From 31aadbd63d0d3fd0472e502e622f0c846c8f565a Mon Sep 17 00:00:00 2001
From: Deeptanshu Sekhri
Date: Wed, 30 Jul 2025 14:19:15 +0100
Subject: [PATCH 1/3] build: add compiler hardening flags
- Adding tools/flags.bzl defining TCFT_HARDENED_COPTS and TCFT_HARDENED_LINKOPTS
- Load and apply hardening flags in tosa_converter_for_tflite BUILD
Signed-off-by: Deeptanshu Sekhri
---
tools/BUILD | 6 ++++
tools/flags.bzl | 52 +++++++++++++++++++++++++++++++++
tosa_converter_for_tflite/BUILD | 4 +++
3 files changed, 62 insertions(+)
create mode 100644 tools/BUILD
create mode 100644 tools/flags.bzl
diff --git a/tools/BUILD b/tools/BUILD
new file mode 100644
index 0000000..dd2ac33
--- /dev/null
+++ b/tools/BUILD
@@ -0,0 +1,6 @@
+#
+# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This file's existence makes this directory a Bazel package so flags.bzl can be loaded
diff --git a/tools/flags.bzl b/tools/flags.bzl
new file mode 100644
index 0000000..79702ba
--- /dev/null
+++ b/tools/flags.bzl
@@ -0,0 +1,52 @@ +# +# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates +# +# SPDX-License-Identifier: Apache-2.0 +# +# ----------------------------------------------------------------------------- +# Hardened compile flags +# ----------------------------------------------------------------------------- +TCFT_HARDENED_COPTS = [ + # optimizations and warnings + "-Wall", + "-Wformat", + "-Wformat=2", + "-Wconversion", + "-Wimplicit-fallthrough", + "-Werror=format-security", + + # fortify + "-U_FORTIFY_SOURCE", + "-D_FORTIFY_SOURCE=3", + "-D_GLIBCXX_ASSERTIONS", + + # strict arrays + "-fstrict-flex-arrays=3", + + # stack protection + "-fstack-clash-protection", + "-fstack-protector-strong", + + # overflow/null-pointer checks + "-fno-delete-null-pointer-checks", + "-fno-strict-overflow", + "-fno-strict-aliasing", + "-ftrivial-auto-var-init=zero", + + # pthreads exception support + "-fexceptions", + + # treat warnings as errors + "-Werror", +] + +# ----------------------------------------------------------------------------- +# Hardened link flags +# ----------------------------------------------------------------------------- +TCFT_HARDENED_LINKOPTS = [ + "-Wl,-z,noexecstack", + "-Wl,-z,relro", + "-Wl,-z,now", + "-Wl,--as-needed", + "-Wl,--no-copy-dt-needed-entries", +] diff --git a/tosa_converter_for_tflite/BUILD b/tosa_converter_for_tflite/BUILD index aafd70c..28130f2 100644 --- a/tosa_converter_for_tflite/BUILD +++ b/tosa_converter_for_tflite/BUILD @@ -5,6 +5,7 @@ # load("@pybind11_bazel//:build_defs.bzl", "pybind_extension") +load("//tools:flags.bzl", "TCFT_HARDENED_COPTS", "TCFT_HARDENED_LINKOPTS") cc_library( name = "tosa_converter_for_tflite_lib", @@ -14,6 +15,7 @@ cc_library( "@org_tensorflow//tensorflow/compiler/mlir/lite:flatbuffer_translate_lib", "@org_tensorflow//tensorflow/compiler/mlir/tosa:tfl_passes", ], + copts = TCFT_HARDENED_COPTS, ) pybind_extension( 
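Review bot: `TCFT_HARDENED_COPTS` sets `-D_FORTIFY_SOURCE=3` but carries no `-O` level, although its first group is labelled "optimizations and warnings". glibc only enables fortification when the translation unit is compiled with optimisation, so in a Bazel build that is not run with `-c opt` (the default fastbuild mode adds no optimisation level, as far as I know) the define has no effect and glibc emits a `#warning`, which the `-Werror` entry at the end of this list would turn into a build failure. Either add `"-O2",` under that first comment or say in the comment that the flags assume `-c opt`. `"-Wformat",` is also redundant next to `"-Wformat=2",`. The same list is re-added unchanged to tosa_converter_for_tflite/BUILD in PATCH 2/3, so the point applies to that hunk as well.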
@@ -24,6 +26,8 @@ pybind_extension( deps = [ ":tosa_converter_for_tflite_lib", ], + copts = TCFT_HARDENED_COPTS, + linkopts = TCFT_HARDENED_LINKOPTS, ) py_library( -- GitLab From daecee35e1b5a1f2d44c7aeea71a8056ef74ff21 Mon Sep 17 00:00:00 2001 From: Deeptanshu Sekhri Date: Fri, 1 Aug 2025 14:09:16 +0100 Subject: [PATCH 2/3] chore: move hardening flags to where they are being used Signed-off-by: Deeptanshu Sekhri --- tools/BUILD | 6 ---- tools/flags.bzl | 52 --------------------------------- tosa_converter_for_tflite/BUILD | 49 ++++++++++++++++++++++++++++++- 3 files changed, 48 insertions(+), 59 deletions(-) delete mode 100644 tools/BUILD delete mode 100644 tools/flags.bzl diff --git a/tools/BUILD b/tools/BUILD deleted file mode 100644 index dd2ac33..0000000 --- a/tools/BUILD +++ /dev/null @@ -1,6 +0,0 @@ -# -# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates -# -# SPDX-License-Identifier: Apache-2.0 -# -# This file's existence makes this directory a Bazel package so flags.bzl can be loaded diff --git a/tools/flags.bzl b/tools/flags.bzl deleted file mode 100644 index 79702ba..0000000 --- a/tools/flags.bzl +++ /dev/null 
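Review bot: `copts = TCFT_HARDENED_COPTS` and `linkopts = TCFT_HARDENED_LINKOPTS` are applied unconditionally here, and the same holds for the `copts` line added to `cc_library` in the previous hunk. The `-Wl,-z,...` entries are ELF-linker options, and `-fstrict-flex-arrays=3` and `-ftrivial-auto-var-init=zero` are rejected as unknown options by older GCC and Clang releases, so a build on another platform or an older toolchain would fail outright rather than fall back to an unhardened build. If only Linux with a recent compiler is supported, a comment saying so next to the lists is enough; otherwise guard the attributes, for example `linkopts = select({"@platforms//os:linux": TCFT_HARDENED_LINKOPTS, "//conditions:default": []}),`. The `pybind_extension(` call starts before this hunk, so its other attributes are not visible here.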
@@ -1,52 +0,0 @@
-#
-# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# -----------------------------------------------------------------------------
-# Hardened compile flags
-# -----------------------------------------------------------------------------
-TCFT_HARDENED_COPTS = [
- # optimizations and warnings
- "-Wall",
- "-Wformat",
- "-Wformat=2",
- "-Wconversion",
- "-Wimplicit-fallthrough",
- "-Werror=format-security",
-
- # fortify
- "-U_FORTIFY_SOURCE",
- "-D_FORTIFY_SOURCE=3",
- "-D_GLIBCXX_ASSERTIONS",
-
- # strict arrays
- "-fstrict-flex-arrays=3",
-
- # stack protection
- "-fstack-clash-protection",
- "-fstack-protector-strong",
-
- # overflow/null-pointer checks
- "-fno-delete-null-pointer-checks",
- "-fno-strict-overflow",
- "-fno-strict-aliasing",
- "-ftrivial-auto-var-init=zero",
-
- # pthreads exception support
- "-fexceptions",
-
- # treat warnings as errors
- "-Werror",
-]
-
-# -----------------------------------------------------------------------------
-# Hardened link flags
-# -----------------------------------------------------------------------------
-TCFT_HARDENED_LINKOPTS = [
- "-Wl,-z,noexecstack",
- "-Wl,-z,relro",
- "-Wl,-z,now",
- "-Wl,--as-needed",
- "-Wl,--no-copy-dt-needed-entries",
-]
diff --git a/tosa_converter_for_tflite/BUILD b/tosa_converter_for_tflite/BUILD
index 28130f2..37fd09d 100644
--- a/tosa_converter_for_tflite/BUILD
+++ b/tosa_converter_for_tflite/BUILD
@@ -5,7 +5,54 @@ # load("@pybind11_bazel//:build_defs.bzl", "pybind_extension") -load("//tools:flags.bzl", "TCFT_HARDENED_COPTS", "TCFT_HARDENED_LINKOPTS") + +# ----------------------------------------------------------------------------- +# Hardened compile flags +# ----------------------------------------------------------------------------- +TCFT_HARDENED_COPTS = [ + # optimizations and warnings + "-Wall", + "-Wformat", + "-Wformat=2", + "-Wconversion", + "-Wimplicit-fallthrough", + "-Werror=format-security", + + # fortify + "-U_FORTIFY_SOURCE", + "-D_FORTIFY_SOURCE=3", + "-D_GLIBCXX_ASSERTIONS", + + # strict arrays + "-fstrict-flex-arrays=3", + + # stack protection + "-fstack-clash-protection", + "-fstack-protector-strong", + + # overflow/null-pointer checks + "-fno-delete-null-pointer-checks", + "-fno-strict-overflow", + "-fno-strict-aliasing", + "-ftrivial-auto-var-init=zero", + + # pthreads exception support + "-fexceptions", + + # treat warnings as errors + "-Werror", +] + +# ----------------------------------------------------------------------------- +# Hardened link flags +# ----------------------------------------------------------------------------- +TCFT_HARDENED_LINKOPTS = [ + "-Wl,-z,noexecstack", + "-Wl,-z,relro", + "-Wl,-z,now", + "-Wl,--as-needed", + "-Wl,--no-copy-dt-needed-entries", +] cc_library( name = "tosa_converter_for_tflite_lib", -- GitLab From bce177732eb5f9c328f27d66ac1368dc0f1bb30b Mon Sep 17 00:00:00 2001 From: Deeptanshu Sekhri Date: Fri, 1 Aug 2025 16:04:34 +0100 Subject: [PATCH 3/3] chore: removing -Werror Signed-off-by: Deeptanshu Sekhri --- tosa_converter_for_tflite/BUILD | 3 --- 1 file changed, 3 deletions(-) diff --git a/tosa_converter_for_tflite/BUILD b/tosa_converter_for_tflite/BUILD index 37fd09d..fe9abfb 100644 --- a/tosa_converter_for_tflite/BUILD +++ b/tosa_converter_for_tflite/BUILD 
@@ -38,9 +38,6 @@ TCFT_HARDENED_COPTS = [ # pthreads exception support "-fexceptions", - - # treat warnings as errors - "-Werror", ] # ----------------------------------------------------------------------------- -- GitLab