[PATCH] D58102: Support X86 Control-flow Enforcement Technology (CET) in LLD
Xiang Zhang via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Feb 14 17:23:54 PST 2019
xiangzhangllvm added a comment.
In D58102#1398252 <https://reviews.llvm.org/D58102#1398252>, @ruiu wrote:
> Can I ask a few random questions to understand the design of the patch?
> 1. In the patch description, it says that lld checks if all input object files contains a certain marker .note section. What is supposed to happen if some object files miss the .note section? Do we silently disable the feature in that case?
> 2. Why did you choose to create a separate section .splt instead of just writing different contents to .plt?
> 3. Do you really want to support i386 (as opposed to x86-64)? I'm genuinely curious who would want to use the feature in the 32-bit mode.
1 Yes, we will disable the feature if not all the input object files contain the .note.gnu.property section, because the CET feature will supervise all the indirect jumps in the program. If one input file do not contain the CET info (flags which is set in .note.gnu.property section's GNU_PROPERTY_X86_FEATURE_1_AND property ), it means it can‘t be check by the CET hardware, so we need to disable the CET feature. This is important to link the non-CET library.
2 Here we can optimize, when IBT enabled, we need to insert the ENDBRANCH instructions in the old PLT, at first we don't want to change the PLT size, so we add a SPLT ,the caller first jump to SPLT and then go to PLT. The function of PLT +SPLT = old PLT.
3 We both support it in x86 and x86-64, please refer line 2017 in Driver.cpp. The control flow attack threat both exist in 32-bit and 64-bit, So the further 32-bit CPU will support the CET too, In fact GCC has supported the CET feature in 32-bit machines by Lu HongJiu who write the https://github.com/hjl-tools/linux-abi/wiki/linux-abi-draft.pdf.
Thank you very much!
rLLD LLVM Linker
CHANGES SINCE LAST ACTION
More information about the llvm-commits