authorjinge90 <ge.jin@intel.com>2022-01-10 09:23:28 +0800
committerjinge90 <ge.jin@intel.com>2022-01-10 11:01:11 +0800
commit6fab2742758197949d7bc624f453e544129709a3 (patch)
tree9c7028c3e2524e37186cc234b68f698c7e5d151a
parent9b70ddaff6e1d1ffc538ac74aa43b4fd6f73bb02 (diff)
Control-flow Enforcement Technology (CET), published by Intel, introduces the
indirect branch tracking (IBT) feature, which aims to ensure that the target address of an indirect jump/call has not been tampered with. When IBT is enabled, each function or target of any indirect jump/call must start with an 'endbr32/64' instruction; otherwise the program will crash during execution. To build an application with CET enabled, we need to ensure: 1. the source code is built with "-fcf-protection=full"; 2. all the libraries linked with the .o files are CET enabled too. This patch enables CET for the compiler-rt builtins library. We add an option "COMPILER_RT_ENABLE_CET", whose default value is OFF, to enable CET for compiler-rt at build time; when this option is "ON", "-fcf-protection=full" is added to BUILTIN_CFLAGS and the "endbr32/64" will be placed at the beginning of each assembly function. We also enable CET for the crtbegin and crtend object files in this patch. Reviewed by: MaskRay, compnerd, manojgupta, efriedma Differential Revision: https://reviews.llvm.org/D109811 Signed-off-by: jinge90 <ge.jin@intel.com>
-rw-r--r--compiler-rt/CMakeLists.txt9
-rw-r--r--compiler-rt/cmake/config-ix.cmake1
-rw-r--r--compiler-rt/lib/builtins/CMakeLists.txt4
-rw-r--r--compiler-rt/lib/builtins/assembly.h6
-rw-r--r--compiler-rt/lib/crt/CMakeLists.txt3
-rw-r--r--compiler-rt/test/builtins/CMakeLists.txt10
-rw-r--r--compiler-rt/test/crt/CMakeLists.txt8
7 files changed, 41 insertions, 0 deletions
diff --git a/compiler-rt/CMakeLists.txt b/compiler-rt/CMakeLists.txt
index c5003b5efa1d..0dcb417a85f8 100644
--- a/compiler-rt/CMakeLists.txt
+++ b/compiler-rt/CMakeLists.txt
@@ -54,6 +54,7 @@ option(COMPILER_RT_BUILD_ORC "Build ORC runtime" ON)
mark_as_advanced(COMPILER_RT_BUILD_ORC)
option(COMPILER_RT_BUILD_GWP_ASAN "Build GWP-ASan, and link it into SCUDO" ON)
mark_as_advanced(COMPILER_RT_BUILD_GWP_ASAN)
+option(COMPILER_RT_ENABLE_CET "Build Compiler RT with CET enabled" OFF)
if(FUCHSIA)
set(COMPILER_RT_HWASAN_WITH_INTERCEPTORS_DEFAULT OFF)
@@ -244,6 +245,14 @@ include(config-ix)
# Setup Compiler Flags
#================================
+# fcf-protection is a gcc/clang option for CET support on Linux platforms.
+# We need to handle MSVC CET option on Windows platforms.
+if (NOT MSVC)
+ if (COMPILER_RT_ENABLE_CET AND NOT COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
+ message(FATAL_ERROR "Compiler used to build compiler-rt doesn't support CET!")
+ endif()
+endif()
+
if(MSVC)
# Override any existing /W flags with /W4. This is what LLVM does. Failing to
# remove other /W[0-4] flags will result in a warning about overriding a
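Review bot: With `COMPILER_RT_ENABLE_CET=ON` under MSVC the new `if (NOT MSVC)` block is skipped entirely, so configuration succeeds and, as far as this diff shows, no CET option is added anywhere; the user asked for a hardened runtime and gets an unhardened one with no diagnostic. The comment `We need to handle MSVC CET option on Windows platforms` reads as unfinished work rather than a description, so I would mark it `# TODO:`. I would also add an `else()` branch containing `if (COMPILER_RT_ENABLE_CET)` / `message(WARNING "COMPILER_RT_ENABLE_CET is not implemented for MSVC; building without CET")` / `endif()`, or use FATAL_ERROR there to match the non-MSVC branch.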
diff --git a/compiler-rt/cmake/config-ix.cmake b/compiler-rt/cmake/config-ix.cmake
index eadb6013e739..f1a7acbec652 100644
--- a/compiler-rt/cmake/config-ix.cmake
+++ b/compiler-rt/cmake/config-ix.cmake
@@ -64,6 +64,7 @@ endif ()
check_c_compiler_flag(-ffreestanding COMPILER_RT_HAS_FFREESTANDING_FLAG)
check_c_compiler_flag(-fomit-frame-pointer COMPILER_RT_HAS_OMIT_FRAME_POINTER_FLAG)
check_c_compiler_flag(-std=c11 COMPILER_RT_HAS_STD_C11_FLAG)
+check_c_compiler_flag(-fcf-protection=full COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
check_cxx_compiler_flag(-fPIC COMPILER_RT_HAS_FPIC_FLAG)
check_cxx_compiler_flag(-fPIE COMPILER_RT_HAS_FPIE_FLAG)
check_cxx_compiler_flag(-fno-builtin COMPILER_RT_HAS_FNO_BUILTIN_FLAG)
diff --git a/compiler-rt/lib/builtins/CMakeLists.txt b/compiler-rt/lib/builtins/CMakeLists.txt
index 0b965d90a5b5..ea5ad9cdb864 100644
--- a/compiler-rt/lib/builtins/CMakeLists.txt
+++ b/compiler-rt/lib/builtins/CMakeLists.txt
@@ -678,6 +678,10 @@ if (APPLE)
else ()
set(BUILTIN_CFLAGS "")
+ if (COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
+ append_list_if(COMPILER_RT_ENABLE_CET -fcf-protection=full BUILTIN_CFLAGS)
+ endif()
+
append_list_if(COMPILER_RT_HAS_FLOAT16 -DCOMPILER_RT_HAS_FLOAT16 BUILTIN_CFLAGS)
append_list_if(COMPILER_RT_HAS_STD_C11_FLAG -std=c11 BUILTIN_CFLAGS)
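Review bot: The outer `if (COMPILER_RT_HAS_FCF_PROTECTION_FLAG)` makes a failed probe drop `-fcf-protection=full` silently even when `COMPILER_RT_ENABLE_CET` is ON, and the same guard is repeated in compiler-rt/lib/crt/CMakeLists.txt. The only error path is the check in compiler-rt/CMakeLists.txt, which is skipped for MSVC and would not run if this directory is ever configured without that top-level file (not visible here, so worth confirming). The commit message itself says every linked object must be CET enabled, so a silent skip here undoes the option for the whole link. I would either drop the guard and rely on the top-level FATAL_ERROR, or add `else()` / `if (COMPILER_RT_ENABLE_CET)` with a `message(FATAL_ERROR ...)` in this file. The enclosing `if (APPLE) ... else ()` block starts and ends outside the hunk, and the APPLE branch receives no CET flag.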
diff --git a/compiler-rt/lib/builtins/assembly.h b/compiler-rt/lib/builtins/assembly.h
index 9c015059af5a..69a3d8620f92 100644
--- a/compiler-rt/lib/builtins/assembly.h
+++ b/compiler-rt/lib/builtins/assembly.h
@@ -14,6 +14,12 @@
#ifndef COMPILERRT_ASSEMBLY_H
#define COMPILERRT_ASSEMBLY_H
+#if defined(__linux__) && defined(__CET__)
+#if __has_include(<cet.h>)
+#include <cet.h>
+#endif
+#endif
+
#if defined(__APPLE__) && defined(__aarch64__)
#define SEPARATOR %%
#else
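Review bot: When `<cet.h>` is not found, the inner `#if __has_include(<cet.h>)` skips the include without any diagnostic, so the assembly sources are built under `__CET__` but without the header's definitions. No line in this diff uses `_CET_ENDBR` (this hunk is the only change to assembly.h and no .S file is touched), although the commit message says endbr32/64 is placed at the start of each assembly function. As I understand GCC's cet.h, including it from assembly emits the `.note.gnu.property` marker, so the objects would be declared IBT-compatible whether or not every entry point starts with endbr; please confirm. I would add `#else` / `#error "__CET__ is set but <cet.h> was not found"` to the inner conditional, or a comment explaining why a missing header is tolerated, plus a comment naming the macro expected to emit the endbr. The header continues outside the hunk.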
diff --git a/compiler-rt/lib/crt/CMakeLists.txt b/compiler-rt/lib/crt/CMakeLists.txt
index c21bc370a81b..dc7dd17f8b1a 100644
--- a/compiler-rt/lib/crt/CMakeLists.txt
+++ b/compiler-rt/lib/crt/CMakeLists.txt
@@ -100,6 +100,9 @@ append_list_if(COMPILER_RT_HAS_INITFINI_ARRAY -DCRT_HAS_INITFINI_ARRAY CRT_CFLAG
append_list_if(COMPILER_RT_CRT_USE_EH_FRAME_REGISTRY -DEH_USE_FRAME_REGISTRY CRT_CFLAGS)
append_list_if(COMPILER_RT_HAS_FPIC_FLAG -fPIC CRT_CFLAGS)
append_list_if(COMPILER_RT_HAS_WNO_PEDANTIC -Wno-pedantic CRT_CFLAGS)
+if (COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
+ append_list_if(COMPILER_RT_ENABLE_CET -fcf-protection=full CRT_CFLAGS)
+endif()
foreach(arch ${CRT_SUPPORTED_ARCH})
add_compiler_rt_runtime(clang_rt.crtbegin
diff --git a/compiler-rt/test/builtins/CMakeLists.txt b/compiler-rt/test/builtins/CMakeLists.txt
index 31d16312dd18..d56ffc69763b 100644
--- a/compiler-rt/test/builtins/CMakeLists.txt
+++ b/compiler-rt/test/builtins/CMakeLists.txt
@@ -49,6 +49,16 @@ foreach(arch ${BUILTIN_TEST_ARCH})
string(REPLACE ";" " " BUILTINS_TEST_TARGET_CFLAGS "${BUILTINS_TEST_TARGET_CFLAGS}")
endif()
+ if(COMPILER_RT_ENABLE_CET)
+ if(NOT arch MATCHES "i?86|x86_64|AMD64")
+ message(SEND_ERROR "${arch} does not support CET")
+ endif()
+ if(COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
+ list(APPEND BUILTINS_TEST_TARGET_CFLAGS -fcf-protection=full)
+ string(REPLACE ";" " " BUILTINS_TEST_TARGET_CFLAGS "${BUILTINS_TEST_TARGET_CFLAGS}")
+ endif()
+ endif()
+
# Compute builtins available in library and add them as lit features.
if(APPLE)
# TODO: Support other Apple platforms.
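Review bot: The architecture check here and the one in compiler-rt/test/crt/CMakeLists.txt disagree: this one tests `arch MATCHES "i?86|x86_64|AMD64"` and reports with `SEND_ERROR`, the other tests `${arch} MATCHES "i386|x86_64"` and stops with `FATAL_ERROR`. Both patterns are unanchored, so `i?86` matches any name containing `86`, and the unquoted `${arch}` in the crt file is dereferenced a second time if its value happens to name a variable. I would use one anchored form in both places, e.g. `if(NOT "${arch}" MATCHES "^(i[3-6]86|x86_64|AMD64)$")`, with the same message severity. This hunk also appends the flag only when `COMPILER_RT_HAS_FCF_PROTECTION_FLAG` is set, while the crt hunk appends it unconditionally. The `foreach(arch ...)` loop starts and ends outside the hunk.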
diff --git a/compiler-rt/test/crt/CMakeLists.txt b/compiler-rt/test/crt/CMakeLists.txt
index 7d8d26073370..9c3087bc62f5 100644
--- a/compiler-rt/test/crt/CMakeLists.txt
+++ b/compiler-rt/test/crt/CMakeLists.txt
@@ -21,6 +21,14 @@ if (COMPILER_RT_BUILD_CRT AND COMPILER_RT_HAS_CRT)
string(TOUPPER ${arch} ARCH_UPPER_CASE)
set(CONFIG_NAME ${ARCH_UPPER_CASE}${OS_NAME}Config)
+ if (COMPILER_RT_ENABLE_CET)
+ if (${arch} MATCHES "i386|x86_64")
+ list(APPEND CRT_TEST_TARGET_CFLAGS -fcf-protection=full)
+ string(REPLACE ";" " " CRT_TEST_TARGET_CFLAGS "${CRT_TEST_TARGET_CFLAGS}")
+ else()
+ message(FATAL_ERROR "The target arch ${arch} doesn't support CET")
+ endif()
+ endif()
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/lit.site.cfg.py.in
${CMAKE_CURRENT_BINARY_DIR}/${CONFIG_NAME}/lit.site.cfg.py)