Pointer authentication config and user facing options#156712
Conversation
This comment has been minimized.
This comment has been minimized.
77fe412 to
b0a7e47
Compare
This comment has been minimized.
This comment has been minimized.
b0a7e47 to
4e8d9e3
Compare
This comment has been minimized.
This comment has been minimized.
4e8d9e3 to
418f447
Compare
This comment has been minimized.
This comment has been minimized.
418f447 to
6af45da
Compare
|
@davidtwco, @folkertdev, @tgross35, @madsmtm FWI this is a follow up to #155722 and #156548 |
|
This PR modifies If appropriate, please update Some changes occurred in src/tools/compiletest cc @jieyouxu The GCC codegen subtree was changed
Some changes occurred in src/doc/rustc/src/platform-support cc @Noratrieb This PR modifies cc @jieyouxu These commits modify compiler targets. |
|
r? @mejrs rustbot has assigned @mejrs. Use Why was this reviewer chosen?The reviewer was selected based on:
|
This comment has been minimized.
This comment has been minimized.
82f7a40 to
1c7ac6d
Compare
This comment has been minimized.
This comment has been minimized.
|
Hi, I am not qualified to review this. r? madsmtm or reroll maybe |
94235aa to
565f58e
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
565f58e to
8685c8b
Compare
This comment has been minimized.
This comment has been minimized.
8685c8b to
638efe3
Compare
|
This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers. |
|
Hi all (@davidtwco, @folkertdev, @tgross35, @madsmtm, @bjorn3), The PR introducing the pauthtest target has been merged into main. I'd be very grateful if we could move this one forward as well. Thank you! |
| layout: abi::Scalar, | ||
| llty: Self::Type, | ||
| pac: Option<PacMetadata>, | ||
| schema: Option<&PointerAuthSchema>, |
There was a problem hiding this comment.
Don't know if it got lost or I commented this on another PR, but it should be possible for both the builder and the codegen context to get this info from the session they store.
There was a problem hiding this comment.
While you are right that PointerAuthSchema can be accessed through the session from both places, it is unfortunately a bit more complicated than that.
The key point is that the only place the schema is actually used is in maybe_sign_fn_ptr. That function effectively “consumes” the schema, and it is only a helper for get_fn_addr.
However, at the point where we obtain the function address, we have already lost the contextual information about which signing schema should be used. Note that (for now) there are two schemas defined in the session:
As a result, it is up to the callers of get_fn_addr to provide the correct schema. The complication is that the information about whether a value will be emitted into init/fini arrays is only known at const_alloc_to_llvm time, which then calls into the scalar-to-backend routine (whose signature had to be also extended).
As a side note, the current implementation is a simplification. We deliberately assume only two schema choices: init/fini or default function pointer. Both are provided as a constant snapshot in the session. In reality, it should be possible for the schema to change throughout the compilation pipeline, which means we will likely need to move away from relying on the session as the source of truth. This is reflected in my WIP PR that you commented on.
| "whether to use the PLT when calling into shared libraries; | ||
| only has effect for PIC code on systems with ELF binaries | ||
| (default: PLT is disabled if full relro is enabled on x86_64)"), | ||
| pointer_authentication: Vec<(PointerAuthOption, bool)> = (Vec::new(), parse_pointer_authentication_list_with_polarity, [TRACKED], |
There was a problem hiding this comment.
Should this be a target modifier?
There was a problem hiding this comment.
