HomePhabricator

[ELF] Add -z force-ibt and -z shstk for Intel Control-flow Enforcement…

Authored by MaskRay on Dec 10 2019, 6:05 PM.

Description

[ELF] Add -z force-ibt and -z shstk for Intel Control-flow Enforcement Technology

This patch is a joint work by Rui Ueyama and me based on D58102 by Xiang Zhang.

It adds Intel CET (Control-flow Enforcement Technology) support to lld.
The implementation follows the draft version of psABI which you can
download from https://github.com/hjl-tools/x86-psABI/wiki/X86-psABI.

CET introduces a new restriction on indirect jump instructions so that
you can limit the places to which you can jump to using indirect jumps.

In order to use the feature, you need to compile source files with
-fcf-protection=full.

  • IBT is enabled if all input files are compiled with the flag. To force enabling ibt, pass -z force-ibt.
  • SHSTK is enabled if all input files are compiled with the flag, or if -z shstk is specified.

IBT-enabled executables/shared objects have two PLT sections, ".plt" and
".plt.sec". For the details as to why we have two sections, please read
the comments.

Reviewed By: xiangzhangllvm

Differential Revision: https://reviews.llvm.org/D59780

Details