh                           |  2 +-
 key/aziot-key-openssl-engine-shared/build/engine.c | 11 +++++++++--
 key/aziot-key-openssl-engine-shared/build/main.rs  | 10 ++--------
 4 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/Makefile b/Makefile
index 6d9166166..65ba72205 100644
--- a/Makefile
+++ b/Makefile
@@ -310,14 +310,7 @@ deb: dist
 	cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/
 	sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog
 
-	# Build package
-	# Note: This builds the `default` target before the normal Debian packaging (instead
-	# of as part of it) to workaround linker errors on Ubuntu 22.04 when building
-	# aziot-key-openssl-engine-shared. The extra flags to dpkg-buildpackage are to
-	# circumvent the default clean and to ignore build artifacts that will already exist.
-	cd /tmp/aziot-identity-service-$(PACKAGE_VERSION) && \
-		make RELEASE=1 V=1 ARCH=$(ARCH) && \
-		dpkg-buildpackage -us -uc $(DPKG_ARCH_FLAGS) -nc -tc -F -I=vendor -I=target --source-option=--extend-diff-ignore="target|vendor|third-party|keys\.generated\.rs"
+	cd /tmp/aziot-identity-service-$(PACKAGE_VERSION) && dpkg-buildpackage -us -uc $(DPKG_ARCH_FLAGS)
 
 # rpm
 #
diff --git a/ci/install-build-deps.sh b/ci/install-build-deps.sh
index ce822a4c1..296916c94 100755
--- a/ci/install-build-deps.sh
+++ b/ci/install-build-deps.sh
@@ -16,7 +16,7 @@ case "$OS:$ARCH" in
 
         yum install -y centos-release-scl epel-release
         yum install -y \
-            autoconf autoconf-archive automake clang curl devtoolset-9-gcc devtoolset-9-gcc-c++ \
+            autoconf autoconf-archive automake curl devtoolset-9-gcc devtoolset-9-gcc-c++ \
             git jq libcurl-devel libtool llvm-toolset-7-clang llvm-toolset-7-llvm-devel \
             make openssl openssl-devel pkgconfig
 
diff --git a/key/aziot-key-openssl-engine-shared/build/engine.c b/key/aziot-key-openssl-engine-shared/build/engine.c
index 84240f0fa..47ced7bef 100644
--- a/key/aziot-key-openssl-engine-shared/build/engine.c
+++ b/key/aziot-key-openssl-engine-shared/build/engine.c
@@ -14,12 +14,19 @@ int aziot_key_openssl_engine_shared_bind(ENGINE* e, const char* id);
  * So the bind_engine and v_check functions generated by these two macros will not actually be exported by the final cdylib. It's not possible
  * to provide a custom version script via `cargo:rustc-cdylib-link-arg` because it conflicts with the one generated by rustc.
  *
- * So we have to use the other way mentioned by `ld`'s docs, `__asm__(".symver")`
+ * So we have to use the other way mentioned by `ld`'s docs[1], `__asm__(".symver")`. We also need to add `__attribute__((used))` since otherwise
+ * the versioned symbol is optimized out by LTO.
  *
  * Unfortunately this trick means this crate cannot be compiled for tests since the linker will see duplicate symbols, so every invocation of
- * `cargo test --all` or `cargo clippy --tests --all` has to also exclude this crate with `--exclude`.
+ * `cargo test --all` or `cargo clippy --tests --all` has to also exclude this crate with `--exclude`. When all of our platforms provide
+ * GNU as >= 2.35 and/or Clang >= 13, we can lift this restriction by appending `,remove` to the `.symver` directive arguments[2].
+ *
+ * [1]: https://sourceware.org/binutils/docs/ld/VERSION.html
+ * [2]: https://maskray.me/blog/2020-11-26-all-about-symbol-versioning
  */
+__attribute__((used))
 IMPLEMENT_DYNAMIC_BIND_FN(aziot_key_openssl_engine_shared_bind);
 __asm__(".symver bind_engine,bind_engine@@");
+__attribute__((used))
 IMPLEMENT_DYNAMIC_CHECK_FN();
 __asm__(".symver v_check,v_check@@");
diff --git a/key/aziot-key-openssl-engine-shared/build/main.rs b/key/aziot-key-openssl-engine-shared/build/main.rs
index b6463cd66..79507ba04 100644
--- a/key/aziot-key-openssl-engine-shared/build/main.rs
+++ b/key/aziot-key-openssl-engine-shared/build/main.rs
@@ -4,7 +4,7 @@
 #![warn(clippy::all, clippy::pedantic)]
 
 fn main() {
-    println!("cargo:rerun-if-changed=build/engine.c");
+    println!("cargo:rerun-if-changed=build/");
 
     openssl_build::define_version_number_cfg();
 
@@ -13,13 +13,7 @@ fn main() {
         // Since we are going to use the generated archive in a shared
         // library, we need +whole-archive to be set.  See:
         // https://github.com/rust-lang/rust/blob/1.61.0/RELEASES.md#compatibility-notes
-        .cargo_metadata(false)
+        .link_lib_modifier("+whole-archive")
         .file("build/engine.c")
         .compile("aziot_key_openssl_shared_engine_wrapper");
-
-    println!("cargo:rustc-link-lib=static:+whole-archive=aziot_key_openssl_shared_engine_wrapper");
-    println!(
-        "cargo:rustc-link-search=native={}",
-        std::env::var("OUT_DIR").unwrap()
-    );
 }