CI: Check that all compilation units have CET support

This commit adds a workflow that checks if we properly support CET by compiling with -fcf-protection=full. This primarily checks that all assembly compilation units set the required note.gnu.property section signaling CET support (this can be achieved by setting -Wl,-z,cet-report=error). This does _not_ make sure all global symbols have the required endbr64 instructions. Our binaries do not use indirect branches anywhere, so if those instructions would be missing, there would not be any fault. Signed-off-by: Matthias J. Kannwischer <[email protected]>
pq-code-package · Feb 8, 2025 · 851964b · 851964b
1 parent 4b4f933
commit 851964b
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -481,6 +481,32 @@ jobs:
           nistkat: true
           kat: false
           acvp: false
+  check-cf-protections:
+    name: Test control-flow protections  (${{ matrix.compiler.name }}, x86_64)
+    needs: [quickcheck, quickcheck-windows, quickcheck-c90, quickcheck-lib, examples, lint-markdown-link]
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+         - name: gcc-14
+           shell: ci_gcc14
+         - name: clang-19
+           shell: ci_clang19
+    # On AArch64 -fcf-protection is not supported anyway
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Test control-flow protections
+        uses: ./.github/actions/multi-functest
+        with:
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          compile_mode: native
+          cflags: "-Wl,-z,cet-report=error -fcf-protection=full"
+          func: true
+          nistkat: true
+          kat: false
+          acvp: false
+          nix-shell: ${{ matrix.compiler.shell }}
   # ensure that kem.h and mlkem_native.h; api.h and native backends are compatible
   check-apis:
     strategy: