
[Qemu-devel] [PATCH 3/7] configure: add CET support


From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH 3/7] configure: add CET support
Date: Wed, 13 Mar 2019 13:40:38 +0100

CET requires each object file to carry a note recording which CET features it
supports.  The linker merges these notes into the set of features supported by
every object file.  The compiler creates these notes when the -fcf-protection option
is passed, but we have to blacklist some object files that only support
a subset of the full CET feature set.  The next patches will improve the
situation so that QEMU can be built with full protection.

Signed-off-by: Paolo Bonzini <address@hidden>
---
 configure          | 27 +++++++++++++++++++++++++++
 Makefile.target    |  3 +++
 util/Makefile.objs |  5 +++++
 3 files changed, 35 insertions(+)

diff --git a/configure b/configure
index 42a7e479fd..4470fe8e74 100755
--- a/configure
+++ b/configure
@@ -446,6 +446,7 @@ win_sdk="no"
 want_tools="yes"
 libiscsi=""
 libnfs=""
+cet="no"      # leave it disabled until we can test performance
 coroutine=""
 coroutine_pool=""
 debug_stack_usage="no"
@@ -1246,6 +1247,10 @@ for opt do
   ;;
   --with-pkgversion=*) pkgversion="$optarg"
   ;;
+  --enable-cet) cet="yes"
+  ;;
+  --disable-cet) cet="no"
+  ;;
   --with-coroutine=*) coroutine="$optarg"
   ;;
   --disable-coroutine-pool) coroutine_pool="no"
@@ -1757,6 +1762,7 @@ disabled with --disable-FEATURE, default is enabled if 
available:
   lzfse           support of lzfse compression library
                   (for reading lzfse-compressed dmg images)
   seccomp         seccomp support
+  cet             Control-flow Enforcement Technology
   coroutine-pool  coroutine freelist (better performance)
   glusterfs       GlusterFS backend
   tpm             TPM support
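Review bot: The new `cet` help entry sits in the list whose heading (visible in the hunk header) says "default is enabled if available", but this patch initialises `cet="no"`, so the feature stays off unless `--enable-cet` is passed. Until the default changes, the entry should say so, for example `cet             Control-flow Enforcement Technology (default: disabled)`. The help text block starts and ends outside the hunk.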
@@ -5074,6 +5080,23 @@ if have_backend "dtrace"; then
   fi
 fi
 
+##########################################
+# detect CET support in the toolchain
+
+if test "$cet" != no; then
+  write_c_skeleton;
+  if ! compile_prog "-fcf-protection" "" ; then
+    if test "$cet" = yes; then
+      feature_not_found "cet" 'CET is not supported by your toolchain'
+    fi
+    cet=no
+  fi
+fi
+if test "$cet" = ""; then
+  cet=yes
+  QEMU_CFLAGS="-fcf-protection $QEMU_CFLAGS"
+fi
+
 ##########################################
 # check and set a backend for coroutine
 
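Review bot: The trailing `if test "$cet" = ""` block can never run, because `cet` is initialised to `"no"` and `--enable-cet` sets it to `"yes"`, so `-fcf-protection` is never added to `QEMU_CFLAGS` even when the toolchain probe succeeds. The build then prints `CET support yes` and writes `CONFIG_CET=y` while most objects are compiled without the flag. Since the linker keeps only the features noted in every object, the resulting binary would likely carry no CET marking unless the compiler enables it by default. The second test should key on the state that survives the probe: `if test "$cet" != no; then cet=yes; QEMU_CFLAGS="-fcf-protection $QEMU_CFLAGS"; fi`.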
@@ -6258,6 +6281,7 @@ echo "netmap support    $netmap"
 echo "Linux AIO support $linux_aio"
 echo "ATTR/XATTR support $attr"
 echo "Install blobs     $blobs"
+echo "CET support       $cet"
 echo "KVM support       $kvm"
 echo "HAX support       $hax"
 echo "HVF support       $hvf"
@@ -6468,6 +6492,9 @@ fi
 if test "$profiler" = "yes" ; then
   echo "CONFIG_PROFILER=y" >> $config_host_mak
 fi
+if test "$cet" = "yes" ; then
+  echo "CONFIG_CET=y" >> $config_host_mak
+fi
 if test "$slirp" != "no"; then
   echo "CONFIG_SLIRP=y" >> $config_host_mak
   echo "CONFIG_SMBD_COMMAND=\"$smbd\"" >> $config_host_mak
diff --git a/Makefile.target b/Makefile.target
index d8048aab8f..fa143d7b4b 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -113,6 +113,9 @@ obj-y += exec.o
 obj-y += accel/
 obj-$(CONFIG_TCG) += tcg/tcg.o tcg/tcg-op.o tcg/tcg-op-vec.o tcg/tcg-op-gvec.o
 obj-$(CONFIG_TCG) += tcg/tcg-common.o tcg/optimize.o
+ifeq ($(CONFIG_CET),y)
+tcg/tcg.o-cflags := -fcf-protection=return
+endif
 obj-$(CONFIG_TCG_INTERPRETER) += tcg/tci.o
 obj-$(CONFIG_TCG_INTERPRETER) += disas/tci.o
 obj-$(CONFIG_TCG) += fpu/softfloat.o
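Review bot: The `-fcf-protection=return` override on `tcg/tcg.o` has no comment saying why this object cannot take branch protection, and nothing records what it does to the final binary. Per the commit description the linker keeps only the features present in every object, so a binary linking `tcg/tcg.o` (return only) with the coroutine objects overridden in util/Makefile.objs (branch only) would presumably end up with neither feature marked while configure still prints `CET support yes`. I would add a comment above the `ifeq`, for example `# tcg.o is built without branch protection (reason: TODO); the linked binary only gets the CET features common to all objects`, and a matching comment on the util/Makefile.objs overrides.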
diff --git a/util/Makefile.objs b/util/Makefile.objs
index 0808d86a19..93a8397aae 100644
--- a/util/Makefile.objs
+++ b/util/Makefile.objs
@@ -39,6 +39,11 @@ util-obj-y += qemu-coroutine.o qemu-coroutine-lock.o 
qemu-coroutine-io.o
 util-obj-y += qemu-coroutine-sleep.o
 util-obj-y += coroutine-$(CONFIG_COROUTINE_BACKEND).o
 coroutine-x86.o-cflags := -mno-red-zone
+ifeq ($(CONFIG_CET),y)
+coroutine-sigaltstack.o-cflags := -fcf-protection=branch
+coroutine-ucontext.o-cflags := -fcf-protection=branch
+coroutine-x86.o-cflags += -fcf-protection=branch
+endif
 util-obj-y += buffer.o
 util-obj-y += timed-average.o
 util-obj-y += base64.o
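Review bot: `coroutine-sigaltstack.o-cflags` and `coroutine-ucontext.o-cflags` are assigned with `:=`, while `coroutine-x86.o-cflags` on the next line is extended with `+=`; the `:=` form would silently discard any per-object flag set for those two files elsewhere. Using `+=` for all three keeps the block uniform: `coroutine-sigaltstack.o-cflags += -fcf-protection=branch` and `coroutine-ucontext.o-cflags += -fcf-protection=branch`. Whether these per-object values actually override a global `-fcf-protection` depends on the flag order in the compile rule, which is not visible in this patch and is worth confirming.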
-- 
2.20.1




