configure: add --enable-cet to build with CET support

Intel Control-flow Enforcement Technology (CET) is a
processor feature that blocks return/jump-oriented
programming (ROP) attacks.

It is currently only supported on Tiger Lake client
processors, but will be available on other processors
in the future.

CET requires toolchain support.  gcc8 does support it.
For now, this will be opt-in only, at least until the
technology is available on server processors.

Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: I8c7f882eeeaed26484c31dc0d67d5cc42baeaa2d

Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/5921
Community-CI: Broadcom CI
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Jim Harris 2021-01-14 04:06:33 -07:00
parent 5636dabc3d
commit 91e422572a
4 changed files with 28 additions and 0 deletions

3
CONFIG

@ -76,6 +76,9 @@ CONFIG_UNIT_TESTS=y
# Build examples
CONFIG_EXAMPLES=y
# Build with Control-flow Enforcement Technology (CET)
CONFIG_CET=n
# Directory that contains the desired SPDK environment library.
# By default, this is implemented using DPDK.
CONFIG_ENV=

15
configure vendored

@ -32,6 +32,7 @@ function usage()
echo " --enable-lto Enable link-time optimization"
echo " --enable-pgo-capture Enable generation of profile guided optimization data"
echo " --enable-pgo-use Use previously captured profile guided optimization data"
echo " --enable-cet Enable Intel Control-flow Enforcement Technology (CET)"
echo " --disable-tests Disable building of functional tests"
echo " --disable-unit-tests Disable building of unit tests"
echo " --disable-examples Disable building of examples"
@ -267,6 +268,12 @@ for i in "$@"; do
--disable-werror)
CONFIG[WERROR]=n
;;
--enable-cet)
CONFIG[CET]=y
;;
--disable-cet)
CONFIG[CET]=n
;;
--with-dpdk=*)
check_dir "$i"
CONFIG[DPDK_DIR]=$(readlink -f ${i#*=})
@ -810,6 +817,14 @@ if [[ "${CONFIG[FUSE]}" = "y" ]]; then
fi
fi
if [ "${CONFIG[CET]}" = "y" ]; then
if ! echo -e 'int main(void) { return 0; }\n' | ${BUILD_CMD[@]} -fcf-protection - 2>/dev/null; then
echo --enable-cet requires compiler/linker that supports CET.
echo Please install then re-run this script.
exit 1
fi
fi
# We are now ready to generate final configuration. But first do sanity
# check to see if all keys in CONFIG array have its reflection in CONFIG file.
if [ $(egrep -c "^\s*CONFIG_[[:alnum:]_]+=" $rootdir/CONFIG) -ne ${#CONFIG[@]} ]; then
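Review bot: The CET probe in the last hunk (`${BUILD_CMD[@]} -fcf-protection - 2>/dev/null`) only shows that the compiler driver accepts the flag; it does not show that the output carries the IBT/SHSTK property. `--enable-cet` can therefore pass while the final binaries end up unprotected. `BUILD_CMD` is defined outside the visible hunks, so I can't tell whether the probe links at all, and the "compiler/linker" wording in the error message may promise more than is tested. I'd put a comment above the check, for example `# Verifies flag acceptance only; confirm built binaries with 'readelf -n' (x86 feature: IBT, SHSTK).` Marked binaries are also enforced only on a CPU and kernel with CET support, which the `--enable-cet` usage string could say in a few words.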


@ -88,6 +88,11 @@ else
DPDK_CFLAGS += -Wno-error
endif
ifeq ($(CONFIG_CET),y)
DPDK_CFLAGS += -fcf-protection
DPDK_LDFLAGS += -fcf-protection
endif
ifdef EXTRA_DPDK_CFLAGS
$(warning EXTRA_DPDK_CFLAGS defined, possibly to work around an unsupported compiler version)
$(shell sleep 1)
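Review bot: Passing `-fcf-protection` in `DPDK_LDFLAGS` here, and in `LDFLAGS` in the last file section, does not make the link fail when an input object lacks the CET note. GNU ld keeps the IBT/SHSTK property only if every input carries it, so one unmarked object (hand-written assembly or a prebuilt library are the usual cases) silently yields a binary without protection. If the supported binutils is new enough, `LDFLAGS += -Wl,-z,cet-report=error` would turn that into a build error; otherwise a comment saying the result must be checked with `readelf -n` would help. I'd also write the flag as `-fcf-protection=full` in both places so the intended level is explicit rather than the compiler default. The conditional that this hunk sits after starts outside the visible lines.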


@ -107,6 +107,11 @@ COMMON_CFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
LDFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
endif
ifeq ($(CONFIG_CET),y)
COMMON_CFLAGS += -fcf-protection
LDFLAGS += -fcf-protection
endif
COMMON_CFLAGS += -Wformat -Wformat-security
COMMON_CFLAGS += -D_GNU_SOURCE