diff options
| author | Evgeniy Stepanov <eugeni.stepanov@gmail.com> | 2015-12-15 23:00:20 +0000 |
|---|---|---|
| committer | Evgeniy Stepanov <eugeni.stepanov@gmail.com> | 2015-12-15 23:00:20 +0000 |
| commit | 3a8ad7e2f6acb0e823154d76a203b828d32e9aa7 (patch) | |
| tree | a776a11e6918adc4741b81ecd804378ef30a4e47 /docs/ControlFlowIntegrity.rst | |
| parent | 86fda4a2ffb1b93ea97556a504cdd41063aaced2 (diff) | |
Cross-DSO control flow integrity (Clang part).
Clang-side cross-DSO CFI.
* Adds a command line flag -f[no-]sanitize-cfi-cross-dso.
* Links a runtime library when enabled.
* Emits __cfi_slowpath calls is bitset test fails.
* Emits extra hash-based bitsets for external CFI checks.
* Sets a module flag to enable __cfi_check generation during LTO.
This mode does not yet support diagnostics.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@255694 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'docs/ControlFlowIntegrity.rst')
| -rw-r--r-- | docs/ControlFlowIntegrity.rst | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/docs/ControlFlowIntegrity.rst b/docs/ControlFlowIntegrity.rst index 3c76f0065e..780ff882d0 100644 --- a/docs/ControlFlowIntegrity.rst +++ b/docs/ControlFlowIntegrity.rst @@ -24,10 +24,14 @@ You can also enable a subset of available :ref:`schemes <cfi-schemes>`. As currently implemented, all schemes rely on link-time optimization (LTO); so it is required to specify ``-flto``, and the linker used must support LTO, for example via the `gold plugin`_. -To allow the checks to be implemented efficiently, the program must -be structured such that certain object files are compiled with CFI enabled, -and are statically linked into the program. This may preclude the use of -shared libraries in some cases. + +To allow the checks to be implemented efficiently, the program must be +structured such that certain object files are compiled with CFI +enabled, and are statically linked into the program. This may preclude +the use of shared libraries in some cases. Experimental support for +:ref:`cross-DSO control flow integrity <cfi-cross-dso>` exists that +does not have these requirements. This cross-DSO support has unstable +ABI at this time. .. _gold plugin: http://llvm.org/docs/GoldPlugin.html @@ -245,6 +249,16 @@ are typically defined outside of the linked program. # Ignore all types with a uuid attribute. type:attr:uuid +.. _cfi-cross-dso: + +Shared library support +====================== + +Use **-f[no-]sanitize-cfi-cross-dso** to enable the cross-DSO control +flow integrity mode, which allows all CFI schemes listed above to +apply across DSO boundaries. As in the regular CFI, each DSO must be +built with ``-flto``. + Design ====== |