I wasn't aware of target_modifiers before, but after reading the docs, I'd say yes. I don't think it makes that much of a difference just now, as the mismatches will always be cough by lld. You'd get something along the lines of:
= note: ld.lld: error: incompatible values of AArch64 PAuth core info found
platform:
>>> /opt/llvm-pauth/lib/clang/23/lib/aarch64-unknown-linux-pauthtest/clang_rt.crtbegin.o: 0x0000000010000002
>>> /home/jakub/Work/AccessSoftek/rust/build/aarch64-unknown-linux-gnu/test/ui/target_modifiers/incompatible_pauth/auxiliary/pauth.pauth.13435d650a747a4e-cgu.0.rcgu.o: 0x0000000010000002
version:
>>> /opt/llvm-pauth/lib/clang/23/lib/aarch64-unknown-linux-pauthtest/clang_rt.crtbegin.o: 0x00000000000006ff
>>> /home/jakub/Work/AccessSoftek/rust/build/aarch64-unknown-linux-gnu/test/ui/target_modifiers/incompatible_pauth/auxiliary/pauth.pauth.13435d650a747a4e-cgu.0.rcgu.o: 0x000000000000063f
clang: error: linker command failed with exit code 1 (use -v to see invocation)
However, having it explicit, at Rust level, before it hits the linker sounds like a clear win.
Pretty cool feature that.
I've added it in: 1c82b8f
| self.pointer_auth_config.is_some() | ||
| } | ||
|
|
||
| pub fn pointer_authentication_functions(&self) -> bool { |
There was a problem hiding this comment.
Maybe return the Option<_> here and use is_some() at the callers that need it, then you can use this in a bunch more places where the value is used too, like in the ssa/mir/* changes.
| pub enum PointerAuthOption { | ||
| Calls, | ||
| ReturnAddresses, | ||
| Aarch64JumpTableHardening, |
There was a problem hiding this comment.
You can wrap this in // tidy-alphabetical-start and // tidy-alphabetical-end` comments if you want the ordering to stay enforced
| "vt-ptr-addr-discrimination" => Some(Self::VTPtrAddrDisc), | ||
| "vt-ptr-type-discrimination" => Some(Self::VTPtrTypeDisc), | ||
| _ => None, | ||
| } |
There was a problem hiding this comment.
I think the options make sense as currently proposed - I don't know that we'd want so many different options like Clang does, and if we don't want that then Clang's names aren't great.
| "whether to use the PLT when calling into shared libraries; | ||
| only has effect for PIC code on systems with ELF binaries | ||
| (default: PLT is disabled if full relro is enabled on x86_64)"), | ||
| pointer_authentication: Vec<(PointerAuthOption, bool)> = (Vec::new(), parse_pointer_authentication_list_with_polarity, [TRACKED], |
There was a problem hiding this comment.
Agreed that question should be part of a tracking issue.
|
Reminder, once the PR becomes ready for a review, use |
This patch brings: * unified handling of pointer authentication options through: `-Zpointer-authentication`, with possible values: `aarch64-jump-table-hardening`, `auth-traps`, `calls`, `elf-got`, `function-pointer-type-discrimination`, `indirect-gotos`, `init-fini`, `init-fini-address-discrimination`, `return-addresses`. Toggled with `+`/`-`. * centralized handling of pointer authentication features. Session holds `pointer_auth_config: Option<PointerAuthConfig>` * encapsulation of schema for function pointers and init/fini through `PointerAuthSchema`. This allowed for retiring of `PacMetadata`. * refactor enabling of pointer authentication in code, instead of relying on the target (`pauthtest`) use the session
- warning on unsupported test - error on type discrimination - removal of PointerAuthKind
638efe3 to
2556382
Compare
|
@rustbot ready |
Also improve the API design of pointer_authentication_functions, by making it return Option<&PointerAuthSchema>, rather than bool.
2556382 to
1c82b8f
Compare
View all comments
This patch brings:
-Zpointer-authentication, with possible values:aarch64-jump-table-hardening,auth-traps,calls,elf-got,function-pointer-type-discrimination,indirect-gotos,init-fini,init-fini-address-discrimination,return-addresses. Toggled with+/-.pointer_auth_config: Option<PointerAuthConfig>PointerAuthSchema. This allowed for retiring ofPacMetadata.relying on the target (
pauthtest) use the session