[PATCH] D58102: Support X86 Control-flow Enforcement Technology (CET) in LLD

H.J Lu via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Feb 27 09:58:22 PST 2019 

hjl.tools added a comment.

In D58102#1412090 <https://reviews.llvm.org/D58102#1412090>, @peter.smith wrote:

> Thanks for putting this feature forward. I've not had a chance to go through everything in detail but I thought it would be important to mention that AArch64 has a similar set of features (Pointer Authentication PAC and Branch Target Identification BTI) that are going to use .note.gnu.property sections with GNU_PROPERTY_AARCH64_FEATURE_1_AND (same meaning as GNU_PROPERTY_X86_FEATURE_1_AND), with two associated feature bits GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC. AArch64 does need a modified PLT entry to make this work but it doesn't use a .splt, in effect an extra instruction at the top of the PLT if BTI is used and one at the end if PAC is used, or both if both BTI and PAC are needed. Given that we will have at least two targets implementing a similar mechanism but with target specific details then we'll either need to make it my responsibility to generalise the .note.gnu.property implementation so that it can support both AArch64 and X86, or we make it generic from the start. The main difference for AArch64 is that there are two independent feature bits to track.
>
> In the case of AArch64 it is important for the program loader to only enable the BTI/PAC feature for the process if the whole program has been compiled/assembled to support it. Our prior experience with assembler files in particular is that it is very easy to get a single .s file added to a build that is harmless but doesn't have the .note.gnu.property set properly and a single one of these would be enough to clear all the features. Our thoughts were to add a command line option to force generation of the appropriate PLTs and the .note.gnu.property in the output file but to warn if an input file doesn't have the .note.gnu.property flag.


$ info ld

  'shstk'
       Generate GNU_PROPERTY_X86_FEATURE_1_SHSTK in
       .note.gnu.property section to indicate compatibility with
       Intel Shadow Stack.  Supported for Linux/i386 and
       Linux/x86_64.
  
  'ibtplt'
       Generate Intel Indirect Branch Tracking (IBT) enabled PLT
       entries.  Supported for Linux/i386 and Linux/x86_64.
  
  'ibt'
       Generate GNU_PROPERTY_X86_FEATURE_1_IBT in .note.gnu.property
       section to indicate compatibility with IBT. This also implies
       'ibtplt'.  Supported for Linux/i386 and Linux/x86_64.


Repository:
  rLLD LLVM Linker

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D58102/new/

https://reviews.llvm.org/D58102

More information about the llvm-commits mailing list