Lines Matching +full:at +full:- +full:compatible
2 Control-Flow Integrity (CFI)
5 This document describes the current control-flow integrity (CFI) mechanism in
10 ------
14 The type used in QEMU is a forward-edge control-flow integrity that ensures
15 function calls performed through function pointers always call a "compatible"
16 function. A compatible function is a function with the same signature as the
19 This type of CFI is entirely compiler-based and relies on the compiler knowing
26 In case of a CFI violation (i.e. call to a non-compatible function) QEMU will
30 -----------------
32 NOTE: CFI requires the use of link-time optimization. Therefore, when CFI is
42 AR=llvm-ar-9 CC=clang-9 CXX=clang++-9 /path/to/configure --enable-cfi
47 of a CFI violation is offered (``--enable-debug-cfi``).
50 -------------------------
56 --------------------------
58 As mentioned above, CFI is entirely compiler-based and therefore relies on
59 compile-time knowledge of the code. This means that, while generally supported
61 create false positives. The two main patterns that can cause issues are:
63 * Just-in-time compiled code: since such code is created at runtime, the jump
67 not known at compile time.
69 Current areas of QEMU that are not entirely compatible with CFI are:
71 1. TCG, since the idea of TCG is to pre-compile groups of instructions at
72 runtime to speed up interpretation, quite similarly to a JIT compiler
82 at runtime.
85 -------------------------------------
89 for such function by using the decorator ``QEMU_DISABLE_CFI`` at function
90 definition, and add an explanation on why the function is not compatible
95 * TCG creates binary blobs at runtime, with the transformed code.
96 * A TB is a blob of binary code, created at runtime and called with an
97 * indirect function call. Since such a function did not exist at compile time,
99 * TCG is not considered a security-sensitive part of QEMU so this does not
105 NOTE: CFI needs to be disabled at the **caller** function (i.e. a compatible
106 CFI function that calls a non-compatible one), since the check is performed
110 ---------------
122 in remote-but-possible parts of the code.
125 1. Fuzzing relies on the linker performing function wrapping at link time.
134 AR=llvm-ar-11 CC=clang-11 CXX=clang++-11 /path/to/configure --enable-cfi \
135 --enable-fuzzing --extra-ldflags="-fuse-ld=lld"