From Alex's pull request:

* improve cross-build KVM coverage * new --without-default-features configure flag * add __repr__ for ConsoleSocket for debugging * build tcg tests with -Werror * test 32 bit builds with fedora * remove last traces of debian9 * hotfix for centos8 powertools repo * Move lots of feature detection code to meson (Alex, myself) * CFI and LTO support (Daniele) * test-char dangling pointer (Eduardo) * Build system and win32 fixes (Marc-André) * Initialization fixes (myself) * TCG include cleanup (Richard, myself) * x86 'int N' fix (Peter) -----BEGIN PGP SIGNATURE----- iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAl/1gRUUHHBib256aW5p QHJlZGhhdC5jb20ACgkQv/vSX3jHroPTwAf+J/ffnckmzpckB1gwZ5vEnkYNDreq NrYWDpmnOX6mICXC68WsTmyOvoAvn5es/PF36rOEZ3mDHdF7/RGn/5zxKculLTKp uISs0wdApEC5n78iQwIlec6nzgjteg+DIfaLqQ4P4sVuEtFkuAVsv5E3BJGVoHLg sXy8gTEf95KS9r5bZpzP70rAjIbmxcAjbET4fvdELjkGDNCTRKmpEYPj0sE6qaBp 0/VdqVLpLthuEQoDuEWube7Y2LA/ZuY3Gfxq1em+abXqFJBTAXBf2GET6a/BjLU6 N7wO5FEQ0CUG8fst/Zw3Xp1htGPZTYYMtr0dipYEI2np0A7/CITjTWsekg== =rsil -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging From Alex's pull request: * improve cross-build KVM coverage * new --without-default-features configure flag * add __repr__ for ConsoleSocket for debugging * build tcg tests with -Werror * test 32 bit builds with fedora * remove last traces of debian9 * hotfix for centos8 powertools repo * Move lots of feature detection code to meson (Alex, myself) * CFI and LTO support (Daniele) * test-char dangling pointer (Eduardo) * Build system and win32 fixes (Marc-André) * Initialization fixes (myself) * TCG include cleanup (Richard, myself) * x86 'int N' fix (Peter) # gpg: Signature made Wed 06 Jan 2021 09:21:25 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: (52 commits) win32: drop fd registration to the main-loop on setting non-block configure: move tests/qemu-iotests/common.env generation to meson meson.build: convert --with-default-devices to meson libattr: convert to meson cap_ng: convert to meson virtfs: convert to meson seccomp: convert to meson zstd: convert to meson lzfse: convert to meson snappy: convert to meson lzo: convert to meson rbd: convert to meson libnfs: convert to meson libiscsi: convert to meson bzip2: convert to meson glusterfs: convert to meson curl: convert to meson curl: remove compatibility code, require 7.29.0 brlapi: convert to meson configure: remove CONFIG_FILEVERSION and CONFIG_PRODUCTVERSION ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org> # Conflicts: # trace/meson.build
2025-08-03 15:53:54 -06:00 · 2021-01-06 15:55:29 +00:00 · 2021-01-06 15:55:29 +00:00 · aadac5b3d9
commit aadac5b3d9
parent 30918661c1 c8b2b7fed9
67 changed files with 1013 additions and 874 deletions
--- a/docs/devel/control-flow-integrity.rst
+++ b/docs/devel/control-flow-integrity.rst
@ -0,0 +1,137 @@
+============================
+Control-Flow Integrity (CFI)
+============================
+
+This document describes the current control-flow integrity (CFI) mechanism in
+QEMU. How it can be enabled, its benefits and deficiencies, and how it affects
+new and existing code in QEMU
+
+Basics
+------
+
+CFI is a hardening technique that focusing on guaranteeing that indirect
+function calls have not been altered by an attacker.
+The type used in QEMU is a forward-edge control-flow integrity that ensures
+function calls performed through function pointers, always call a "compatible"
+function. A compatible function is a function with the same signature of the
+function pointer declared in the source code.
+
+This type of CFI is entirely compiler-based and relies on the compiler knowing
+the signature of every function and every function pointer used in the code.
+As of now, the only compiler that provides support for CFI is Clang.
+
+CFI is best used on production binaries, to protect against unknown attack
+vectors.
+
+In case of a CFI violation (i.e. call to a non-compatible function) QEMU will
+terminate abruptly, to stop the possible attack.
+
+Building with CFI
+-----------------
+
+NOTE: CFI requires the use of link-time optimization. Therefore, when CFI is
+selected, LTO will be automatically enabled.
+
+To build with CFI, the minimum requirement is Clang 6+. If you
+are planning to also enable fuzzing, then Clang 11+ is needed (more on this
+later).
+
+Given the use of LTO, a version of AR that supports LLVM IR is required.
+The easies way of doing this is by selecting the AR provided by LLVM::
+
+ AR=llvm-ar-9 CC=clang-9 CXX=lang++-9 /path/to/configure --enable-cfi
+
+CFI is enabled on every binary produced.
+
+If desired, an additional flag to increase the verbosity of the output in case
+of a CFI violation is offered (``--enable-debug-cfi``).
+
+Using QEMU built with CFI
+-------------------------
+
+A binary with CFI will work exactly like a standard binary. In case of a CFI
+violation, the binary will terminate with an illegal instruction signal.
+
+Incompatible code with CFI
+--------------------------
+
+As mentioned above, CFI is entirely compiler-based and therefore relies on
+compile-time knowledge of the code. This means that, while generally supported
+for most code, some specific use pattern can break CFI compatibility, and
+create false-positives. The two main patterns that can cause issues are:
+
+* Just-in-time compiled code: since such code is created at runtime, the jump
+  to the buffer containing JIT code will fail.
+
+* Libraries loaded dynamically, e.g. with dlopen/dlsym, since the library was
+  not known at compile time.
+
+Current areas of QEMU that are not entirely compatible with CFI are:
+
+1. TCG, since the idea of TCG is to pre-compile groups of instructions at
+   runtime to speed-up interpretation, quite similarly to a JIT compiler
+
+2. TCI, where the interpreter has to interpret the generic *call* operation
+
+3. Plugins, since a plugin is implemented as an external library
+
+4. Modules, since they are implemented as an external library
+
+5. Directly calling signal handlers from the QEMU source code, since the
+   signal handler may have been provided by an external library or even plugged
+   at runtime.
+
+Disabling CFI for a specific function
+-------------------------------------
+
+If you are working on function that is performing a call using an
+incompatible way, as described before, you can selectively disable CFI checks
+for such function by using the decorator ``QEMU_DISABLE_CFI`` at function
+definition, and add an explanation on why the function is not compatible
+with CFI. An example of the use of ``QEMU_DISABLE_CFI`` is provided here::
+
+	/*
+	 * Disable CFI checks.
+	 * TCG creates binary blobs at runtime, with the transformed code.
+	 * A TB is a blob of binary code, created at runtime and called with an
+	 * indirect function call. Since such function did not exist at compile time,
+	 * the CFI runtime has no way to verify its signature and would fail.
+	 * TCG is not considered a security-sensitive part of QEMU so this does not
+	 * affect the impact of CFI in environment with high security requirements
+	 */
+	QEMU_DISABLE_CFI
+	static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, TranslationBlock *itb)
+
+NOTE: CFI needs to be disabled at the **caller** function, (i.e. a compatible
+cfi function that calls a non-compatible one), since the check is performed
+when the function call is performed.
+
+CFI and fuzzing
+---------------
+
+There is generally no advantage of using CFI and fuzzing together, because
+they target different environments (production for CFI, debug for fuzzing).
+
+CFI could be used in conjunction with fuzzing to identify a broader set of
+bugs that may not end immediately in a segmentation fault or triggering
+an assertion. However, other sanitizers such as address and ub sanitizers
+can identify such bugs in a more precise way than CFI.
+
+There is, however, an interesting use case in using CFI in conjunction with
+fuzzing, that is to make sure that CFI is not triggering any false positive
+in remote-but-possible parts of the code.
+
+CFI can be enabled with fuzzing, but with some caveats:
+1. Fuzzing relies on the linker performing function wrapping at link-time.
+The standard BFD linker does not support function wrapping when LTO is
+also enabled. The workaround is to use LLVM's lld linker.
+2. Fuzzing also relies on a custom linker script, which is only supported by
+lld with version 11+.
+
+In other words, to compile with fuzzing and CFI, clang 11+ is required, and
+lld needs to be used as a linker::
+
+ AR=llvm-ar-11 CC=clang-11 CXX=lang++-11 /path/to/configure --enable-cfi \
+                           -enable-fuzzing --extra-ldflags="-fuse-ld=lld"
+
+and then, compile the fuzzers as usual.
--- a/docs/devel/index.rst
+++ b/docs/devel/index.rst
@ -15,14 +15,15 @@ Contents:

