[PATCH] D105603: [X86][CET] Support to build LLVM toolchain with CET enabled.

xiongji90 via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 7 19:11:37 PDT 2021 

xiongji90 created this revision.
xiongji90 added a reviewer: LuoYuanke.
Herald added subscribers: pengfei, mgorny.
xiongji90 requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.

This patch is the first one of a series of patches aiming to support to build llvm toolchain(compiler, tools, libraries) with CET enabled. Currently, CET has been implemented in x86 Linux target and in order to compile source code with CET enabled, "-fcf-protection=full" should be added. CET introduces 'IBT' which restricts the target of indirect jumps and 'SHSTK' is also introduced which aims to check the return address when a function is going to return to caller. This patch introduces the option "LLVM_BUILD_CET_ENABLE", if you want to build compiler and libraries with CET enabled, you can define it to true:
cmake -G "Unix Makefiles" -DLLVM_BUILD_CET_ENABLE=True ...
The default value is false. When LLVM_BUILD_CET_ENABLE is true, "-fcf-protection=full" will be added to C and CXX flag when the compiler used to build LLVM supports.
The source code in llvm project can be split into:

1. pure C or C++ code which doesn't include any inline assembly code
2. C or C++ code include some inline assembly code
3. Assembly code

To 1, adding "-fcf-proection=full" should be enough but to 2 and 3, we need to go through the assembly code and and "endbr" to all target of indirect jumps. Currently, we didn't consider JIT libraries.
With this patch, we can build compiler and most tools such as llvm-link, clang-format, FileCheck with CET enabled and some libraries such as libc++, libc++abi can be CET enabled too. Next, we need to support building libunwind, compiler-rt with CET enabled.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D105603

Files:
  llvm/CMakeLists.txt
  llvm/cmake/modules/HandleLLVMOptions.cmake
  llvm/cmake/modules/LLVMConfig.cmake.in
  llvm/docs/CMake.rst


Index: llvm/docs/CMake.rst
===================================================================
--- llvm/docs/CMake.rst
+++ llvm/docs/CMake.rst
@@ -250,6 +250,10 @@
   Build 32-bit executables and libraries on 64-bit systems. This option is
   available only on some 64-bit Unix systems. Defaults to OFF.
 
+**LLVM_BUILD_CET_ENABLE**:BOOL
+  Build executables and libraries with CET enabled. CET is currently implemented
+  in x86 GNU/Linux target. Defaults to OFF.
+
 **LLVM_BUILD_BENCHMARKS**:BOOL
   Adds benchmarks to the list of default targets. Defaults to OFF.
 
Index: llvm/cmake/modules/LLVMConfig.cmake.in
===================================================================
--- llvm/cmake/modules/LLVMConfig.cmake.in
+++ llvm/cmake/modules/LLVMConfig.cmake.in
@@ -74,6 +74,8 @@
 
 set(LLVM_BUILD_32_BITS @LLVM_BUILD_32_BITS@)
 
+set(LLVM_BUILD_CET_ENABLE @LLVM_BUILD_CET_ENABLE@)
+
 if (NOT "@LLVM_PTHREAD_LIB@" STREQUAL "")
   set(LLVM_PTHREAD_LIB "@LLVM_PTHREAD_LIB@")
 endif()
Index: llvm/cmake/modules/HandleLLVMOptions.cmake
===================================================================
--- llvm/cmake/modules/HandleLLVMOptions.cmake
+++ llvm/cmake/modules/HandleLLVMOptions.cmake
@@ -366,6 +366,17 @@
   endif( LLVM_BUILD_32_BITS )
 endif( CMAKE_SIZEOF_VOID_P EQUAL 8 AND NOT WIN32 )
 
+# To enable CET in compilation, "-fcf-protection=full" should
+# be added. Currently, CET has been implemented in x86 GNU/Linux target.
+if(NOT WIN32)
+  if( LLVM_BUILD_CET_ENABLE)
+    add_flag_if_supported("-fcf-protection=full" CET)
+    if((NOT C_SUPPORTS_CET) OR (NOT CXX_SUPPORTS_CET))
+      message(FATAL_ERROR "The compiler used for building doesn't support CET!")
+    endif()
+  endif( LLVM_BUILD_CET_ENABLE)
+endif()
+
 # If building on a GNU specific 32-bit system, make sure off_t is 64 bits
 # so that off_t can stored offset > 2GB.
 # Android until version N (API 24) doesn't support it.
Index: llvm/CMakeLists.txt
===================================================================
--- llvm/CMakeLists.txt
+++ llvm/CMakeLists.txt
@@ -513,6 +513,10 @@
   option(LLVM_BUILD_32_BITS "Build 32 bits executables and libraries." OFF)
 endif()
 
+if(NOT WIN32)
+  option(LLVM_BUILD_CET_ENABLE "Build executables and libraries with CET enabled." OFF)
+endif()
+
 # Define the default arguments to use with 'lit', and an option for the user to
 # override.
 set(LIT_ARGS_DEFAULT "-sv")


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D105603.357113.patch
Type: text/x-patch
Size: 2402 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20210708/241f1f29/attachment.bin>

More information about the llvm-commits mailing list