From 8d6c973c7f77e63a9c5d1ce4b7c71a37fcc46f4d Mon Sep 17 00:00:00 2001 From: Andrew Brown Date: Fri, 28 Jan 2022 09:48:59 -0800 Subject: [PATCH] Add support for control-flow protection This change adds a flag for configuring control-flow protection in the LLVM backend. In Clang, this flag is exposed as `-fcf-protection` with options `none|branch|return|full`. This convention is followed for `rustc`, though as a codegen option: `rustc -Z cf-protection=`. Co-authored-by: BlackHoleFox --- compiler/rustc_codegen_llvm/src/context.rs | 21 +++++++++- compiler/rustc_session/src/config.rs | 25 ++++++++++-- compiler/rustc_session/src/options.rs | 22 ++++++++++ .../src/compiler-flags/cf-protection.md | 40 +++++++++++++++++++ src/test/codegen/cf-protection.rs | 38 ++++++++++++++++++ 5 files changed, 141 insertions(+), 5 deletions(-) create mode 100644 src/doc/unstable-book/src/compiler-flags/cf-protection.md create mode 100644 src/test/codegen/cf-protection.rs diff --git a/compiler/rustc_codegen_llvm/src/context.rs b/compiler/rustc_codegen_llvm/src/context.rs index 8672459b5da..373ae21d192 100644 --- a/compiler/rustc_codegen_llvm/src/context.rs +++ b/compiler/rustc_codegen_llvm/src/context.rs @@ -21,7 +21,8 @@ use rustc_middle::ty::layout::{ }; use rustc_middle::ty::{self, Instance, Ty, TyCtxt}; use rustc_middle::{bug, span_bug}; -use rustc_session::config::{BranchProtection, CFGuard, CrateType, DebugInfo, PAuthKey, PacRet}; +use rustc_session::config::{BranchProtection, CFGuard, CFProtection}; +use rustc_session::config::{CrateType, DebugInfo, PAuthKey, PacRet}; use rustc_session::Session; use rustc_span::source_map::Span; use rustc_span::symbol::Symbol; @@ -287,6 +288,24 @@ pub unsafe fn create_module<'ll>( ); } + // Pass on the control-flow protection flags to LLVM (equivalent to `-fcf-protection` in Clang). + if let CFProtection::Branch | CFProtection::Full = sess.opts.debugging_opts.cf_protection { + llvm::LLVMRustAddModuleFlag( + llmod, + llvm::LLVMModFlagBehavior::Override, + "cf-protection-branch\0".as_ptr().cast(), + 1, + ) + } + if let CFProtection::Return | CFProtection::Full = sess.opts.debugging_opts.cf_protection { + llvm::LLVMRustAddModuleFlag( + llmod, + llvm::LLVMModFlagBehavior::Override, + "cf-protection-return\0".as_ptr().cast(), + 1, + ) + } + llmod } diff --git a/compiler/rustc_session/src/config.rs b/compiler/rustc_session/src/config.rs index 79962d5db89..68e7cc3dc98 100644 --- a/compiler/rustc_session/src/config.rs +++ b/compiler/rustc_session/src/config.rs @@ -63,6 +63,22 @@ pub enum CFGuard { Checks, } +/// The different settings that the `-Z cf-protection` flag can have. +#[derive(Clone, Copy, PartialEq, Hash, Debug)] +pub enum CFProtection { + /// Do not enable control-flow protection + None, + + /// Emit control-flow protection for branches (enables indirect branch tracking). + Branch, + + /// Emit control-flow protection for returns. + Return, + + /// Emit control-flow protection for both branches and returns. + Full, +} + #[derive(Clone, Copy, Debug, PartialEq, Hash)] pub enum OptLevel { No, // -O0 @@ -2630,11 +2646,11 @@ impl PpMode { /// we have an opt-in scheme here, so one is hopefully forced to think about /// how the hash should be calculated when adding a new command-line argument. crate mod dep_tracking { - use super::LdImpl; use super::{ - BranchProtection, CFGuard, CrateType, DebugInfo, ErrorOutputType, InstrumentCoverage, - LinkerPluginLto, LocationDetail, LtoCli, OptLevel, OutputType, OutputTypes, Passes, - SourceFileHashAlgorithm, SwitchWithOptPath, SymbolManglingVersion, TrimmedDefPaths, + BranchProtection, CFGuard, CFProtection, CrateType, DebugInfo, ErrorOutputType, + InstrumentCoverage, LdImpl, LinkerPluginLto, LocationDetail, LtoCli, OptLevel, OutputType, + OutputTypes, Passes, SourceFileHashAlgorithm, SwitchWithOptPath, SymbolManglingVersion, + TrimmedDefPaths, }; use crate::lint; use crate::options::WasiExecModel; @@ -2715,6 +2731,7 @@ crate mod dep_tracking { NativeLibKind, SanitizerSet, CFGuard, + CFProtection, TargetTriple, Edition, LinkerPluginLto, diff --git a/compiler/rustc_session/src/options.rs b/compiler/rustc_session/src/options.rs index ae1b638c344..c069144fa9f 100644 --- a/compiler/rustc_session/src/options.rs +++ b/compiler/rustc_session/src/options.rs @@ -380,6 +380,7 @@ mod desc { pub const parse_sanitizer_memory_track_origins: &str = "0, 1, or 2"; pub const parse_cfguard: &str = "either a boolean (`yes`, `no`, `on`, `off`, etc), `checks`, or `nochecks`"; + pub const parse_cfprotection: &str = "`none`|`no`|`n` (default), `branch`, `return`, or `full`|`yes`|`y` (equivalent to `branch` and `return`)"; pub const parse_strip: &str = "either `none`, `debuginfo`, or `symbols`"; pub const parse_linker_flavor: &str = ::rustc_target::spec::LinkerFlavor::one_of(); pub const