   build-system
   kconfig
+   testing
+   fuzzing
+   control-flow-integrity
   loads-stores
   memory
   migration
   atomics
   stable-process
-   testing
   qtest
-   fuzzing
   decodetree
   secure-coding-practices
   tcg
--- a/docs/devel/kconfig.rst
+++ b/docs/devel/kconfig.rst
@ -288,21 +288,20 @@ they will include all these symbols and some help text on what they do.
 ----------------

 In some special cases, a configurable element depends on host features
-that are detected by QEMU's configure script; for example some devices
-depend on the availability of KVM or on the presence of a library on
-the host.
+that are detected by QEMU's configure or ``meson.build`` scripts; for
+example some devices depend on the availability of KVM or on the presence
+of a library on the host.

 These symbols should be listed in ``Kconfig.host`` like this::

-    config KVM
+    config TPM
      bool

-and also listed as follows in the top-level Makefile's ``MINIKCONF_ARGS``
+and also listed as follows in the top-level meson.build's host_kconfig
 variable::

-    MINIKCONF_ARGS = \
-      $@ $*/config-devices.mak.d $< $(MINIKCONF_INPUTS) \
-      CONFIG_KVM=$(CONFIG_KVM) \
-      CONFIG_SPICE=$(CONFIG_SPICE) \
-      CONFIG_TPM=$(CONFIG_TPM) \
+    host_kconfig = \
+      ('CONFIG_TPM' in config_host ? ['CONFIG_TPM=y'] : []) + \
+      ('CONFIG_SPICE' in config_host ? ['CONFIG_SPICE=y'] : []) + \
+      ('CONFIG_IVSHMEM' in config_host ? ['CONFIG_IVSHMEM=y'] : []) + \
      ...