[PATCH 3/5] libcpp: Enable Intel CET on Intel CET enabled host for jit
H.J. Lu
hjl.tools@gmail.com
Sat May 9 15:43:06 GMT 2020
On an Intel CET enabled host, dlopen in an Intel CET enabled application
fails on shared libraries which aren't Intel CET enabled.  When jit is
enabled, compile with -fcf-protection on an Intel CET enabled host so
that Intel CET is enabled on libgccjit.
* Makefile.in (CET_HOST_FLAGS): New.
(COMPILER): Add $(CET_HOST_FLAGS).
* configure.ac: Add GCC_CET_HOST_FLAGS(CET_HOST_FLAGS) and
AC_SUBST(CET_HOST_FLAGS). Clear CET_HOST_FLAGS if jit isn't
enabled.
* aclocal.m4: Regenerated.
* configure: Likewise.
---
libcpp/Makefile.in | 6 +-
libcpp/aclocal.m4 | 2 +
libcpp/configure | 153 ++++++++++++++++++++++++++++++++++++++++++++
libcpp/configure.ac | 11 ++++
4 files changed, 170 insertions(+), 2 deletions(-)
diff --git a/libcpp/Makefile.in b/libcpp/Makefile.in
index 3d9ca0baaf6..ebbca07f542 100644
--- a/libcpp/Makefile.in
+++ b/libcpp/Makefile.in
@@ -58,6 +58,7 @@ CXXDEPMODE = @CXXDEPMODE@
DEPDIR = @DEPDIR@
NOEXCEPTION_FLAGS = @noexception_flags@
PICFLAG = @PICFLAG@
+CET_HOST_FLAGS = @CET_HOST_FLAGS@
datarootdir = @datarootdir@
datadir = @datadir@
@@ -73,9 +74,10 @@ depcomp = $(SHELL) $(srcdir)/../depcomp
INCLUDES = -I$(srcdir) -I. -I$(srcdir)/../include @INCINTL@ \
-I$(srcdir)/include
-ALL_CFLAGS = $(CFLAGS) $(WARN_CFLAGS) $(INCLUDES) $(CPPFLAGS) $(PICFLAG)
+ALL_CFLAGS = $(CFLAGS) $(WARN_CFLAGS) $(INCLUDES) $(CPPFLAGS) $(PICFLAG) \
+ $(CET_HOST_FLAGS)
ALL_CXXFLAGS = $(CXXFLAGS) $(WARN_CXXFLAGS) $(NOEXCEPTION_FLAGS) $(INCLUDES) \
- $(CPPFLAGS) $(PICFLAG)
+ $(CPPFLAGS) $(PICFLAG) $(CET_HOST_FLAGS)
# The name of the compiler to use.
COMPILER = $(CXX)
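Review bot: The ChangeLog entry for this file reads `(COMPILER): Add $(CET_HOST_FLAGS).`, but in this hunk `COMPILER = $(CXX)` is unchanged context and the flag is appended to `ALL_CFLAGS` and `ALL_CXXFLAGS`. The entry should name the variables actually edited, `(ALL_CFLAGS, ALL_CXXFLAGS): Add $(CET_HOST_FLAGS).`, so that someone tracing where `-fcf-protection` enters the libcpp build finds the right lines. A one-line comment above `CET_HOST_FLAGS = @CET_HOST_FLAGS@` in the first Makefile.in hunk, such as `# -fcf-protection when Intel CET is enabled and jit is built, else empty.`, would also record that the variable may legitimately be empty.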
diff --git a/libcpp/aclocal.m4 b/libcpp/aclocal.m4
index 46bb65a228d..70c3eff750b 100644
--- a/libcpp/aclocal.m4
+++ b/libcpp/aclocal.m4
@@ -13,8 +13,10 @@
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
m4_include([../config/acx.m4])
+m4_include([../config/cet.m4])
m4_include([../config/codeset.m4])
m4_include([../config/depstand.m4])
+m4_include([../config/enable.m4])
m4_include([../config/gettext-sister.m4])
m4_include([../config/iconv.m4])
m4_include([../config/lead-dot.m4])
diff --git a/libcpp/configure b/libcpp/configure
index 11da199083b..64bbf545791 100755
--- a/libcpp/configure
+++ b/libcpp/configure
@@ -623,6 +623,7 @@ ac_includes_default="\
#endif"
ac_subst_vars='LTLIBOBJS
+CET_HOST_FLAGS
PICFLAG
MAINT
USED_CATALOGS
@@ -735,6 +736,7 @@ enable_maintainer_mode
enable_checking
enable_canonical_system_headers
enable_host_shared
+enable_cet
enable_valgrind_annotations
'
ac_precious_vars='build_alias
@@ -1375,6 +1377,7 @@ Optional Features:
--enable-canonical-system-headers
enable or disable system headers canonicalization
--enable-host-shared build host code as shared libraries
+ --enable-cet enable Intel CET in host libraries [default=auto]
--enable-valgrind-annotations
enable valgrind runtime interaction
@@ -7443,6 +7446,156 @@ fi
+# Enable Intel CET on Intel CET enabled host if jit is enabled.
+ # Check whether --enable-cet was given.
+if test "${enable_cet+set}" = set; then :
+ enableval=$enable_cet;
+ case "$enableval" in
+ yes|no|auto) ;;
+ *) as_fn_error $? "Unknown argument to enable/disable cet" "$LINENO" 5 ;;
+ esac
+
+else
+ enable_cet=auto
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CET support" >&5
+$as_echo_n "checking for CET support... " >&6; }
+
+case "$host" in
+ i[34567]86-*-linux* | x86_64-*-linux*)
+ may_have_cet=yes
+ save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fcf-protection"
+ case "$enable_cet" in
+ auto)
+ # Check if target supports multi-byte NOPs
+ # and if assembler supports CET insn.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+#if !defined(__SSE2__)
+#error target does not support multi-byte NOPs
+#else
+asm ("setssbsy");
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ enable_cet=yes
+else
+ enable_cet=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ;;
+ yes)
+ # Check if assembler supports CET.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+asm ("setssbsy");
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+ as_fn_error $? "assembler with CET support is required for --enable-cet" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ;;
+ esac
+ CFLAGS="$save_CFLAGS"
+ ;;
+ *)
+ may_have_cet=no
+ enable_cet=no
+ ;;
+esac
+
+if test x$may_have_cet = xyes; then
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -Wl,-z,ibt,-z,shstk"
+ if test "$cross_compiling" = yes; then :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run test program while cross compiling
+See \`config.log' for more details" "$LINENO" 5; }
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+static void
+foo (void)
+{
+}
+
+static void
+__attribute__ ((noinline, noclone))
+xxx (void (*f) (void))
+{
+ f ();
+}
+
+static void
+__attribute__ ((noinline, noclone))
+bar (void)
+{
+ xxx (foo);
+}
+
+int
+main ()
+{
+ bar ();
+ return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ have_cet=no
+else
+ have_cet=yes
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ LDFLAGS="$save_LDFLAGS"
+ if test x$enable_cet = xno -a x$have_cet = xyes; then
+ as_fn_error $? "Intel CET must be enabled on Intel CET enabled host" "$LINENO" 5
+ fi
+fi
+if test x$enable_cet = xyes; then
+ CET_HOST_FLAGS="-fcf-protection"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+case x$enable_languages in
+*jit*)
+ ;;
+*)
+ CET_HOST_FLAGS=
+ ;;
+esac
+
+
# Check whether --enable-valgrind-annotations was given.
if test "${enable_valgrind_annotations+set}" = set; then :
enableval=$enable_valgrind_annotations;
diff --git a/libcpp/configure.ac b/libcpp/configure.ac
index 1779562a3a7..540efeb4629 100644
--- a/libcpp/configure.ac
+++ b/libcpp/configure.ac
@@ -206,6 +206,17 @@ AC_ARG_ENABLE(host-shared,
[PICFLAG=-fPIC], [PICFLAG=])
AC_SUBST(PICFLAG)
+# Enable Intel CET on Intel CET enabled host if jit is enabled.
+GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
+case x$enable_languages in
+*jit*)
+ ;;
+*)
+ CET_HOST_FLAGS=
+ ;;
+esac
+AC_SUBST(CET_HOST_FLAGS)
+
AC_ARG_ENABLE(valgrind-annotations,
[AS_HELP_STRING([--enable-valgrind-annotations],
[enable valgrind runtime interaction])], [],
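Review bot: `GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)` is expanded before the `case x$enable_languages` test, so its checks run and can abort configure even when jit is not enabled and the result is thrown away. The regenerated libcpp/configure in this patch shows the effect: on an x86 Linux host it calls `as_fn_error` with "cannot run test program while cross compiling" when `$cross_compiling` is yes, and it prints `checking for CET support... yes` in builds where `CET_HOST_FLAGS=` is cleared right afterwards, so the log overstates the hardening actually applied. Consider moving the macro call into the `*jit*)` arm, or giving the run test a cross-compilation fallback in the macro definition (presumably config/cet.m4, which is outside this patch), and reporting the effective value after the case. With an explicit `--enable-cet=yes` and no jit the flag is dropped silently; a comment such as `# --enable-cet only takes effect for libcpp when jit is enabled.` would record that this is intended.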
--
2.26.2