Feature: indirect branch tracking #15122
Open
+50
−23
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds support for indirect branch tracking for X86[_64] (CET) and AArch64 targets through the following compile time flags (taken from gcc/clang/rust):
-Dcf-protection=branch
(or=return
or=full
) for X86-Dbranch-protection=bti
for AArch64These flags are automatically set for OpenBSD, that enforces IBT or BTI on all user land applications. The patch also removes the
-Wl-znobtcfi
linker option since we don't need to disable it anymore.OpenBSD is the only OS I know to support and enforce IBT or BTI in user land. Linux for example only supports it for kernel code (for the time being). I manually tested IBT in an OpenBSD VM on x86_64 with a supported CPU (Intel Raptor Lake). I can compile & recompile crystal as well as run
gmake std_spec
without running into IBT issues 👍Notes:
-Dkey=value
then test forflag?("key=value")
and it just worked 😲aarch64-unknown-openbsd
target; there are little reasons it wouldn't work though;-Dcf-protection=return
). I'm not sure we really support it though, since fibers are messing with the stacks?closes #13665
follow up to #15118 itself a followup of #15115