Skip to content

Pointer authentication config and user facing options#156712

Open
jchlanda wants to merge 12 commits into
rust-lang:mainfrom
jchlanda:jakub/pac_config
Open

Pointer authentication config and user facing options#156712
jchlanda wants to merge 12 commits into
rust-lang:mainfrom
jchlanda:jakub/pac_config

Conversation

@jchlanda

@jchlanda jchlanda commented May 18, 2026

Copy link
Copy Markdown
Contributor

View all comments

This patch brings:

  • unified handling of pointer authentication options through:
    -Zpointer-authentication, with possible values:
    aarch64-jump-table-hardening, auth-traps, calls, elf-got,
    function-pointer-type-discrimination, indirect-gotos, init-fini,
    init-fini-address-discrimination, return-addresses. Toggled with
    +/-.
  • centralized handling of pointer authentication features. Session holds
    pointer_auth_config: Option<PointerAuthConfig>
  • encapsulation of schema for function pointers and init/fini through
    PointerAuthSchema. This allowed for retiring of PacMetadata.
  • refactor enabling of pointer authentication in code, instead of
    relying on the target (pauthtest) use the session

@rustbot rustbot added A-compiletest Area: The compiletest test runner A-LLVM Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues. A-run-make Area: port run-make Makefiles to rmake.rs A-test-infra-minicore Area: `minicore` test auxiliary and `//@ add-core-stubs` A-testsuite Area: The testsuite used to check the correctness of rustc S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-bootstrap Relevant to the bootstrap subteam: Rust's build system (x.py and src/bootstrap) T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels May 18, 2026
@rust-log-analyzer

This comment has been minimized.

@jchlanda jchlanda force-pushed the jakub/pac_config branch from 77fe412 to b0a7e47 Compare May 18, 2026 13:15
@rust-log-analyzer

This comment has been minimized.

@jchlanda jchlanda force-pushed the jakub/pac_config branch from b0a7e47 to 4e8d9e3 Compare May 18, 2026 13:23
@rust-log-analyzer

This comment has been minimized.

@jchlanda jchlanda force-pushed the jakub/pac_config branch from 4e8d9e3 to 418f447 Compare May 18, 2026 13:39
@rust-log-analyzer

This comment has been minimized.

@jchlanda jchlanda force-pushed the jakub/pac_config branch from 418f447 to 6af45da Compare May 18, 2026 14:26
@jchlanda

Copy link
Copy Markdown
Contributor Author

@davidtwco, @folkertdev, @tgross35, @madsmtm FWI this is a follow up to #155722 and #156548
This will have to be rebased once the above are merged.

@jchlanda jchlanda marked this pull request as ready for review May 19, 2026 12:17
@rustbot

rustbot commented May 19, 2026

Copy link
Copy Markdown
Collaborator

This PR modifies src/bootstrap/src/core/config.

If appropriate, please update CONFIG_CHANGE_HISTORY in src/bootstrap/src/utils/change_tracker.rs.

Some changes occurred in src/tools/compiletest

cc @jieyouxu

The GCC codegen subtree was changed

cc @antoyo, @GuillaumeGomez

compiletest directives have been modified. Please add or update docs for the
new or modified directive in src/doc/rustc-dev-guide/.

Some changes occurred in src/doc/rustc/src/platform-support

cc @Noratrieb

This PR modifies tests/auxiliary/minicore.rs.

cc @jieyouxu

These commits modify compiler targets.
(See the Target Tier Policy.)

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels May 19, 2026
@rustbot

rustbot commented May 19, 2026

Copy link
Copy Markdown
Collaborator

r? @mejrs

rustbot has assigned @mejrs.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: compiler
  • compiler expanded to 73 candidates
  • Random selection from 20 candidates

@rust-log-analyzer

This comment has been minimized.

@rust-bors

This comment has been minimized.

@mejrs

mejrs commented May 24, 2026

Copy link
Copy Markdown
Contributor

Hi, I am not qualified to review this.

r? madsmtm or reroll maybe

@rustbot

This comment has been minimized.

@rust-bors

This comment has been minimized.

@rustbot

This comment has been minimized.

@rustbot

rustbot commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

@jchlanda

jchlanda commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Hi all (@davidtwco, @folkertdev, @tgross35, @madsmtm, @bjorn3),

The PR introducing the pauthtest target has been merged into main. I'd be very grateful if we could move this one forward as well.

Thank you!

layout: abi::Scalar,
llty: Self::Type,
pac: Option<PacMetadata>,
schema: Option<&PointerAuthSchema>,

@bjorn3 bjorn3 Jul 1, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't know if it got lost or I commented this on another PR, but it should be possible for both the builder and the codegen context to get this info from the session they store.