parse_optimization_fuel: &str = "crate=integer"; @@ -695,6 +696,25 @@ mod parse { true } + crate fn parse_cfprotection(slot: &mut CFProtection, v: Option<&str>) -> bool { + if v.is_some() { + let mut bool_arg = None; + if parse_opt_bool(&mut bool_arg, v) { + *slot = if bool_arg.unwrap() { CFProtection::Full } else { CFProtection::None }; + return true; + } + } + + *slot = match v { + None | Some("none") => CFProtection::None, + Some("branch") => CFProtection::Branch, + Some("return") => CFProtection::Return, + Some("full") => CFProtection::Full, + Some(_) => return false, + }; + true + } + crate fn parse_linker_flavor(slot: &mut Option, v: Option<&str>) -> bool { match v.and_then(LinkerFlavor::from_str) { Some(lf) => *slot = Some(lf), @@ -1142,6 +1162,8 @@ options! { "select which borrowck is used (`mir` or `migrate`) (default: `migrate`)"), branch_protection: BranchProtection = (BranchProtection::default(), parse_branch_protection, [TRACKED], "set options for branch target identification and pointer authentication on AArch64"), + cf_protection: CFProtection = (CFProtection::None, parse_cfprotection, [TRACKED], + "instrument control-flow architecture protection"), cgu_partitioning_strategy: Option = (None, parse_opt_string, [TRACKED], "the codegen unit partitioning strategy to use"), chalk: bool = (false, parse_bool, [TRACKED], diff --git a/src/doc/unstable-book/src/compiler-flags/cf-protection.md b/src/doc/unstable-book/src/compiler-flags/cf-protection.md new file mode 100644 index 00000000000..cc580ca9b42 --- /dev/null +++ b/src/doc/unstable-book/src/compiler-flags/cf-protection.md @@ -0,0 +1,40 @@ +# `cf-protection` + +This option enables control-flow enforcement technology (CET) on x86; a more detailed description of +CET is available [here]. Similar to `clang`, this flag takes one of the following values: + +- `none` - Disable CET completely (this is the default). +- `branch` - Enable indirect branch tracking (`IBT`). +- `return` - Enable shadow stack (`SHSTK`). +- `full` - Enable both `branch` and `return`. + +[here]: https://www.intel.com/content/www/us/en/develop/articles/technical-look-control-flow-enforcement-technology.html + +This flag only applies to the LLVM backend: it sets the `cf-protection-branch` and +`cf-protection-return` flags on LLVM modules. Note, however, that all compiled modules linked +together must have the flags set for the compiled output to be CET-enabled. Currently, Rust's +standard library does not ship with CET enabled by default, so you may need to rebuild all standard +modules with a `cargo` command like: + +```sh +$ RUSTFLAGS="-Z cf-protection=full" RUSTC="rustc-custom" cargo +nightly build -Z build-std --target x86_64-unknown-linux-gnu +``` + +### Detection + +An ELF binary is CET-enabled if it has the `IBT` and `SHSTK` tags, e.g.: + +```sh +$ readelf -a target/x86_64-unknown-linux-gnu/debug/example | grep feature: + Properties: x86 feature: IBT, SHSTK +``` + +### Troubleshooting + +To display modules that are not CET enabled, examine the linker errors available when `cet-report` is enabled: + +```sh +$ RUSTC_LOG=rustc_codegen_ssa::back::link=info rustc-custom -v -Z cf-protection=full -C link-arg="-Wl,-z,cet-report=warning" -o example example.rs +... +/usr/bin/ld: /.../build/x86_64-unknown-linux-gnu/stage1/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-d73f7266be14cb8b.rlib(std-d73f7266be14cb8b.std.f7443020-cgu.12.rcgu.o): warning: missing IBT and SHSTK properties +``` diff --git a/src/test/codegen/cf-protection.rs b/src/test/codegen/cf-protection.rs new file mode 100644 index 00000000000..ccbc863f571 --- /dev/null +++ b/src/test/codegen/cf-protection.rs @@ -0,0 +1,38 @@ +// Test that the correct module flags are emitted with different control-flow protection flags. + +// revisions: undefined none branch return full +// needs-llvm-components: x86 +// [undefined] compile-flags: +// [none] compile-flags: -Z cf-protection=none +// [branch] compile-flags: -Z cf-protection=branch +// [return] compile-flags: -Z cf-protection=return +// [full] compile-flags: -Z cf-protection=full +// compile-flags: --target x86_64-unknown-linux-gnu + +#![crate_type = "lib"] +#![feature(no_core, lang_items)] +#![no_core] + +#[lang="sized"] +trait Sized { } + +// A basic test function. +pub fn test() { +} + +// undefined-NOT: !"cf-protection-branch" +// undefined-NOT: !"cf-protection-return" + +// none-NOT: !"cf-protection-branch" +// none-NOT: !"cf-protection-return" + +// branch-NOT: !"cf-protection-return" +// branch: !"cf-protection-branch", i32 1 +// branch-NOT: !"cf-protection-return" + +// return-NOT: !"cf-protection-branch" +// return: !"cf-protection-return", i32 1 +// return-NOT: !"cf-protection-branch" + +// full: !"cf-protection-branch", i32 1 +// full: !"cf-protection-return", i32 1