Merged PR 10332702: Prepare SymCrypt undocked build for undocked LKG which specifies most kernel mode flags

## Description:

+ Remove many workarounds in SymCrypt undocked props files for missing flags
+ Explicitly build SymCryptK.dll with no entrypoint, remove the fake entry point from code, and call `__security_init_cookie` in `SymCryptModuleInit` to prevent binskim errors.
+ Remove reference to memset in `SymCryptEntropyAccumulatorAccumulateSample` to reduce size and complexity of resulting SymCryptK.dll with real build environment (memset is not inlined as expected).

## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary

Related work items: #49010014

lib/env_windowsKernelModeWin8_1.c

@@ -41,6 +41,7 @@ VOID
 SYMCRYPT_CALL
 SymCryptInitEnvWindowsKernelmodeWin8_1nLater( UINT32 version )
 {
+    __declspec(no_init_all)
     RTL_OSVERSIONINFOW  verInfo;
 
     if( g_SymCryptFlags & SYMCRYPT_FLAG_LIB_INITIALIZED )

lib/symcrypt.vcxproj

@@ -10,7 +10,7 @@
     <UndockedType>lib</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>true</SymCryptKernelTarget>
+    <UndockedKernelModeBuild>true</UndockedKernelModeBuild>
     <IncludePath>$(ProjectDir);$(IncludePath);</IncludePath>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
@@ -167,7 +167,7 @@
     <SymCryptAsm Include="arm64\fdef369_asm.symcryptasm" Dialect="armasm64" Arch="arm64" Convention="aapcs64" />
     <SymCryptAsm Include="arm64\wipe.symcryptasm" Dialect="armasm64" Arch="arm64" Convention="aapcs64" />
   </ItemGroup>
-  <ItemGroup Condition="'$(Platform)'=='ARM64' AND '$(EnableArm64x)' == 'true'">
+  <ItemGroup Condition="'$(Platform)'=='ARM64EC'">
     <SymCryptAsm Include="arm64\fdef_asm.symcryptasm" Dialect="armasm64" Arch="arm64" Convention="arm64ec" />
     <SymCryptAsm Include="arm64\fdef369_asm.symcryptasm" Dialect="armasm64" Arch="arm64" Convention="arm64ec" />
     <SymCryptAsm Include="arm64\wipe.symcryptasm" Dialect="armasm64" Arch="arm64" Convention="arm64ec" />

modules/windows/kernel/entropy_accumulator.c

@@ -222,9 +222,7 @@ SymCryptEntropyAccumulatorAccumulateSample(
             // As we know nSamplesAccumulated is a multiple of 128, we can just align to the nearest byte
             bufferIndex = (nSamplesAccumulated & (SYMCRYPT_ENTROPY_ACCUMULATOR_SAMPLES_PER_BUFFER - 1)) / 8;
 
-            // use memset here because the compiler can't optimize it away, and it should have the best codegen.
-            // SymCryptWipeKnownSize would also work but it is not optimized for buffers this large.
-            memset( &pState->buffer[bufferIndex], 0, SYMCRYPT_ENTROPY_ACCUMULATOR_SEGMENT_SIZE );
+            SymCryptWipeKnownSize( &pState->buffer[bufferIndex], SYMCRYPT_ENTROPY_ACCUMULATOR_SEGMENT_SIZE );
 
             pState->nDPCScheduleFailures++;
         }

modules/windows/kernel/main.c

@@ -20,24 +20,13 @@ SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LATEST;
 #define FIPS_SERVICE_DESC_SHOW_VERSION
 #include "../lib/status_indicator.h"
 
-// Our DriverEntry function is not used, as this module acts as an export driver which is linked
-// directly to the kernel. In other words, it's not initialized by WDF, and we don't create any
-// device objects or use other WDF functions. However, we need to define the function to be able
-// to link with some of the KMDF libs.
-NTSTATUS
-DriverEntry(
-    _In_  struct _DRIVER_OBJECT* DriverObject,
-    _In_ PUNICODE_STRING RegistryPath
-    )
-{
-    UNREFERENCED_PARAMETER( DriverObject );
-    UNREFERENCED_PARAMETER( RegistryPath );
-
-    return STATUS_SUCCESS;
-}
+void __cdecl __security_init_cookie(void);
 
