msi: enable CFG in node.exe

[ahtrahdis7]

Links Issue : #42100
#42100

[targos]

Windows CI (including tests on arm64): https://ci.nodejs.org/job/node-test-commit-windows-fanned/47188/

[RaisinTen]

There is a compilation error:

MSBUILD : error MSB1001: Unknown switch.
Switch: /guard:cf

Added some suggestions which should hopefully help you fix that.

[RaisinTen]

Same here, /DYNAMICBASE is something that should be passed to link. To do that, you can try adding <AdditionalOptions>/DYNAMICBASE /GUARD:CF</AdditionalOptions> to the list of <Link> options.

[ahtrahdis7]

@RaisinTen How can I get the binary built for this PR. I need to run test for CFG enablement.

[ahtrahdis7]

The suggested solution ain't working. I tried multiple combinations.
Did generate a *.vcxproj file from visual studio with CFG enabled as mentioned in this link https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard . Didn't get any satisfactory results.

[RaisinTen]

@RaisinTen How can I get the binary built for this PR. I need to run test for CFG enablement.

I don't think we provide a way to download the artifacts generated from PRs. You probably need to build it yourself. Here is the building guide for Windows - https://github.com/nodejs/node/blob/HEAD/BUILDING.md#windows.

The suggested solution ain't working. I tried multiple combinations.
Did generate a *.vcxproj file from visual studio with CFG enabled as mentioned in this link https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard . Didn't get any satisfactory results.

I guess Richard is right in #42126 (comment), this needs a change in the gyp files. The vcxproj file is only used to build the msi, not the node.exe executable.

[ahtrahdis7]

Can anyone suggest something more concrete ??

[bjendyk]

@richardlau Which gyp files should be modified to enable CFG when compiling node.js sources?

[richardlau]

Probably common.gypi:

node/common.gypi

Lines 279 to 318 in 03fb789

	'msvs_settings': {
	'VCCLCompilerTool': {
	'AdditionalOptions': [
	'/Zc:__cplusplus',
	'-std:c++17'
	],
	'BufferSecurityCheck': 'true',
	'target_conditions': [
	['_toolset=="target"', {
	'DebugInformationFormat': 1 # /Z7 embed info in .obj files
	}],
	],
	'ExceptionHandling': 0, # /EHsc
	'MultiProcessorCompilation': 'true',
	'StringPooling': 'true', # pool string literals
	'SuppressStartupBanner': 'true',
	'WarnAsError': 'false',
	'WarningLevel': 3, # /W3
	},
	'VCLinkerTool': {
	'target_conditions': [
	['_type=="executable"', {
	'SubSystem': 1, # /SUBSYSTEM:CONSOLE
	}],
	],
	'conditions': [
	['target_arch=="ia32"', {
	'TargetMachine' : 1, # /MACHINE:X86
	}],
	['target_arch=="x64"', {
	'TargetMachine' : 17, # /MACHINE:X64
	}],
	['target_arch=="arm64"', {
	'TargetMachine' : 0, # NotSet. MACHINE:ARM64 is inferred from the input files.
	}],
	],
	'GenerateDebugInformation': 'true',
	'SuppressStartupBanner': 'true',
	},
	},

I think /dynamicbase can be enabled via RandomizedBaseAddress:
https://github.com/nodejs/gyp-next/blob/52de08ab53ed5e96a4061aec42d10737f6a8cc91/pylib/gyp/msvs_emulation.py#L723
I didn't see anything in gyp-next for enabling /guard so you'd probably need to add AdditionalOptions (you may need to do this twice -- once for the compiler and once for the liner settings).

cc @nodejs/platform-windows