Pointer authentication config and user facing options#156712
Conversation
Co-authored-by: Daniil Kovalev <dkovalev@accesssoftek.com>
Allow PAC metadata to be passed to `get_fn_addr` and related API changes.
The set of supported attributes is: function * "aarch64-jump-table-hardening" * "ptrauth-auth-traps" * "ptrauth-calls" * "ptrauth-indirect-gotos" * "ptrauth-returns" module * "ptrauth-elf-got" * "ptrauth-sign-personality"
Also add flag for ELF-GOT signing.
Also: * update tests to force dynamic library when targetting pauthtest * various test fixes * introduce end-to-end tests for pauthtest (in run-make)
rustbot
added
A-compiletest
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pac_config
branch
from
77fe412 to
b0a7e47
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pac_config
branch
from
b0a7e47 to
4e8d9e3
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pac_config
branch
from
4e8d9e3 to
418f447
Compare
This comment has been minimized.
This comment has been minimized.
This patch brings: * unified handling of pointer authentication options through: `-Zpointer-authentication`, with possible values: `aarch64-jump-table-hardening`, `auth-traps`, `calls`, `elf-got`, `function-pointer-type-discrimination`, `indirect-gotos`, `init-fini`, `init-fini-address-discrimination`, `return-addresses`. Toggled with `+`/`-`. * centralized handling of pointer authentication features. Session holds `pointer_auth_config: Option<PointerAuthConfig>` * encapsulation of schema for function pointers and init/fini through `PointerAuthSchema`. This allowed for retiring of `PacMetadata`. * refactor enabling of pointer authentication in code, instead of relying on the target (`pauthtest`) use the session
jchlanda
force-pushed
the
jakub/pac_config
branch
from
418f447 to
6af45da
Compare
|
@davidtwco, @folkertdev, @tgross35, @madsmtm FWI this is a follow up to #155722 and #156548 |
|
This PR modifies If appropriate, please update Some changes occurred in src/tools/compiletest cc @jieyouxu The GCC codegen subtree was changed
Some changes occurred in src/doc/rustc/src/platform-support cc @Noratrieb This PR modifies cc @jieyouxu These commits modify compiler targets. |
rustbot
added
S-waiting-on-review
|
r? @mejrs rustbot has assigned @mejrs. Use Why was this reviewer chosen?The reviewer was selected based on:
|
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pac_config
branch
from
82f7a40 to
1c7ac6d
Compare
|
☔ The latest upstream changes (presumably #156116) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Hi, I am not qualified to review this. r? madsmtm or reroll maybe |
|
|
| // <llvm_root>/llvm/include/llvm/BinaryFormat/ELF.h. | ||
| // FIXME (jchlanda) extend possible values once we start supporting other platforms (for | ||
| // example: AARCH64_PAUTH_PLATFORM_BAREMETAL = 0x1); | ||
| let aarch64_pauth_platform_llvm_linux = 0x10000002; |
There was a problem hiding this comment.
Would it be better to use const instead of let here?
| } | ||
|
|
||
| pub struct PointerAuthSchema { | ||
| pub kind: PointerAuthKind, |
There was a problem hiding this comment.
I suppose that your intention was to mimic the implementation in clang. It looks like that in clang checks against getKind() != Kind::None (for example, via isEnabled() member function or via cast to bool) are used to understand if we have some schema present or not. Your implementation seems to keep this kind field untouched and instead wrap the whole PointerAuthSchema in the Option wrapper.
So, it looks like we are just duplicating the 'optional' functionality. Can we just use the kind field for checking if the schema is none or not (just as we do in clang)?
| fn get_fn_addr( | ||
| &self, | ||
| instance: Instance<'tcx>, | ||
| schema: Option<&PointerAuthSchema>, |
There was a problem hiding this comment.
Would it be better to rename the argument to smth like pointerAuthSchema? The function by itself is not pauth-related, so I suppose that the reader might not have all the context in their mind on "what kind of schema is meant" (unless they look at function signature here)
| llfn: &'ll llvm::Value, | ||
| schema: &PointerAuthSchema, | ||
| ) -> &'ll llvm::Value { | ||
| if !cx.tcx.sess.pointer_authentication_functions() { |
There was a problem hiding this comment.
Is this check needed? My understanding was that we define schema argument somewhere earlier in the call stack based on the cx.tcx.sess.pointer_authentication_functions(), and if it's not set, the schema would just have kind == None.
So, can we delete the check and instead add an assertion against schema kind not being none?
I might be missing smth, and if so - I would appreciate your explanation on this topic
|
|
||
| /// Types of address discrimination. | ||
| pub enum PointerAuthAddressDiscriminator { | ||
| /// Enable/disable hardware address discrimination. |
There was a problem hiding this comment.
Is the term "hardware address discrimination" used anywhere else in existing projects (mostly interesting - in clang)?
If yes, could you please refer me to such term usage cases?
If no, I would prefer to avoid introducing new terms here and try to stick with well-established wording. Actually, this "hardware" framing might be a bit misleading here (one might think it might be related to physical <-> virtual address mapping? while totally unrelated)
| } | ||
| pub fn from_raw(raw: &[(PointerAuthOption, bool)], target: &Target) -> Option<Self> { | ||
| if target.cfg_abi != CfgAbi::Pauthtest { | ||
| return None; |
There was a problem hiding this comment.
Would it be feasible to support this for target with non-pauthtest CfgAbi (like how it's done in clang)?
If it's too challenging and you think that it's not worth including in this PR - could we at least emit some sort of error and not just silently ignore the flag values passed by user?
| //@[DISABLE_VT_PTR_TYPE] needs-llvm-components: aarch64 | ||
| //@[DISABLE_VT_PTR_TYPE] compile-flags: --target=aarch64-unknown-linux-pauthtest -Zpointer-authentication=-vt-ptr-type-discrimination | ||
| //@[NONE] needs-llvm-components: aarch64 | ||
| //@[NONE] compile-flags: --target=aarch64-unknown-linux-pauthtest -Zpointer-authentication=-aarch64-jump-table-hardening,-auth-traps,-calls,-indirect-gotos,-return-addresses,-init-fini,-init-fini-address-discrimination,-intrinsics,-typeinfo-vt-ptr-discrimination,-vt-ptr-addr-discrimination,-vt-ptr-type-discrimination |
There was a problem hiding this comment.
For -init-fini (signing disabled), is it somehow tested?
| cfg.function_pointers = None; | ||
| } | ||
| } | ||
| PointerAuthOption::FunctionPointerTypeDiscrimination => { |
There was a problem hiding this comment.
While function pointer type discrimination support is not yet implemented and it's not in the "default" pauthtest configuration - can we safely emit an error on that to make things explicit?
I'm just not sure if there are any use cases which would benefit from silently setting this option while it's not affecting anything (compared to emitting a compile error - since silent ignore would just result in runtime error with any kind of C interop involved)
But if such cases exist - please let me know, I might be missing smth.
6 participants
This patch brings:
-Zpointer-authentication, with possible values:aarch64-jump-table-hardening,auth-traps,calls,elf-got,function-pointer-type-discrimination,indirect-gotos,init-fini,init-fini-address-discrimination,return-addresses. Toggled with+/-.pointer_auth_config: Option<PointerAuthConfig>PointerAuthSchema. This allowed for retiring ofPacMetadata.relying on the target (
pauthtest) use the session