 VOID SYMCRYPT_CALL SymCryptModuleInit(UINT32 api, UINT32 minor)
 {
+    // Initialize the /GS flag stack overflow cookie
+    __security_init_cookie();
+
     if (api != SYMCRYPT_CODE_VERSION_API ||
         (api == SYMCRYPT_CODE_VERSION_API && minor > SYMCRYPT_CODE_VERSION_MINOR))
     {

modules/windows/kernel/symcryptk.vcxproj

@@ -36,7 +36,7 @@
     <UndockedType>kmdll</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>true</SymCryptKernelTarget>
+    <UndockedKernelModeBuild>true</UndockedKernelModeBuild>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemGroup>
@@ -59,7 +59,7 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
       <AdditionalDependencies>%(AdditionalDependencies);ntoskrnl.lib</AdditionalDependencies>
-      <EntryPointSymbol>GsDriverEntry</EntryPointSymbol>
+      <NoEntryPoint>true</NoEntryPoint>
     </Link>
   </ItemDefinitionGroup>
   <PropertyGroup Label="DbgEng">

msbuild/symcrypt.undocked.props

@@ -28,34 +28,12 @@
       <CharacterSet>MultiByte</CharacterSet>
       <WholeProgramOptimization>true</WholeProgramOptimization>
       <AdditionalOptions>/Gy %(AdditionalOptions)</AdditionalOptions>
-      <AdditionalOptions Condition="'$(SymCryptKernelTarget)'=='true'">
-        /kernel
-        %(AdditionalOptions)
-      </AdditionalOptions>
     </ClCompile>
     <MASM>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <PreprocessorDefinitions>SYMCRYPT_MASM;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalOptions>/Gy %(AdditionalOptions)</AdditionalOptions>
     </MASM>
-    <Link>
-      <AdditionalOptions>
-        /nodefaultlib:libcmt.lib
-        /nodefaultlib:libcmtd.lib
-        %(AdditionalOptions)
-      </AdditionalOptions>
-      <AdditionalOptions Condition="'$(SymCryptKernelTarget)'=='true'">
-        /d2:-guardcfgdispatch
-        /guard:exportsuppress
-        /kernel
-        /NOOPTIDATA
-        /merge:.gfids=GFIDS
-        /merge:.orpc=.text
-        /merge:_RDATA=.rdata
-        /section:GFIDS,d
-        %(AdditionalOptions)
-      </AdditionalOptions>
-    </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(UndockedOfficial)'=='Debug|true'">
     <ClCompile>
@@ -77,47 +55,24 @@
       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
     </ClCompile>
   </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Platform)'=='x64'">
-    <ClCompile>
-      <PreprocessorDefinitions>_AMD64_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-        <!-- 
-          Specifying /cbstring- will generate warning D9025 overriding '/cbstring' with '/cbstring-'
-          in the official build for now. We cannot avoid this until the flags are updated.
-        -->
-      <AdditionalOptions>%(AdditionalOptions) /cbstring-</AdditionalOptions>
-    </ClCompile>
-    <Link>
-        <!-- 
-          Ignore warning LNK4287 (object file is missing /guard:retpoline metadata) which happens
-          when linking to debug versions of the CRT.
-        -->
-      <AdditionalOptions>/guard:retpoline /IGNORE:4287 %(AdditionalOptions)</AdditionalOptions>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Platform)'=='Win32'">
+  <ItemDefinitionGroup Condition="'$(Platform)'=='Win32' AND ('$(UndockedOfficial)'=='false' OR '$(UndockedKernelModeBuild)'=='false')">
     <ClCompile>
       <CallingConvention>StdCall</CallingConvention>
-      <PreprocessorDefinitions>_X86_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     </ClCompile>
     <MASM>
       <UseSafeExceptionHandlers>true</UseSafeExceptionHandlers>
     </MASM>
   </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="$(Platform.StartsWith('ARM64'))">
-    <ClCompile>
-      <PreprocessorDefinitions>_ARM64_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-    </ClCompile>
-  </ItemDefinitionGroup>
 
   <!-- Helper properties for processing CppAsm -->
   <PropertyGroup Condition="'$(Platform)'=='x64'">
     <CppAsmArch>SYMCRYPT_CPU_AMD64</CppAsmArch>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Platform)'=='Win32'">
-      <CppAsmArch>SYMCRYPT_CPU_X86</CppAsmArch>
+    <CppAsmArch>SYMCRYPT_CPU_X86</CppAsmArch>
   </PropertyGroup>
-  <PropertyGroup Condition="$(Platform.StartsWith('ARM64'))">
-      <CppAsmArch>SYMCRYPT_CPU_ARM64</CppAsmArch>
+  <PropertyGroup Condition="'$(Platform)'=='ARM64' OR '$(Platform)'=='ARM64EC'">
+    <CppAsmArch>SYMCRYPT_CPU_ARM64</CppAsmArch>
   </PropertyGroup>
 
