[PATCH] D59780: Support Intel Control-flow Enforcement Technology
Fangrui Song via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Dec 10 21:01:33 PST 2019
MaskRay added a comment.
@xiangzhangllvm The patch has been rebased, but it doesn't seem to work.
I made a local patch to make --require-cet behave more like --force-bti:
--- i/lld/ELF/Driver.cpp
+++ w/lld/ELF/Driver.cpp
@@ -1705,2 +1705,4 @@ template <class ELFT> static uint32_t getAndFeatures() {
- } else if (!features && config->requireCET)
- error(toString(f) + ": --require-cet: file is not compatible with CET");
+ } else if (config->requireCET && !(features & GNU_PROPERTY_X86_FEATURE_1_IBT)) {
+ warn(toString(f) + ": --require-cet: file is not compatible with CET");
+ features |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+ }
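Review bot: in the added `else if`, both the test and the forced bit cover only GNU_PROPERTY_X86_FEATURE_1_IBT, but the diagnostic still reads "file is not compatible with CET", and `--require-cet` now warns and continues where it used to call error(). An input whose features are non-zero but lack the IBT bit now takes this branch, which the old `!features` test did not; if that is intended, the message should name IBT. It is also worth stating whether any other feature bits are meant to be left untouched. Since the option no longer rejects anything, either keep error() for `--require-cet` and put the warn-and-set behaviour under a separately named option, or rename the option and its message text together.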
I tried a trivial program with 2 PLT calls.
gcc -fcf-protection=full -c a.c
gcc -fcf-protection=full a.c -o a '-###' # Retrieve linker command line, replace ld with
My GCC crt files are not CET compatible but I think that is probably irrelevant.
% ld.lld --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -o a /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/8/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/8 -L/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/8/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/8/../../.. a.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/8/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o --require-cet -o a
ld.lld: warning: /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/Scrt1.o: --require-cet: file is not compatible with CET
ld.lld: warning: /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o: --require-cet: file is not compatible with CET
ld.lld: warning: /usr/lib/gcc/x86_64-linux-gnu/8/crtbeginS.o: --require-cet: file is not compatible with CET
ld.lld: warning: /usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): --require-cet: file is not compatible with CET
ld.lld: warning: /usr/lib/gcc/x86_64-linux-gnu/8/crtendS.o: --require-cet: file is not compatible with CET
ld.lld: warning: /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o: --require-cet: file is not compatible with CET
OK, it segfaults. So there may be some issues in the PLT.
./a => segmentation fault
Peter Smith implemented `--force-bti` for AArch64 in D62609 <https://reviews.llvm.org/D62609>.
Its semantics are:
> --force-bti : Act as if all relocatable inputs had GNU_PROPERTY_AARCH64_FEATURE_1_BTI and warn for every relocatable object that does not.
Do you think it makes more sense to change `--require-cet` to `--force-cet` or `--force-ibt`?
There is also some glibc code
@peter.smith I find that in binutils-gdb, the AArch64 option is named `-z force-bti`, not `--force-bti` (commit `[BFD, LD, AArch64, 2/3] Add --force-bti to enable BTI and to select BTI enabled PLTs`). Do you intend to make them consistent?
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D59780/new/
https://reviews.llvm.org/D59780
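An added example, not part of the patch or of lld: a small checker that reads the x86 feature bits from the raw bytes of a `.note.gnu.property` section and reports which link inputs lack the IBT marking, the condition behind the warnings in the comment above. The helper names (`x86_feature_1`, `make_note`, `audit`) are hypothetical, the note bytes are constructed samples, and ELF64 little-endian layout is assumed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_feature_1(section, word=8):
    """Return the FEATURE_1_AND bits in raw .note.gnu.property bytes (0 if none)."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_end = off + 12 + namesz
        desc_off = _align(name_end, 4)
        desc = section[desc_off:desc_off + descsz]
        if len(desc) != descsz:
            raise ValueError("truncated note")
        is_gnu = section[off + 12:name_end] == b"GNU\0"
        off = _align(desc_off + descsz, word)  # next note (8-byte aligned on ELF64)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or not is_gnu:
            continue
        p = 0
        while p + 8 <= len(desc):  # walk the (pr_type, pr_datasz, data) array
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and p + 12 <= len(desc):
                return struct.unpack_from("<I", desc, p + 8)[0]
            p = _align(p + 8 + pr_datasz, word)
    return 0

def make_note(features):
    """Constructed sample: one GNU property note carrying FEATURE_1_AND."""
    desc = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, features)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

def audit(inputs):
    """Map {name: section bytes or None} to (ANDed features, inputs lacking IBT)."""
    feats = {n: x86_feature_1(s) if s else 0 for n, s in inputs.items()}
    combined = 0xFFFFFFFF if feats else 0
    for f in feats.values():
        combined &= f  # a feature survives only if every input carries it
    missing = [n for n, f in feats.items() if not f & GNU_PROPERTY_X86_FEATURE_1_IBT]
    return combined, missing

if __name__ == "__main__":
    full = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK
    print(audit({"a.o": make_note(full), "crti.o": None}))  # crti.o has no note
```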