Add support for control-flow protection

This change adds a flag for configuring control-flow protection in the
LLVM backend. In Clang, this flag is exposed as `-fcf-protection` with
options `none|branch|return|full`. This convention is followed for
`rustc`, though as a codegen option: `rustc -Z
cf-protection=<none|branch|return|full>`.

Co-authored-by: BlackHoleFox <blackholefoxdev@gmail.com>
This commit is contained in:
Andrew Brown 2022-01-28 09:48:59 -08:00
parent b321742c6c
commit 8d6c973c7f
5 changed files with 141 additions and 5 deletions

View File

@ -21,7 +21,8 @@ use rustc_middle::ty::layout::{
};
use rustc_middle::ty::{self, Instance, Ty, TyCtxt};
use rustc_middle::{bug, span_bug};
use rustc_session::config::{BranchProtection, CFGuard, CrateType, DebugInfo, PAuthKey, PacRet};
use rustc_session::config::{BranchProtection, CFGuard, CFProtection};
use rustc_session::config::{CrateType, DebugInfo, PAuthKey, PacRet};
use rustc_session::Session;
use rustc_span::source_map::Span;
use rustc_span::symbol::Symbol;
@ -287,6 +288,24 @@ pub unsafe fn create_module<'ll>(
);
}
// Pass on the control-flow protection flags to LLVM (equivalent to `-fcf-protection` in Clang).
if let CFProtection::Branch | CFProtection::Full = sess.opts.debugging_opts.cf_protection {
llvm::LLVMRustAddModuleFlag(
llmod,
llvm::LLVMModFlagBehavior::Override,
"cf-protection-branch\0".as_ptr().cast(),
1,
)
}
if let CFProtection::Return | CFProtection::Full = sess.opts.debugging_opts.cf_protection {
llvm::LLVMRustAddModuleFlag(
llmod,
llvm::LLVMModFlagBehavior::Override,
"cf-protection-return\0".as_ptr().cast(),
1,
)
}
llmod
}

View File

@ -63,6 +63,22 @@ pub enum CFGuard {
Checks,
}
/// The different settings that the `-Z cf-protection` flag can have.
#[derive(Clone, Copy, PartialEq, Hash, Debug)]
pub enum CFProtection {
/// Do not enable control-flow protection
None,
/// Emit control-flow protection for branches (enables indirect branch tracking).
Branch,
/// Emit control-flow protection for returns.
Return,
/// Emit control-flow protection for both branches and returns.
Full,
}
#[derive(Clone, Copy, Debug, PartialEq, Hash)]
pub enum OptLevel {
No, // -O0
@ -2630,11 +2646,11 @@ impl PpMode {
/// we have an opt-in scheme here, so one is hopefully forced to think about
/// how the hash should be calculated when adding a new command-line argument.
crate mod dep_tracking {
use super::LdImpl;
use super::{
BranchProtection, CFGuard, CrateType, DebugInfo, ErrorOutputType, InstrumentCoverage,
LinkerPluginLto, LocationDetail, LtoCli, OptLevel, OutputType, OutputTypes, Passes,
SourceFileHashAlgorithm, SwitchWithOptPath, SymbolManglingVersion, TrimmedDefPaths,
BranchProtection, CFGuard, CFProtection, CrateType, DebugInfo, ErrorOutputType,
InstrumentCoverage, LdImpl, LinkerPluginLto, LocationDetail, LtoCli, OptLevel, OutputType,
OutputTypes, Passes, SourceFileHashAlgorithm, SwitchWithOptPath, SymbolManglingVersion,
TrimmedDefPaths,
};
use crate::lint;
use crate::options::WasiExecModel;
@ -2715,6 +2731,7 @@ crate mod dep_tracking {
NativeLibKind,
SanitizerSet,
CFGuard,
CFProtection,
TargetTriple,
Edition,
LinkerPluginLto,

