Rollup merge of #73404 - ajpaverd:cfguard_syntax, r=Mark-Simulacrum

Update CFGuard syntax

Update the naming and syntax of the control-flow-guard option, as discussed in #68793.

r? @Mark-Simulacrum
Ralf Jung 2020-06-20 16:39:53 +02:00 committed by GitHub
commit 91bd3337e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 33 additions and 20 deletions


@ -1206,7 +1206,7 @@ pub fn cargo(
); );
} }
// If Control Flow Guard is enabled, pass the `control_flow_guard=checks` flag to rustc // If Control Flow Guard is enabled, pass the `control-flow-guard` flag to rustc
// when compiling the standard library, since this might be linked into the final outputs // when compiling the standard library, since this might be linked into the final outputs
// produced by rustc. Since this mitigation is only available on Windows, only enable it // produced by rustc. Since this mitigation is only available on Windows, only enable it
// for the standard library in case the compiler is run on a non-Windows platform. // for the standard library in case the compiler is run on a non-Windows platform.
@ -1217,7 +1217,7 @@ pub fn cargo(
&& self.config.control_flow_guard && self.config.control_flow_guard
&& compiler.stage >= 1 && compiler.stage >= 1
{ {
rustflags.arg("-Zcontrol_flow_guard=checks"); rustflags.arg("-Zcontrol-flow-guard");
} }
// For `cargo doc` invocations, make rustdoc print the Rust version into the docs // For `cargo doc` invocations, make rustdoc print the Rust version into the docs
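Review bot: The comment above `rustflags.arg("-Zcontrol-flow-guard");` no longer says which CFG mode the standard library is built with, now that the `=checks` value has been dropped from both the comment and the argument. Going by the parser change elsewhere in this commit, a bare flag selects `CFGuard::Checks`, so I would say so in the comment, for example `// The bare flag means control-flow-guard=checks: metadata plus runtime checks.` A later change to the bare-flag default would then be noticed here instead of silently building std in a weaker mode. The enclosing `cargo` function starts and ends outside these hunks.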


@ -1,10 +1,10 @@
# `control_flow_guard` # `control-flow-guard`
The tracking issue for this feature is: [#68793](https://github.com/rust-lang/rust/issues/68793). The tracking issue for this feature is: [#68793](https://github.com/rust-lang/rust/issues/68793).
------------------------ ------------------------
The rustc flag `-Z control_flow_guard=checks` enables the Windows [Control Flow Guard](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard) (CFG) platform security feature. The rustc flag `-Z control-flow-guard` enables the Windows [Control Flow Guard](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard) (CFG) platform security feature.
CFG is an exploit mitigation designed to enforce control-flow integrity for software running on supported Windows platforms (Windows 8.1 onwards). Specifically, CFG uses runtime checks to validate the target address of every indirect call/jump before allowing the call to complete. CFG is an exploit mitigation designed to enforce control-flow integrity for software running on supported Windows platforms (Windows 8.1 onwards). Specifically, CFG uses runtime checks to validate the target address of every indirect call/jump before allowing the call to complete.
@ -29,7 +29,7 @@ The CFG checks and metadata can potentially increase binary size and runtime ove
## Testing Control Flow Guard ## Testing Control Flow Guard
The rustc flag `-Z control_flow_guard=nochecks` instructs LLVM to emit the list of valid call targets without inserting runtime checks. This flag should only be used for testing purposes as it does not provide security enforcement. The rustc flag `-Z control-flow-guard=nochecks` instructs LLVM to emit the list of valid call targets without inserting runtime checks. This flag should only be used for testing purposes as it does not provide security enforcement.
## Control Flow Guard in libraries ## Control Flow Guard in libraries
@ -44,14 +44,14 @@ For example:
```cmd ```cmd
rustup toolchain install --force nightly rustup toolchain install --force nightly
rustup component add rust-src rustup component add rust-src
SET RUSTFLAGS=-Z control_flow_guard=checks SET RUSTFLAGS=-Z control-flow-guard
cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc
``` ```
```PowerShell ```PowerShell
rustup toolchain install --force nightly rustup toolchain install --force nightly
rustup component add rust-src rustup component add rust-src
$Env:RUSTFLAGS = "-Z control_flow_guard=checks" $Env:RUSTFLAGS = "-Z control-flow-guard"
cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc cargo +nightly build -Z build-std --target x86_64-pc-windows-msvc
``` ```


@ -465,7 +465,6 @@ macro_rules! untracked {
untracked!(ast_json_noexpand, true); untracked!(ast_json_noexpand, true);
untracked!(borrowck, String::from("other")); untracked!(borrowck, String::from("other"));
untracked!(borrowck_stats, true); untracked!(borrowck_stats, true);
untracked!(control_flow_guard, CFGuard::Checks);
untracked!(deduplicate_diagnostics, true); untracked!(deduplicate_diagnostics, true);
untracked!(dep_tasks, true); untracked!(dep_tasks, true);
untracked!(dont_buffer_diagnostics, true); untracked!(dont_buffer_diagnostics, true);
@ -539,6 +538,7 @@ macro_rules! tracked {
tracked!(binary_dep_depinfo, true); tracked!(binary_dep_depinfo, true);
tracked!(chalk, true); tracked!(chalk, true);
tracked!(codegen_backend, Some("abc".to_string())); tracked!(codegen_backend, Some("abc".to_string()));
tracked!(control_flow_guard, CFGuard::Checks);
tracked!(crate_attr, vec!["abc".to_string()]); tracked!(crate_attr, vec!["abc".to_string()]);
tracked!(debug_macros, true); tracked!(debug_macros, true);
tracked!(dep_info_omit_d_target, true); tracked!(dep_info_omit_d_target, true);


@ -103,7 +103,7 @@ pub enum Strip {
Symbols, Symbols,
} }
/// The different settings that the `-Z control_flow_guard` flag can have. /// The different settings that the `-Z control-flow-guard` flag can have.
#[derive(Clone, Copy, PartialEq, Hash, Debug)] #[derive(Clone, Copy, PartialEq, Hash, Debug)]
pub enum CFGuard { pub enum CFGuard {
/// Do not emit Control Flow Guard metadata or checks. /// Do not emit Control Flow Guard metadata or checks.


@ -250,7 +250,8 @@ mod $mod_desc {
pub const parse_relro_level: &str = "one of: `full`, `partial`, or `off`"; pub const parse_relro_level: &str = "one of: `full`, `partial`, or `off`";
pub const parse_sanitizers: &str = "comma separated list of sanitizers: `address`, `leak`, `memory` or `thread`"; pub const parse_sanitizers: &str = "comma separated list of sanitizers: `address`, `leak`, `memory` or `thread`";
pub const parse_sanitizer_memory_track_origins: &str = "0, 1, or 2"; pub const parse_sanitizer_memory_track_origins: &str = "0, 1, or 2";
pub const parse_cfguard: &str = "either `disabled`, `nochecks`, or `checks`"; pub const parse_cfguard: &str =
"either a boolean (`yes`, `no`, `on`, `off`, etc), `checks`, or `nochecks`";
pub const parse_strip: &str = "either `none`, `debuginfo`, or `symbols`"; pub const parse_strip: &str = "either `none`, `debuginfo`, or `symbols`";
pub const parse_linker_flavor: &str = ::rustc_target::spec::LinkerFlavor::one_of(); pub const parse_linker_flavor: &str = ::rustc_target::spec::LinkerFlavor::one_of();
pub const parse_optimization_fuel: &str = "crate=integer"; pub const parse_optimization_fuel: &str = "crate=integer";
@ -495,12 +496,24 @@ fn parse_strip(slot: &mut Strip, v: Option<&str>) -> bool {
} }
fn parse_cfguard(slot: &mut CFGuard, v: Option<&str>) -> bool { fn parse_cfguard(slot: &mut CFGuard, v: Option<&str>) -> bool {
match v { if v.is_some() {
Some("disabled") => *slot = CFGuard::Disabled, let mut bool_arg = None;
Some("nochecks") => *slot = CFGuard::NoChecks, if parse_opt_bool(&mut bool_arg, v) {
Some("checks") => *slot = CFGuard::Checks, *slot = if bool_arg.unwrap() {
_ => return false, CFGuard::Checks
} else {
CFGuard::Disabled
};
return true
} }
}
*slot = match v {
None => CFGuard::Checks,
Some("checks") => CFGuard::Checks,
Some("nochecks") => CFGuard::NoChecks,
Some(_) => return false,
};
true true
} }
@ -796,8 +809,8 @@ fn parse_target_feature(slot: &mut String, v: Option<&str>) -> bool {
"enable the experimental Chalk-based trait solving engine"), "enable the experimental Chalk-based trait solving engine"),
codegen_backend: Option<String> = (None, parse_opt_string, [TRACKED], codegen_backend: Option<String> = (None, parse_opt_string, [TRACKED],
"the backend to use"), "the backend to use"),
control_flow_guard: CFGuard = (CFGuard::Disabled, parse_cfguard, [UNTRACKED], control_flow_guard: CFGuard = (CFGuard::Disabled, parse_cfguard, [TRACKED],
"use Windows Control Flow Guard (`disabled`, `nochecks` or `checks`)"), "use Windows Control Flow Guard (default: no)"),
crate_attr: Vec<String> = (Vec::new(), parse_string_push, [TRACKED], crate_attr: Vec<String> = (Vec::new(), parse_string_push, [TRACKED],
"inject the given attribute in the crate"), "inject the given attribute in the crate"),
debug_macros: bool = (false, parse_bool, [TRACKED], debug_macros: bool = (false, parse_bool, [TRACKED],
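Review bot: In the new `parse_cfguard`, `bool_arg.unwrap()` depends on `parse_opt_bool` always filling its slot when it returns true, a contract that is not visible in this file section. If that helper ever changed, a malformed `-Z control-flow-guard` value would become a compiler panic rather than a rejected option. The function also inspects `v` twice (`if v.is_some()` and then `match v`), and `return true` lacks the trailing semicolon rustfmt would add. Matching once on `v` and then on the parsed boolean removes the unwrap and keeps the accepted values the same, assuming `parse_opt_bool` does not itself accept `checks` or `nochecks`.

```rust
fn parse_cfguard(slot: &mut CFGuard, v: Option<&str>) -> bool {
    *slot = match v {
        // A bare `-Z control-flow-guard` enables the mitigation with runtime checks.
        None | Some("checks") => CFGuard::Checks,
        Some("nochecks") => CFGuard::NoChecks,
        Some(_) => {
            let mut bool_arg = None;
            if !parse_opt_bool(&mut bool_arg, v) {
                return false;
            }
            match bool_arg {
                Some(true) => CFGuard::Checks,
                Some(false) => CFGuard::Disabled,
                // Treat an unfilled slot as a parse failure instead of panicking.
                None => return false,
            }
        }
    };
    true
}
```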


@ -1,4 +1,4 @@
// compile-flags: -Z control_flow_guard=checks // compile-flags: -Z control-flow-guard=checks
#![crate_type = "lib"] #![crate_type = "lib"]


@ -1,4 +1,4 @@
// compile-flags: -Z control_flow_guard=disabled // compile-flags: -Z control-flow-guard=no
#![crate_type = "lib"] #![crate_type = "lib"]


@ -1,4 +1,4 @@
// compile-flags: -Z control_flow_guard=nochecks // compile-flags: -Z control-flow-guard=nochecks
#![crate_type = "lib"] #![crate_type = "lib"]