x86_64: Add CET instructions and check in CI #761
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkannwischer
force-pushed
the
cf-protections
branch
9 times, most recently
from
0c95f79 to
cb3a0f9
Compare
mkannwischer
force-pushed
the
cf-protections
branch
6 times, most recently
from
0b87872 to
851964b
Compare
mkannwischer
force-pushed
the
cf-protections
branch
from
851964b to
91f3f99
Compare
hanno-becker
reviewed
Feb 8, 2025
hanno-becker
reviewed
Feb 8, 2025
hanno-becker
requested changes
Feb 8, 2025
Modern x86_64 support hardware features through the CET instructions to protect against return-oriented programming (ROP) attacks. Those protections can be enabled through -fcf-protection=. For this to work, all compilation units (including assembly) need to support CET. This commit adds support and contains two main changes: 1) Each assembly file needs to set the the appropriate note.gnu.property section to signal that it does support CET. We achieve this by including cet.h in all assembly files which sets the required properties. Note that this applies also to empty compilation units (e.g., the aarch64 assembly files when compiling for x86_64). 2) Each label that can potentially be a target of an indirect branch needs to start with en endbr64 instruction, otherwise the branch faults. Our assembly does not use indirect branches and, hence, any internal branching is unaffected by this. However, the global symbols may potentially be targets of indirect branches (they don't seem to be though). To address this, we add endb64 to every global symbol by using the _CET_ENDBR macro provided by cet.h. Note that this is only adding the instruction in case CET is enabled. We introduce a new macro MLK_ASM_FN_SYMBOL that adds this automatically for X86 systems. This way our assembly simplification scripts are unaffected as the endbr64 instructions are out of scope. Signed-off-by: Matthias J. Kannwischer <[email protected]> .
Signed-off-by: Matthias J. Kannwischer <[email protected]>
This commit adds a workflow that checks if we properly support CET by compiling with -fcf-protection=full. This primarily checks that all assembly compilation units set the required note.gnu.property section signaling CET support (this can be achieved by setting -Wl,-z,cet-report=error). This does _not_ make sure all global symbols have the required endbr64 instructions. Our binaries do not use indirect branches anywhere, so if those instructions would be missing, there would not be any fault. Signed-off-by: Matthias J. Kannwischer <[email protected]>
mkannwischer
force-pushed
the
cf-protections
branch
from
91f3f99 to
9e9d899
Compare
hanno-becker
approved these changes
Feb 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Modern x86_64 support hardware features through the CET instructions to protect
against return-oriented programming (ROP) attacks. Those protections can be
enabled through -fcf-protection=.
For this to work, all compilation units (including assembly) need to support
CET.
This commit adds support and contains two main changes:
Each assembly file needs to set the the appropriate note.gnu.property
section to signal that it does support CET. We achieve this by including cet.h
in all assembly files which sets the required properties.
Note that this applies also to empty compilation units (e.g., the aarch64
assembly files when compiling for x86_64).
Each label that can potentially be a target of an indirect branch needs
to start with en endbr64 instruction, otherwise the branch faults.
Our assembly does not use indirect branches and, hence, any internal branching
is unaffected by this.
However, the global symbols may potentially be targets of indirect branches
(they don't seem to be though). To address this, we add endb64 to every global
symbol by using the _CET_ENDBR macro provided by cet.h. Note that this is
only adding the instruction in case CET is enabled.
We introduce a new macro MLK_ASM_FN_SYMBOL that adds this automatically for
X86 systems. This way our assembly simplification scripts are unaffected as
the endbr64 instructions are out of scope.
Resolves #762