Commit 91e42257 authored by Jim Harris's avatar Jim Harris

configure: add --enable-cet to build with CET support



Intel Control-flow Enforcement Technology (CET) is a
processor feature that blocks return/jump-oriented
programming (ROP) attacks.

It is currently only supported on Tiger Lake client
processors, but will be available on other processors
in the future.

CET requires toolchain support.  gcc8 does support it.
For now, this will be opt-in only, at least until the
technology is available on server processors.

Signed-off-by: default avatarJim Harris <james.r.harris@intel.com>
Change-Id: I8c7f882eeeaed26484c31dc0d67d5cc42baeaa2d

Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/5921


Community-CI: Broadcom CI
Community-CI: Mellanox Build Bot
Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarTomasz Zawadzki <tomasz.zawadzki@intel.com>
Reviewed-by: default avatarShuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
parent 5636dabc
+3 −0
@@ -76,6 +76,9 @@ CONFIG_UNIT_TESTS=y
# Build examples
CONFIG_EXAMPLES=y

# Build with Control-flow Enforcement Technology (CET)
CONFIG_CET=n

# Directory that contains the desired SPDK environment library.
# By default, this is implemented using DPDK.
CONFIG_ENV=
+15 −0
@@ -32,6 +32,7 @@ function usage()
	echo " --enable-lto              Enable link-time optimization"
	echo " --enable-pgo-capture      Enable generation of profile guided optimization data"
	echo " --enable-pgo-use          Use previously captured profile guided optimization data"
	echo " --enable-cet              Enable Intel Control-flow Enforcement Technology (CET)"
	echo " --disable-tests           Disable building of functional tests"
	echo " --disable-unit-tests      Disable building of unit tests"
	echo " --disable-examples        Disable building of examples"
@@ -267,6 +268,12 @@ for i in "$@"; do
		--disable-werror)
			CONFIG[WERROR]=n
			;;
		--enable-cet)
			CONFIG[CET]=y
			;;
		--disable-cet)
			CONFIG[CET]=n
			;;
		--with-dpdk=*)
			check_dir "$i"
			CONFIG[DPDK_DIR]=$(readlink -f ${i#*=})
@@ -810,6 +817,14 @@ if [[ "${CONFIG[FUSE]}" = "y" ]]; then
	fi
fi

if [ "${CONFIG[CET]}" = "y" ]; then
	if ! echo -e 'int main(void) { return 0; }\n' | ${BUILD_CMD[@]} -fcf-protection - 2>/dev/null; then
		echo --enable-cet requires compiler/linker that supports CET.
		echo Please install then re-run this script.
		exit 1
	fi
fi

# We are now ready to generate final configuration. But first do sanity
# check to see if all keys in CONFIG array have its reflection in CONFIG file.
if [ $(egrep -c "^\s*CONFIG_[[:alnum:]_]+=" $rootdir/CONFIG) -ne ${#CONFIG[@]} ]; then
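Review bot: The CET probe in the last hunk sends the compiler's stderr to /dev/null, so any failure of the test compile, whatever its cause, is reported as "requires compiler/linker that supports CET" with nothing left to diagnose it from. It also expands `${BUILD_CMD[@]}` unquoted, which re-splits any element containing whitespace; I would write `if ! echo 'int main(void) { return 0; }' | "${BUILD_CMD[@]}" -fcf-protection -; then` and send the two messages to stderr with `>&2`. A passing probe shows only that the flag is accepted for a trivial C file, not that the final binaries end up marked for CET. In the option-parsing hunk `--disable-cet` is accepted, but the usage() hunk lists only `--enable-cet`; a matching help line would keep the two in step. usage() and the option loop both continue outside the hunks shown.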
+5 −0
@@ -88,6 +88,11 @@ else
DPDK_CFLAGS += -Wno-error
endif

ifeq ($(CONFIG_CET),y)
DPDK_CFLAGS += -fcf-protection
DPDK_LDFLAGS += -fcf-protection
endif

ifdef EXTRA_DPDK_CFLAGS
$(warning EXTRA_DPDK_CFLAGS defined, possibly to work around an unsupported compiler version)
$(shell sleep 1)
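Review bot: Adding `-fcf-protection` to `DPDK_CFLAGS`/`DPDK_LDFLAGS` here, and to `COMMON_CFLAGS`/`LDFLAGS` in the following file section, only marks objects that this compiler builds from C; the linker keeps the IBT/SHSTK property on an output only when every input object carries it, and by default drops it without a diagnostic. If either build links hand-written assembly or prebuilt objects (not visible in these hunks), an `--enable-cet` build can silently produce binaries that are not CET-marked. I would add `LDFLAGS += -Wl,-z,cet-report=error` inside the `ifeq ($(CONFIG_CET),y)` block where the linker supports it, so an unmarked input fails the build instead of weakening it. A comment above the block could also tell the reader to confirm the result with `readelf -n` and look for `x86 feature: IBT, SHSTK` in the output.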
+5 −0
@@ -107,6 +107,11 @@ COMMON_CFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
LDFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
endif

ifeq ($(CONFIG_CET),y)
COMMON_CFLAGS += -fcf-protection
LDFLAGS += -fcf-protection
endif

COMMON_CFLAGS += -Wformat -Wformat-security

COMMON_CFLAGS += -D_GNU_SOURCE