   <!-- Preprocess SymCryptAsm into CppAsm -->
@@ -142,13 +97,11 @@
     <Exec Command="cl.exe /EP /P /I..\inc /I.\ /D$(CppAsmArch) /DSYMCRYPT_MASM /Fi&quot;$(IntDir)%(CppAsm.Filename).asm&quot; &quot;%(CppAsm.Identity)&quot;" Condition="'%(CppAsm.Convention)' != 'arm64ec'"/>
     <!-- Special case for ARM64EC -->
     <Exec Command="cl.exe /EP /P /I..\inc /I.\ /D$(CppAsmArch) /D_M_ARM64EC /DSYMCRYPT_MASM /Fi&quot;$(IntDir)%(CppAsm.Filename).asm&quot; &quot;%(CppAsm.Identity)&quot;" Condition="'%(CppAsm.Convention)' == 'arm64ec'"/>
-    <ItemGroup Condition="'$(Platform)'!='ARM64'">
+    <ItemGroup Condition="'$(Platform)'=='x64' OR '$(Platform)'=='Win32'">
       <MASM Include="$(IntDir)%(CppAsm.Filename).asm" />
     </ItemGroup>
-    <ItemGroup Condition="'$(Platform)'=='ARM64'">
-      <MARMASM Include="$(IntDir)%(CppAsm.Filename).asm" PreprocessWithCl="false">
-        <AdditionalOptions Condition="'%(CppAsm.Convention)' == 'arm64ec'">-machine arm64ec</AdditionalOptions>
-      </MARMASM>
+    <ItemGroup Condition="'$(Platform)'=='ARM64' OR '$(Platform)'=='ARM64EC'">
+      <MARMASM Include="$(IntDir)%(CppAsm.Filename).asm" PreprocessWithCl="false" />
     </ItemGroup>
   </Target>
 

msbuild/windows.undocked.props

@@ -6,16 +6,13 @@
     <UndockedOut Condition="'$(UndockedOut)' == ''">$(SolutionDir)</UndockedOut>
     <UndockedBuildId Condition="'$(UndockedBuildId)' == ''">0</UndockedBuildId>
     <UndockedOfficial Condition="'$(UndockedOfficial)' == ''">false</UndockedOfficial>
-    <!-- Use the official LKG complier when available -->
+    <UndockedKernelModeBuild Condition="'$(UndockedKernelModeBuild)' == ''">false</UndockedKernelModeBuild>
+    <!-- Use the official LKG compiler when available -->
     <UseInternalMSUniCrtPackage>true</UseInternalMSUniCrtPackage>
-    <!-- Enable ARM64X unless explicitly disabled -->
-    <EnableArm64x Condition="$(ARM64X_DISABLED) != '1'">true</EnableArm64x>
-    <!-- Set UndockedKernelModeBuild when building .sys files -->
-    <UndockedKernelModeBuild Condition="'$(UndockedType)' == 'sys' OR '$(UndockedType)' == 'kmdll'">true</UndockedKernelModeBuild>
   </PropertyGroup>
 
-  <!-- The set of supported user mode configurations (x86,x64,arm,arm64) -->
-  <ItemGroup Label="ProjectConfigurations" Condition="'$(UndockedKernelModeBuild)' != 'true'">
+  <!-- The set of supported configurations (x86,x64,arm64,arm64ec) -->
+  <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
       <Platform>Win32</Platform>
@@ -50,34 +47,6 @@
     </ProjectConfiguration>
   </ItemGroup>
 
-  <!-- The set of supported kernel configurations (only 64-bit platforms) -->
-  <ItemGroup Label="ProjectConfigurations" Condition="'$(UndockedKernelModeBuild)' == 'true'">
-    <ProjectConfiguration Include="Debug|x64">
-      <Configuration>Debug</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|x64">
-      <Configuration>Release</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|ARM64">
-      <Configuration>Debug</Configuration>
-      <Platform>ARM64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|ARM64">
-      <Configuration>Release</Configuration>
-      <Platform>ARM64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|ARM64EC">
-      <Configuration>Debug</Configuration>
-      <Platform>ARM64EC</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|ARM64EC">
-      <Configuration>Release</Configuration>
-      <Platform>ARM64EC</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-
   <!-- Configuration properties to match Windows -->
   <PropertyGroup>
     <WinConfig Condition="'$(Configuration)' == 'Release'">fre</WinConfig>
@@ -165,17 +134,21 @@
     </Link>
   </ItemDefinitionGroup>
 
-  <ItemDefinitionGroup Condition="'$(Platform)'=='x64'">
-    <ClCompile>
-      <AdditionalOptions>-d2jumptablerdata -d2epilogunwindrequirev2 %(AdditionalOptions)</AdditionalOptions>
-    </ClCompile>
-  </ItemDefinitionGroup>
-
   <!-- Enable ARM64X compilation -->
-  <PropertyGroup Condition="'$(Platform)'=='ARM64' AND '$(UndockedKernelModeBuild)' != 'true' AND '$(UndockedType)' != 'exe' AND '$(EnableArm64x)' == 'true'">
+  <PropertyGroup Condition="'$(Platform)'=='ARM64' AND '$(UndockedType)' != 'kmdll' AND '$(UndockedType)' != 'sys' AND '$(UndockedType)' != 'exe' AND $(ARM64X_DISABLED) != '1'">
     <BuildAsX>true</BuildAsX>
   </PropertyGroup>
 
