From 91e422572a993304ef51e356f31574f99990373c Mon Sep 17 00:00:00 2001
From: Jim Harris
Date: Thu, 14 Jan 2021 04:06:33 -0700
Subject: [PATCH] configure: add --enable-cet to build with CET support
Intel Control-flow Enforcement Technology (CET) is a processor feature that blocks return/jump-oriented programming (ROP) attacks. It is currently only supported on Tiger Lake client processors, but will be available on other processors in the future. CET requires toolchain support. gcc8 does support it. For now, this will opt-in only at least until the technology is available on server processors.
Signed-off-by: Jim Harris
Change-Id: I8c7f882eeeaed26484c31dc0d67d5cc42baeaa2d
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/5921
Community-CI: Broadcom CI
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins
Reviewed-by: Tomasz Zawadzki
Reviewed-by: Shuhei Matsumoto
---
 CONFIG | 3 +++
 configure | 15 +++++++++++++++
 dpdkbuild/Makefile | 5 +++++
 mk/spdk.common.mk | 5 +++++
 4 files changed, 28 insertions(+)
diff --git a/CONFIG b/CONFIG
index 2d82e27bb..aafb4d4ab 100644
--- a/CONFIG
+++ b/CONFIG
@@ -76,6 +76,9 @@ CONFIG_UNIT_TESTS=y
 # Build examples
 CONFIG_EXAMPLES=y
+# Build with Control-flow Enforcement Technology (CET)
+CONFIG_CET=n
+
 # Directory that contains the desired SPDK environment library.
 # By default, this is implemented using DPDK.
 CONFIG_ENV=
diff --git a/configure b/configure
index 3bd19fcd9..6a20d2404 100755
--- a/configure
+++ b/configure
@@ -32,6 +32,7 @@ function usage()
 echo " --enable-lto Enable link-time optimization"
 echo " --enable-pgo-capture Enable generation of profile guided optimization data"
 echo " --enable-pgo-use Use previously captured profile guided optimization data"
+ echo " --enable-cet Enable Intel Control-flow Enforcement Technology (CET)"
 echo " --disable-tests Disable building of functional tests"
 echo " --disable-unit-tests Disable building of unit tests"
 echo " --disable-examples Disable building of examples"
@@ -267,6 +268,12 @@ for i in "$@"; do
 --disable-werror)
 CONFIG[WERROR]=n
 ;;
+ --enable-cet)
+ CONFIG[CET]=y
+ ;;
+ --disable-cet)
+ CONFIG[CET]=n
+ ;;
 --with-dpdk=*)
 check_dir "$i"
 CONFIG[DPDK_DIR]=$(readlink -f ${i#*=})
@@ -810,6 +817,14 @@ if [[ "${CONFIG[FUSE]}" = "y" ]]; then
 fi
 fi
+if [ "${CONFIG[CET]}" = "y" ]; then
+ if ! echo -e 'int main(void) { return 0; }\n' | ${BUILD_CMD[@]} -fcf-protection - 2>/dev/null; then
+ echo --enable-cet requires compiler/linker that supports CET.
+ echo Please install then re-run this script.
+ exit 1
+ fi
+fi
+
 # We are now ready to generate final configuration. But first do sanity
 # check to see if all keys in CONFIG array have its reflection in CONFIG file.
 if [ $(egrep -c "^\s*CONFIG_[[:alnum:]_]+=" $rootdir/CONFIG) -ne ${#CONFIG[@]} ]; then
diff --git a/dpdkbuild/Makefile b/dpdkbuild/Makefile
index 78a52bf1e..e18536e56 100644
--- a/dpdkbuild/Makefile
+++ b/dpdkbuild/Makefile
@@ -88,6 +88,11 @@ else
 DPDK_CFLAGS += -Wno-error
 endif
+ifeq ($(CONFIG_CET),y)
+DPDK_CFLAGS += -fcf-protection
+DPDK_LDFLAGS += -fcf-protection
+endif
+
 ifdef EXTRA_DPDK_CFLAGS
 $(warning EXTRA_DPDK_CFLAGS defined, possibly to work around an unsupported compiler version)
 $(shell sleep 1)
diff --git a/mk/spdk.common.mk b/mk/spdk.common.mk
index f43f3f693..f3fe5c248 100644
--- a/mk/spdk.common.mk
+++ b/mk/spdk.common.mk
@@ -107,6 +107,11 @@ COMMON_CFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
 LDFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
 endif
+ifeq ($(CONFIG_CET),y)
+COMMON_CFLAGS += -fcf-protection
+LDFLAGS += -fcf-protection
+endif
+
 COMMON_CFLAGS += -Wformat -Wformat-security
 COMMON_CFLAGS += -D_GNU_SOURCE
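Review bot: The CET probe in the `configure` hunk at `@@ -810,6 +817,14 @@` only establishes that the compiler driver accepts `-fcf-protection`; it cannot tell whether the linked binaries keep the IBT/SHSTK marker, which the linker clears when any input object was built without it (hand-written assembly, or possibly a prebuilt DPDK passed via `--with-dpdk=`). As written, `--enable-cet` can therefore succeed while the executables end up unprotected. A comment above the check would make that limit explicit, e.g. `# Only verifies the compiler accepts -fcf-protection; confirm the final binaries with readelf -n`. The two error `echo` lines would also be better on stderr, with a message that names what to install (`echo "--enable-cet requires a compiler that supports -fcf-protection" >&2`). `BUILD_CMD` is defined outside the hunk, so where the probe's output file goes is not visible here.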
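Review bot: In the `dpdkbuild/Makefile` hunk, and in the matching block in `mk/spdk.common.mk`, adding `-fcf-protection` to the link flags does not make the linker enforce anything: GNU ld silently drops the IBT/SHSTK property as soon as one input object lacks it. Where the installed binutils supports it, a line such as `LDFLAGS += -Wl,-z,cet-report=error` inside the `ifeq ($(CONFIG_CET),y)` block would turn that silent downgrade into a build failure; it would need its own probe in `configure`. A short comment on each block would help the next maintainer, e.g. `# -fcf-protection defaults to =full (branch + return); objects built without it, including assembly, clear the marker at link time`. `DPDK_LDFLAGS` is neither initialised nor consumed inside this hunk, so confirm it is actually handed to the DPDK build.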