[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging] x86: Use control flow typechecking where possible

commit 5d59421815d57f437fccea6ac516c2d23a35bbdb
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Nov 11 13:09:19 2021 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Wed Feb 23 15:33:43 2022 +0000

    x86: Use control flow typechecking where possible
    
    Now all indirect branch targets have been annotated, turn on typechecking to
    catch issues in the future.
    
    This extension isn't in a released version of GCC yet, so provide a 
container
    to use with the extension included, and add it to CI.  RANDCONFIG is 
necessary
    because some stubs for compiled-out subsystems are used as function pointer
    targets.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 automation/build/debian/buster-gcc-ibt.dockerfile | 66 +++++++++++++++++++++++
 automation/gitlab-ci/build.yaml                   |  6 +++
 automation/scripts/containerize                   |  1 +
 xen/arch/x86/arch.mk                              |  1 +
 4 files changed, 74 insertions(+)

diff --git a/automation/build/debian/buster-gcc-ibt.dockerfile 
b/automation/build/debian/buster-gcc-ibt.dockerfile
new file mode 100644
index 0000000000..441d9a9ab3
--- /dev/null
+++ b/automation/build/debian/buster-gcc-ibt.dockerfile
@@ -0,0 +1,66 @@
+FROM debian:buster-slim AS builder
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV USER root
+
+RUN apt-get update && \
+    apt-get --quiet --yes install \
+        bison \
+        build-essential \
+        flex \
+        libc6-dev-i386 \
+        libgmp-dev \
+        libisl-dev \
+        libmpc-dev \
+        libmpfr-dev \
+        patch \
+        wget
+
+RUN mkdir /build
+WORKDIR /build
+
+RUN wget -q https://ftp.gnu.org/gnu/gcc/gcc-11.2.0/gcc-11.2.0.tar.xz -O - | 
tar xJ --strip=1
+RUN wget -q 
https://xenbits.xen.org/people/andrewcoop/gcc-11.2-Add-fcf-check-attribute-yes-no.patch
 -O - | patch -p1
+RUN ./configure \
+        --prefix=/opt/gcc-11-ibt \
+        --enable-languages=c \
+        --disable-nls \
+        --disable-threads \
+        --disable-bootstrap \
+        --disable-shared \
+        --disable-libmudflap \
+        --disable-libssp \
+        --disable-libgomp \
+        --disable-decimal-float \
+        --disable-libquadmath \
+        --disable-libatomic \
+        --disable-libcc1 \
+        --disable-libmpx
+RUN make -j`nproc` && make -j`nproc` install
+
+
+FROM debian:buster-slim
+COPY --from=builder /opt/gcc-11-ibt /opt/gcc-11-ibt
+
+LABEL maintainer.name="The Xen Project" \
+      maintainer.email="xen-devel@xxxxxxxxxxxxxxxxxxxx"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV USER root
+ENV PATH="/opt/gcc-11-ibt/bin:${PATH}"
+
+RUN mkdir /build
+WORKDIR /build
+
+RUN apt-get update && \
+    apt-get --quiet --yes install \
+        bison \
+        checkpolicy \
+        flex \
+        gawk \
+        make \
+        python3 \
+        && \
+        apt-get autoremove -y && \
+        apt-get clean && \
+        rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
index fdd5c76582..cc36428cf5 100644
--- a/automation/gitlab-ci/build.yaml
+++ b/automation/gitlab-ci/build.yaml
@@ -294,6 +294,12 @@ debian-stretch-32-gcc-debug:
   variables:
     CONTAINER: debian:stretch-i386
 
+debian-buster-gcc-ibt:
+  extends: .gcc-x86-64-build
+  variables:
+    CONTAINER: debian:buster-gcc-ibt
+    RANDCONFIG: y
+
 debian-unstable-clang:
   extends: .clang-x86-64-build
   variables:
diff --git a/automation/scripts/containerize b/automation/scripts/containerize
index 7682ccd347..8992c67278 100755
--- a/automation/scripts/containerize
+++ b/automation/scripts/containerize
@@ -33,6 +33,7 @@ case "_${CONTAINER}" in
     _focal) CONTAINER="${BASE}/ubuntu:focal" ;;
     _jessie) CONTAINER="${BASE}/debian:jessie" ;;
     _stretch|_) CONTAINER="${BASE}/debian:stretch" ;;
+    _buster-gcc-ibt) CONTAINER="${BASE}/debian:buster-gcc-ibt" ;;
     _unstable|_) CONTAINER="${BASE}/debian:unstable" ;;
     _trusty) CONTAINER="${BASE}/ubuntu:trusty" ;;
     _xenial) CONTAINER="${BASE}/ubuntu:xenial" ;;
diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index f780c912a9..92fd198110 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -54,6 +54,7 @@ endif
 
 ifdef CONFIG_XEN_IBT
 CFLAGS += -fcf-protection=branch -mmanual-endbr
+$(call cc-option-add,CFLAGS,CC,-fcf-check-attribute=no)
 else
 $(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
 endif
--
generated by git-patchbot for /home/xen/git/xen.git#staging

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.