From 1ecae1fc238a6b02b3cc2de6a24d73966bc45a03 Mon Sep 17 00:00:00 2001 
From: Igor Tsimbalist Date: Fri, 17 Nov 2017 14:34:39 +0100 Subject: [PATCH] Enable building libgcc with CET options. Enable building libgcc with CET options by default on Linux/x86 if binutils supports CET v2.0. It can be disabled with --disable-cet. It is an error to configure GCC with --enable-cet if binutils doesn't support CET v2.0. ENDBR instruction is added to __morestack_large_model since it is called indirectly. 2017-11-17 Igor Tsimbalist config/ * cet.m4: New file. gcc/ * config.gcc (extra_headers): Add cet.h for x86 targets. * config/i386/cet.h: New file. * doc/install.texi: Add --enable-cet/--disable-cet. libgcc/ * Makefile.in (configure_deps): Add $(srcdir)/../config/cet.m4. (CET_FLAGS): New. * config/i386/morestack.S: Include . (__morestack_large_model): Add _CET_ENDBR at function entrance. * config/i386/resms64.h: Include . * config/i386/resms64f.h: Likewise. * config/i386/resms64fx.h: Likewise. * config/i386/resms64x.h: Likewise. * config/i386/savms64.h: Likewise. * config/i386/savms64f.h: Likewise. * config/i386/t-linux (HOST_LIBGCC2_CFLAGS): Add $(CET_FLAGS). (CRTSTUFF_T_CFLAGS): Likewise. * configure.ac: Include ../config/cet.m4. Set and substitute CET_FLAGS. * configure: Regenerated. From-SVN: r254868 --- config/ChangeLog | 4 ++ config/cet.m4 | 38 ++++++++++++++ gcc/ChangeLog | 6 +++ gcc/config.gcc | 4 +- gcc/config/i386/cet.h | 93 ++++++++++++++++++++++++++++++++++ gcc/doc/install.texi | 13 +++++ libgcc/ChangeLog | 18 +++++++ libgcc/Makefile.in | 5 +- libgcc/config/i386/morestack.S | 3 ++ libgcc/config/i386/resms64.h | 2 + libgcc/config/i386/resms64f.h | 2 + libgcc/config/i386/resms64fx.h | 2 + libgcc/config/i386/resms64x.h | 2 + libgcc/config/i386/savms64.h | 2 + libgcc/config/i386/savms64f.h | 2 + libgcc/config/i386/t-linux | 3 +- libgcc/configure | 72 ++++++++++++++++++++++++++ libgcc/configure.ac | 4 ++ 18 files changed, 271 insertions(+), 4 deletions(-) create mode 100644 config/cet.m4 create mode 100644 gcc/config/i386/cet.h 
diff --git a/config/ChangeLog b/config/ChangeLog index 90e1af4779d..2bb5244caa4 100644 --- a/config/ChangeLog +++ b/config/ChangeLog @@ -1,3 +1,7 @@ +2017-11-17 Igor Tsimbalist + + * cet.m4: New file. + 2017-11-15 Alexandre Oliva * bootstrap-debug-lean.mk (do-compare): Use the diff --git a/config/cet.m4 b/config/cet.m4 new file mode 100644 index 00000000000..715f4bded19 --- /dev/null +++ b/config/cet.m4 @@ -0,0 +1,38 @@ +dnl +dnl GCC_CET_FLAGS +dnl (SHELL-CODE_HANDLER) +dnl +AC_DEFUN([GCC_CET_FLAGS],[dnl +GCC_ENABLE(cet, default, ,[enable Intel CET in target libraries], + permit yes|no|default) +case "$host" in + i[[34567]]86-*-linux* | x86_64-*-linux*) + case "$enable_cet" in + default) + # Check if assembler supports CET. + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [], + [asm ("setssbsy");])], + [enable_cet=yes], + [enable_cet=no]) + ;; + yes) + # Check if assembler supports CET. + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [], + [asm ("setssbsy");])], + [], + [AC_MSG_ERROR([assembler with CET support is required for --enable-cet])]) + ;; + esac + ;; + *) + enable_cet=no + ;; +esac +if test x$enable_cet = xyes; then + $1="-fcf-protection -mcet" +fi +]) diff --git a/gcc/ChangeLog b/gcc/ChangeLog index 030a13ca282..a08574d7aaf 100644 --- a/gcc/ChangeLog +++ b/gcc/ChangeLog @@ -1,3 +1,9 @@ +2017-11-17 Igor Tsimbalist + + * config.gcc (extra_headers): Add cet.h for x86 targets. + * config/i386/cet.h: New file. + * doc/install.texi: Add --enable-cet/--disable-cet. + 2017-11-17 Richard Biener PR tree-optimization/83017 diff --git a/gcc/config.gcc b/gcc/config.gcc index 8ee8e8c7c8b..24f904455b0 100644 --- a/gcc/config.gcc +++ b/gcc/config.gcc @@ -379,7 +379,7 @@ i[34567]86-*-*) avx512vbmivlintrin.h avx5124fmapsintrin.h avx5124vnniwintrin.h avx512vpopcntdqintrin.h clwbintrin.h mwaitxintrin.h clzerointrin.h pkuintrin.h sgxintrin.h cetintrin.h - gfniintrin.h" + gfniintrin.h cet.h" ;; x86_64-*-*) cpu_type=i386 
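Review bot: In config/cet.m4 the output variable `$1` is assigned only when `enable_cet` ends up `yes`, so on every other path `CET_FLAGS` keeps whatever value configure already had (for instance one inherited from the environment) and `AC_SUBST` passes it on; I would clear it first with `$1=` ahead of the final `if`, and quote the operand as `test "x$enable_cet" = xyes`. The `default` branch also drops the hardening silently when the `setssbsy` probe fails, and nothing is written to the configure output, so a build log cannot tell whether libgcc was built with `-fcf-protection -mcet`; an `AC_MSG_CHECKING([for CET support])` / `AC_MSG_RESULT([$enable_cet])` pair around the case would record it. The probe only shows that the assembler accepts a CET instruction, not that the compiler accepts the two flags.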
@@ -404,7 +404,7 @@ x86_64-*-*) avx512vbmivlintrin.h avx5124fmapsintrin.h avx5124vnniwintrin.h avx512vpopcntdqintrin.h clwbintrin.h mwaitxintrin.h clzerointrin.h pkuintrin.h sgxintrin.h cetintrin.h - gfniintrin.h" + gfniintrin.h cet.h" ;; ia64-*-*) extra_headers=ia64intrin.h diff --git a/gcc/config/i386/cet.h b/gcc/config/i386/cet.h new file mode 100644 index 00000000000..73008449ee0 --- /dev/null +++ b/gcc/config/i386/cet.h 
@@ -0,0 +1,93 @@
+/* ELF program property for Intel CET.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+
+ This file is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 3, or (at your option) any
+ later version.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ Under Section 7 of GPL version 3, you are granted additional
+ permissions described in the GCC Runtime Library Exception, version
+ 3.1, as published by the Free Software Foundation.
+
+ You should have received a copy of the GNU General Public License and
+ a copy of the GCC Runtime Library Exception along with this program;
+ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ .
+ */
+
+/* Add x86 feature with IBT and/or SHSTK bits to ELF program property
+ if they are enabled. Otherwise, contents in this header file are
+ unused. Define _CET_ENDBR for assembly codes. _CET_ENDBR should be
+ placed unconditionally at the entrance of a function whose address
+ may be taken. */
+
+#ifndef _CET_H_INCLUDED
+#define _CET_H_INCLUDED
+
+#ifdef __ASSEMBLER__
+
+# ifdef __IBT__
+# ifdef __x86_64__
+# define _CET_ENDBR endbr64
+# else
+# define _CET_ENDBR endbr32
+# endif
+# else
+# define _CET_ENDBR
+# endif
+
+# ifdef __ELF__
+# ifdef __CET__
+# ifdef __IBT__
+/* GNU_PROPERTY_X86_FEATURE_1_IBT. */
+# define __PROPERTY_IBT 0x1
+# else
+# define __PROPERTY_IBT 0x0
+# endif
+
+# ifdef __SHSTK__
+/* GNU_PROPERTY_X86_FEATURE_1_SHSTK. 
*/ +# define __PROPERTY_SHSTK 0x2 +# else +# define __PROPERTY_SHSTK 0x0 +# endif + +# define __PROPERTY_BITS (__PROPERTY_IBT | __PROPERTY_SHSTK) + +# ifdef __LP64__ +# define __PROPERTY_ALIGN 3 +# else +# define __PROPERTY_ALIGN 2 +# endif + + .pushsection ".note.gnu.property", "a" + .p2align __PROPERTY_ALIGN + .long 1f - 0f /* name length. */ + .long 4f - 1f /* data length. */ + /* NT_GNU_PROPERTY_TYPE_0. */ + .long 5 /* note type. */ +0: + .asciz "GNU" /* vendor name. */ +1: + .p2align __PROPERTY_ALIGN + /* GNU_PROPERTY_X86_FEATURE_1_AND. */ + .long 0xc0000002 /* pr_type. */ + .long 3f - 2f /* pr_datasz. */ +2: + /* GNU_PROPERTY_X86_FEATURE_1_XXX. */ + .long __PROPERTY_BITS +3: + .p2align __PROPERTY_ALIGN +4: + .popsection +# endif /* __CET__ */ +# endif /* __ELF__ */ +#endif /* __ASSEMBLER__ */ + +#endif /* _CET_H_INCLUDED */ diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index 22e5731f6cd..a9032c9021c 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi @@ -2065,6 +2065,19 @@ explicitly specify the directory where they are installed. The shorthand for @option{--with-hsa-runtime-lib=@/@var{hsainstalldir}/lib} and @option{--with-hsa-runtime-include=@/@var{hsainstalldir}/include}. + +@item --enable-cet +@itemx --disable-cet +Enable building target run-time libraries with control-flow +instrumentation, see @option{-fcf-protection} option. When +@code{--enable-cet} is specified target libraries are configured +to add @option{-fcf-protection} and, if needed, other target +specific options to a set of building options. + +The option is enabled by default on Linux/x86 if target binutils +supports @code{Intel CET} instructions. In this case the target +libraries are configured to get additional @option{-fcf-protection} +and @option{-mcet} options. @end table @subheading Cross-Compiler-Specific Options diff --git a/libgcc/ChangeLog b/libgcc/ChangeLog index a069cd79511..da4d1adad91 100644 --- a/libgcc/ChangeLog +++ b/libgcc/ChangeLog 
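Review bot: The header comment in gcc/config/i386/cet.h does not state the contract that including it creates: when `__CET__` is defined, every assembly file that includes it gets a `.note.gnu.property` entry advertising IBT and/or SHSTK, whether or not that file actually places `_CET_ENDBR` at its indirectly reachable entry points. Since the property type is named `GNU_PROPERTY_X86_FEATURE_1_AND`, the bits are presumably combined across input objects, so the marking is a claim about the whole file and a wrong claim would only surface as a control-protection fault at run time. I would extend the comment with something like `Including this file marks the object as CET-compatible; every indirect branch target in the including file must begin with _CET_ENDBR.` The resms64*.h and savms64*.h hunks further down add the include without any `_CET_ENDBR`, so it is worth confirming those stubs are reached only by direct call or jump.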
@@ -1,3 +1,21 @@ +2017-11-17 Igor Tsimbalist + + * Makefile.in (configure_deps): Add $(srcdir)/../config/cet.m4. + (CET_FLAGS): New. + * config/i386/morestack.S: Include . + (__morestack_large_model): Add _CET_ENDBR at function entrance. + * config/i386/resms64.h: Include . + * config/i386/resms64f.h: Likewise. + * config/i386/resms64fx.h: Likewise. + * config/i386/resms64x.h: Likewise. + * config/i386/savms64.h: Likewise. + * config/i386/savms64f.h: Likewise. + * config/i386/t-linux (HOST_LIBGCC2_CFLAGS): Add $(CET_FLAGS). + (CRTSTUFF_T_CFLAGS): Likewise. + * configure.ac: Include ../config/cet.m4. + Set and substitute CET_FLAGS. + * configure: Regenerated. + 2017-11-14 Rainer Orth * config.host (*-*-solaris2*): Adapt comment for Solaris 12 diff --git a/libgcc/Makefile.in b/libgcc/Makefile.in index a1a392de88d..eaa68b5c646 100644 --- a/libgcc/Makefile.in +++ b/libgcc/Makefile.in @@ -171,7 +171,8 @@ configure_deps = \ $(srcdir)/../config/dfp.m4 \ $(srcdir)/../config/unwind_ipinfo.m4 \ $(srcdir)/../config/gthr.m4 \ - $(srcdir)/../config/sjlj.m4 + $(srcdir)/../config/sjlj.m4 \ + $(srcdir)/../config/cet.m4 $(srcdir)/configure: @MAINT@ $(srcdir)/configure.ac $(configure_deps) cd $(srcdir) && $(AUTOCONF) @@ -254,6 +255,8 @@ HOST_LIBGCC2_CFLAGS = PICFLAG = @PICFLAG@ +CET_FLAGS = @CET_FLAGS@ + # Defined in libgcc2.c, included only in the static library. LIB2FUNCS_ST = _eprintf __gcc_bcmp diff --git a/libgcc/config/i386/morestack.S b/libgcc/config/i386/morestack.S index 9d185c111ea..79d5db949e9 100644 --- a/libgcc/config/i386/morestack.S +++ b/libgcc/config/i386/morestack.S @@ -91,6 +91,8 @@ # __morestack to call __morestack_non_split instead. We just bump the # requested stack space by 16K. +#include + .global __morestack_non_split .hidden __morestack_non_split @@ -701,6 +703,7 @@ DW.ref.__gcc_personality_v0: __morestack_large_model: .cfi_startproc + _CET_ENDBR movq %r10, %r11 andl $0xffffffff, %r10d 
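Review bot: `_CET_ENDBR` is added only at `__morestack_large_model`, but the include added in the first morestack.S hunk (presumably of cet.h, whose name was lost on this page) also marks the whole object as SHSTK-compatible when it is assembled with the CET flags. morestack.S switches stacks, and its other entry points and return paths lie outside both hunks, so it is not visible here that they stay consistent with a shadow stack or that no other label is reached indirectly. A comment next to the include such as `# cet.h emits the CET property note for this object; audit every indirect entry and return path before relying on it` would make the obligation explicit. `__morestack_large_model` continues past the end of the hunk.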
diff --git a/libgcc/config/i386/resms64.h b/libgcc/config/i386/resms64.h index f01b41897bc..45a42da158f 100644 --- a/libgcc/config/i386/resms64.h +++ b/libgcc/config/i386/resms64.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" diff --git a/libgcc/config/i386/resms64f.h b/libgcc/config/i386/resms64f.h index 743ec514cef..00805b33a1e 100644 --- a/libgcc/config/i386/resms64f.h +++ b/libgcc/config/i386/resms64f.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" diff --git a/libgcc/config/i386/resms64fx.h b/libgcc/config/i386/resms64fx.h index 965807a1299..85083cd1b07 100644 --- a/libgcc/config/i386/resms64fx.h +++ b/libgcc/config/i386/resms64fx.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" diff --git a/libgcc/config/i386/resms64x.h b/libgcc/config/i386/resms64x.h index 689a1dec20b..fcf885e2311 100644 --- a/libgcc/config/i386/resms64x.h +++ b/libgcc/config/i386/resms64x.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" diff --git a/libgcc/config/i386/savms64.h b/libgcc/config/i386/savms64.h index 28d5e3548ab..570902daf9d 100644 --- a/libgcc/config/i386/savms64.h +++ b/libgcc/config/i386/savms64.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" 
diff --git a/libgcc/config/i386/savms64f.h b/libgcc/config/i386/savms64f.h index 723e1080f5c..51c9d9704ae 100644 --- a/libgcc/config/i386/savms64f.h +++ b/libgcc/config/i386/savms64f.h @@ -23,6 +23,8 @@ a copy of the GCC Runtime Library Exception along with this program; see the files COPYING3 and COPYING.RUNTIME respectively. If not, see . */ +#include + #ifdef __x86_64__ #include "i386-asm.h" diff --git a/libgcc/config/i386/t-linux b/libgcc/config/i386/t-linux index 11bb46e0ee4..8506a635790 100644 --- a/libgcc/config/i386/t-linux +++ b/libgcc/config/i386/t-linux @@ -3,4 +3,5 @@ # t-slibgcc-elf-ver and t-linux SHLIB_MAPFILES = libgcc-std.ver $(srcdir)/config/i386/libgcc-glibc.ver -HOST_LIBGCC2_CFLAGS += -mlong-double-80 -DUSE_ELF_SYMVER +HOST_LIBGCC2_CFLAGS += -mlong-double-80 -DUSE_ELF_SYMVER $(CET_FLAGS) +CRTSTUFF_T_CFLAGS += $(CET_FLAGS) diff --git a/libgcc/configure b/libgcc/configure index 20169b18fe9..38a28c2a48f 100644 --- a/libgcc/configure +++ b/libgcc/configure @@ -573,6 +573,7 @@ vis_hide real_host_noncanonical accel_dir_suffix force_explicit_eh_registry +CET_FLAGS fixed_point enable_decimal_float decimal_float @@ -675,6 +676,7 @@ with_build_libsubdir enable_largefile enable_decimal_float with_system_libunwind +enable_cet enable_explicit_exception_frame_registration with_glibc_version enable_tls @@ -1314,6 +1316,8 @@ Optional Features: enable decimal float extension to C. Selecting 'bid' or 'dpd' choses which decimal floating point format to use + --enable-cet enable Intel CET in target libraries + [default=default] --enable-explicit-exception-frame-registration register exception tables explicitly at module start, for use e.g. for compatibility with 
@@ -4773,6 +4777,74 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sjlj_exceptions" >&5 $as_echo "$ac_cv_sjlj_exceptions" >&6; } + # Check whether --enable-cet was given. +if test "${enable_cet+set}" = set; then : + enableval=$enable_cet; + case "$enableval" in + yes|no|default) ;; + *) as_fn_error "Unknown argument to enable/disable cet" "$LINENO" 5 ;; + esac + +else + enable_cet=default +fi + + +case "$host" in + i[34567]86-*-linux* | x86_64-*-linux*) + case "$enable_cet" in + default) + # Check if assembler supports CET. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +asm ("setssbsy"); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + enable_cet=yes +else + enable_cet=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ;; + yes) + # Check if assembler supports CET. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +asm ("setssbsy"); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + as_fn_error "assembler with CET support is required for --enable-cet" "$LINENO" 5 +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ;; + esac + ;; + *) + enable_cet=no + ;; +esac +if test x$enable_cet = xyes; then + CET_FLAGS="-fcf-protection -mcet" +fi + + + # Check whether --enable-explicit-exception-frame-registration was given. if test "${enable_explicit_exception_frame_registration+set}" = set; then : enableval=$enable_explicit_exception_frame_registration; diff --git a/libgcc/configure.ac b/libgcc/configure.ac index 53e77757aa8..6e76a68bc0c 100644 --- a/libgcc/configure.ac +++ b/libgcc/configure.ac @@ -11,6 +11,7 @@ sinclude(../config/dfp.m4) sinclude(../config/unwind_ipinfo.m4) sinclude(../config/gthr.m4) sinclude(../config/sjlj.m4) +sinclude(../config/cet.m4) AC_PREREQ(2.64) AC_INIT([GNU C Runtime Library], 1.0,,[libgcc]) 
@@ -236,6 +237,9 @@ GCC_CHECK_UNWIND_GETIPINFO # Check if the compiler is configured for setjmp/longjmp exceptions. GCC_CHECK_SJLJ_EXCEPTIONS +GCC_CET_FLAGS(CET_FLAGS) +AC_SUBST(CET_FLAGS) + AC_ARG_ENABLE([explicit-exception-frame-registration], [AC_HELP_STRING([--enable-explicit-exception-frame-registration], [register exception tables explicitly at module start, for use -- 2.30.2