View File

@ -380,6 +380,7 @@ mod desc {
pub const parse_sanitizer_memory_track_origins: &str = "0, 1, or 2";
pub const parse_cfguard: &str =
"either a boolean (`yes`, `no`, `on`, `off`, etc), `checks`, or `nochecks`";
pub const parse_cfprotection: &str = "`none`|`no`|`n` (default), `branch`, `return`, or `full`|`yes`|`y` (equivalent to `branch` and `return`)";
pub const parse_strip: &str = "either `none`, `debuginfo`, or `symbols`";
pub const parse_linker_flavor: &str = ::rustc_target::spec::LinkerFlavor::one_of();
pub const parse_optimization_fuel: &str = "crate=integer";
@ -695,6 +696,25 @@ mod parse {
true
}
crate fn parse_cfprotection(slot: &mut CFProtection, v: Option<&str>) -> bool {
if v.is_some() {
let mut bool_arg = None;
if parse_opt_bool(&mut bool_arg, v) {
*slot = if bool_arg.unwrap() { CFProtection::Full } else { CFProtection::None };
return true;
}
}
*slot = match v {
None | Some("none") => CFProtection::None,
Some("branch") => CFProtection::Branch,
Some("return") => CFProtection::Return,
Some("full") => CFProtection::Full,
Some(_) => return false,
};
true
}
crate fn parse_linker_flavor(slot: &mut Option<LinkerFlavor>, v: Option<&str>) -> bool {
match v.and_then(LinkerFlavor::from_str) {
Some(lf) => *slot = Some(lf),
@ -1142,6 +1162,8 @@ options! {
"select which borrowck is used (`mir` or `migrate`) (default: `migrate`)"),
branch_protection: BranchProtection = (BranchProtection::default(), parse_branch_protection, [TRACKED],
"set options for branch target identification and pointer authentication on AArch64"),
cf_protection: CFProtection = (CFProtection::None, parse_cfprotection, [TRACKED],
"instrument control-flow architecture protection"),
cgu_partitioning_strategy: Option<String> = (None, parse_opt_string, [TRACKED],
"the codegen unit partitioning strategy to use"),
chalk: bool = (false, parse_bool, [TRACKED],

View File

@ -0,0 +1,40 @@
# `cf-protection`
This option enables control-flow enforcement technology (CET) on x86; a more detailed description of
CET is available [here]. Similar to `clang`, this flag takes one of the following values:
- `none` - Disable CET completely (this is the default).
- `branch` - Enable indirect branch tracking (`IBT`).
- `return` - Enable shadow stack (`SHSTK`).
- `full` - Enable both `branch` and `return`.
[here]: https://www.intel.com/content/www/us/en/develop/articles/technical-look-control-flow-enforcement-technology.html
This flag only applies to the LLVM backend: it sets the `cf-protection-branch` and
`cf-protection-return` flags on LLVM modules. Note, however, that all compiled modules linked
together must have the flags set for the compiled output to be CET-enabled. Currently, Rust's
standard library does not ship with CET enabled by default, so you may need to rebuild all standard
modules with a `cargo` command like:
```sh
$ RUSTFLAGS="-Z cf-protection=full" RUSTC="rustc-custom" cargo +nightly build -Z build-std --target x86_64-unknown-linux-gnu
```
### Detection
An ELF binary is CET-enabled if it has the `IBT` and `SHSTK` tags, e.g.:
```sh
$ readelf -a target/x86_64-unknown-linux-gnu/debug/example | grep feature:
Properties: x86 feature: IBT, SHSTK
```
### Troubleshooting
To display modules that are not CET enabled, examine the linker errors available when `cet-report` is enabled:
```sh
$ RUSTC_LOG=rustc_codegen_ssa::back::link=info rustc-custom -v -Z cf-protection=full -C link-arg="-Wl,-z,cet-report=warning" -o example example.rs
...
/usr/bin/ld: /.../build/x86_64-unknown-linux-gnu/stage1/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-d73f7266be14cb8b.rlib(std-d73f7266be14cb8b.std.f7443020-cgu.12.rcgu.o): warning: missing IBT and SHSTK properties
```

View File

@ -0,0 +1,38 @@
// Test that the correct module flags are emitted with different control-flow protection flags.
// revisions: undefined none branch return full
// needs-llvm-components: x86
// [undefined] compile-flags:
// [none] compile-flags: -Z cf-protection=none
// [branch] compile-flags: -Z cf-protection=branch
// [return] compile-flags: -Z cf-protection=return
// [full] compile-flags: -Z cf-protection=full
// compile-flags: --target x86_64-unknown-linux-gnu
#![crate_type = "lib"]
#![feature(no_core, lang_items)]
#![no_core]
#[lang="sized"]
trait Sized { }
// A basic test function.
pub fn test() {
}
// undefined-NOT: !"cf-protection-branch"
// undefined-NOT: !"cf-protection-return"
// none-NOT: !"cf-protection-branch"
// none-NOT: !"cf-protection-return"
// branch-NOT: !"cf-protection-return"
// branch: !"cf-protection-branch", i32 1
// branch-NOT: !"cf-protection-return"
// return-NOT: !"cf-protection-branch"
// return: !"cf-protection-return", i32 1
// return-NOT: !"cf-protection-branch"
// full: !"cf-protection-branch", i32 1
// full: !"cf-protection-return", i32 1