[PATCH] D59780: Support Intel Control-flow Enforcement Technology

Fangrui Song via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Dec 12 20:49:55 PST 2019


MaskRay added a comment.

In D59780#1782932 <https://reviews.llvm.org/D59780#1782932>, @xiangzhangllvm wrote:

> In D59780#1782133 <https://reviews.llvm.org/D59780#1782133>, @MaskRay wrote:
>
> > In D59780#1781055 <https://reviews.llvm.org/D59780#1781055>, @xiangzhangllvm wrote:
> >
> > > For MPX prefix:
> > >  GCC has not supported MPX since GCC 9, and Intel will not support MPX code either. So we don’t consider MPX for CET in LLD.
> >
> >
> > I know that GCC has removed MPX and the Linux kernel is removing MPX (user-visible APIs and self-tests have been removed). I asked because I haven't seen a change on binutils-gdb side that will support a .plt.sec scheme without the BND prefix. So, I wonder what kind of changes are considered divergence from x86-64 psABI. After the removal of the BND prefix, the .plt entry will get the leeway of 2 bytes. If, say, in the future, a new security enhanced feature is proposed which requires a new instruction that will take more than 2 bytes, the 16-byte .plt entry no longer works, and toolchains will have to migrate to a third PLT scheme, different from traditional PLT and the .plt.sec scheme.
> >
> > As to the option name question, are you happy with `-z force-ibt` and `-z shstk`? (My understanding is that they should be very similar to `-z force-bti` and `-z pac-plt`, respectively.)
>
>
> These options are OK for us, thank you again!
>  By the way, as far as I know, GNU ld has no CET options (except the -z cet-report=xxx you pointed out before). It just tries to add CET flags if all input files are CETed.
>  As for the MPX prefix, in my eyes, it seems the new Binutils just forgot to remove it. Try ld --help and you can see it lists "-z nobndplt           Generate a regular PLT (**default**)"


`-z nobndplt` is not implemented in GNU ld

  % ld/ld-new -z nobndplt -v
  ./ld-new: warning: -z nobndplt ignored
  GNU ld (GNU Binutils) 2.33.50.20191213

gold supports `-z nobndplt` but it does not implement IBT.

  % gold/ld-new --help | grep bndplt
    -z bndplt                   (x86-64 only) Generate a BND PLT for Intel MPX
    -z nobndplt                 Generate a regular PLT (default)

I have uploaded a diff that implements `-z force-ibt` and `-z shstk`, but ultimately it is the code owner (@ruiu)'s decision whether the change should be included.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D59780/new/

https://reviews.llvm.org/D59780