+    <!-- Architecture definitions for certain header files from Windows Kits -->
+  <ItemDefinitionGroup>
+    <ClCompile>
+      <PreprocessorDefinitions Condition="'$(Platform)'=='x64'">_AMD64_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions Condition="'$(Platform)'=='Win32'">_X86_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions Condition="'$(Platform)'=='ARM64'">_ARM64_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions Condition="'$(Platform)'=='ARM64EC'">_AMD64_;_ARM64EC_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+  </ItemDefinitionGroup>
+
   <!-- Unofficial build flags, but close enough for local testing -->
   <ItemDefinitionGroup Condition="'$(UndockedOfficial)' == 'false'">
     <ClCompile>
@@ -239,6 +212,11 @@
         /ZH:SHA_256
         /Zp8
       </AdditionalOptions>
+      <AdditionalOptions Condition="'$(Platform)'=='x64'">
+        -d2jumptablerdata
+        -d2epilogunwindrequirev2 
+        %(AdditionalOptions)
+      </AdditionalOptions>
       <AdditionalOptions Condition="'$(UndockedKernelModeBuild)' == 'true'">
         /kernel
         %(AdditionalOptions)
@@ -293,9 +271,8 @@
         /section:GFIDS,d
         %(AdditionalOptions)
       </AdditionalOptions>
-      <AdditionalOptions Condition="'$(Platform)'=='x86'">
+      <AdditionalOptions Condition="'$(Platform)'=='Win32'">
         /DynamicValueFixupSym:mm_shared_user_data_va=0x7FFE0000
-        /guard:xfg
         %(AdditionalOptions)
       </AdditionalOptions>
       <AdditionalOptions Condition="'$(Platform)'=='x64'">
@@ -306,20 +283,13 @@
         /highentropyva
         %(AdditionalOptions)
       </AdditionalOptions>
-      <AdditionalOptions Condition="$(Platform.StartsWith('ARM64'))">
+      <AdditionalOptions Condition="'$(Platform)'=='ARM64'">
         /highentropyva
         %(AdditionalOptions)
       </AdditionalOptions>
     </Link>
   </ItemDefinitionGroup>
 
-  <!-- Enable retpoline for MASM - template does not currently set this -->
-  <ItemDefinitionGroup Condition="'$(Platform)'=='x64'">
-    <MASM>
-      <AdditionalOptions>/GuardRetpoline</AdditionalOptions>
-    </MASM>
-  </ItemDefinitionGroup>
-
   <!-- Enable static analysis during the build (currently breaks in official builds) -->
   <!--
   <PropertyGroup Condition="'$(UndockedOfficial)' == 'false'">

unittest/exe_test/SymCryptUnitTest.vcxproj

@@ -10,7 +10,6 @@
     <UndockedType>exe</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>false</SymCryptKernelTarget>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemGroup>

unittest/lib/symcryptunittest_lib.vcxproj

@@ -10,7 +10,6 @@
     <UndockedType>lib</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>false</SymCryptKernelTarget>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemDefinitionGroup>

unittest/module_windows/symcrypttestmodule.vcxproj

@@ -10,7 +10,6 @@
     <UndockedType>dll</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>false</SymCryptKernelTarget>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemGroup>

unittest/module_windows_sys_km/SymCryptKernelTestModule.vcxproj

@@ -10,7 +10,7 @@
     <UndockedType>sys</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>true</SymCryptKernelTarget>
+    <UndockedKernelModeBuild>true</UndockedKernelModeBuild>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemGroup>
@@ -29,7 +29,8 @@
       <AdditionalOptions>/Zc:strictStrings- %(AdditionalOptions)</AdditionalOptions>
       <WholeProgramOptimization>true</WholeProgramOptimization>
       <MultiProcessorCompilation>true</MultiProcessorCompilation>
-      <ExceptionHandling>Sync</ExceptionHandling>
+      <!-- Official undocked builds handle setting the ExceptionHandling flags -->
+      <ExceptionHandling Condition="'$(UndockedOfficial)' != 'true'">Sync</ExceptionHandling>
     </ClCompile>
     <Link>
       <GenerateDebugInformation>true</GenerateDebugInformation>

unittest/module_windows_sys_um/symcryptkerneltestmodule_um.vcxproj

@@ -10,7 +10,6 @@
     <UndockedType>dll</UndockedType>
     <UndockedDir>$(SolutionDir)msbuild\</UndockedDir>
     <UndockedOut>$(SolutionDir)</UndockedOut>
-    <SymCryptKernelTarget>false</SymCryptKernelTarget>
   </PropertyGroup>
   <Import Project="$(UndockedDir)symcrypt.undocked.props" />
   <ItemGroup>