View changes since the review

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While you are right that PointerAuthSchema can be accessed through the session from both places, it is unfortunately a bit more complicated than that.

The key point is that the only place the schema is actually used is in maybe_sign_fn_ptr. That function effectively “consumes” the schema, and it is only a helper for get_fn_addr.

However, at the point where we obtain the function address, we have already lost the contextual information about which signing schema should be used. Note that (for now) there are two schemas defined in the session:

As a result, it is up to the callers of get_fn_addr to provide the correct schema. The complication is that the information about whether a value will be emitted into init/fini arrays is only known at const_alloc_to_llvm time, which then calls into the scalar-to-backend routine (whose signature had to be also extended).

As a side note, the current implementation is a simplification. We deliberately assume only two schema choices: init/fini or default function pointer. Both are provided as a constant snapshot in the session. In reality, it should be possible for the schema to change throughout the compilation pipeline, which means we will likely need to move away from relying on the session as the source of truth. This is reflected in my WIP PR that you commented on.

Comment thread compiler/rustc_session/src/options.rs Outdated
"whether to use the PLT when calling into shared libraries;
only has effect for PIC code on systems with ELF binaries
(default: PLT is disabled if full relro is enabled on x86_64)"),
pointer_authentication: Vec<(PointerAuthOption, bool)> = (Vec::new(), parse_pointer_authentication_list_with_polarity, [TRACKED],

@davidtwco davidtwco Jul 2, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a target modifier?

View changes since the review

@jchlanda jchlanda Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't aware of target_modifiers before, but after reading the docs, I'd say yes. I don't think it makes that much of a difference just now, as the mismatches will always be cough by lld. You'd get something along the lines of:

   = note: ld.lld: error: incompatible values of AArch64 PAuth core info found
           platform:
           >>> /opt/llvm-pauth/lib/clang/23/lib/aarch64-unknown-linux-pauthtest/clang_rt.crtbegin.o: 0x0000000010000002
           >>> /home/jakub/Work/AccessSoftek/rust/build/aarch64-unknown-linux-gnu/test/ui/target_modifiers/incompatible_pauth/auxiliary/pauth.pauth.13435d650a747a4e-cgu.0.rcgu.o: 0x0000000010000002
           version:
           >>> /opt/llvm-pauth/lib/clang/23/lib/aarch64-unknown-linux-pauthtest/clang_rt.crtbegin.o: 0x00000000000006ff
           >>> /home/jakub/Work/AccessSoftek/rust/build/aarch64-unknown-linux-gnu/test/ui/target_modifiers/incompatible_pauth/auxiliary/pauth.pauth.13435d650a747a4e-cgu.0.rcgu.o: 0x000000000000063f
           clang: error: linker command failed with exit code 1 (use -v to see invocation)

However, having it explicit, at Rust level, before it hits the linker sounds like a clear win.

Pretty cool feature that.

I've added it in: 1c82b8f

Comment thread compiler/rustc_session/src/session.rs Outdated
self.pointer_auth_config.is_some()
}

pub fn pointer_authentication_functions(&self) -> bool {

@davidtwco davidtwco Jul 2, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe return the Option<_> here and use is_some() at the callers that need it, then you can use this in a bunch more places where the value is used too, like in the ssa/mir/* changes.

View changes since the review

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, done.

pub enum PointerAuthOption {
Calls,
ReturnAddresses,
Aarch64JumpTableHardening,

@davidtwco davidtwco Jul 2, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can wrap this in // tidy-alphabetical-start and // tidy-alphabetical-end` comments if you want the ordering to stay enforced

View changes since the review

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, done.

"vt-ptr-addr-discrimination" => Some(Self::VTPtrAddrDisc),
"vt-ptr-type-discrimination" => Some(Self::VTPtrTypeDisc),
_ => None,
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the options make sense as currently proposed - I don't know that we'd want so many different options like Clang does, and if we don't want that then Clang's names aren't great.

Comment thread compiler/rustc_session/src/options.rs Outdated
"whether to use the PLT when calling into shared libraries;
only has effect for PIC code on systems with ELF binaries
(default: PLT is disabled if full relro is enabled on x86_64)"),
pointer_authentication: Vec<(PointerAuthOption, bool)> = (Vec::new(), parse_pointer_authentication_list_with_polarity, [TRACKED],

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed that question should be part of a tracking issue.

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jul 2, 2026
@rustbot

rustbot commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Reminder, once the PR becomes ready for a review, use @rustbot ready.

jchlanda added 6 commits July 3, 2026 10:35
This patch brings:
* unified handling of pointer authentication options through:
  `-Zpointer-authentication`, with possible values:
  `aarch64-jump-table-hardening`, `auth-traps`, `calls`, `elf-got`,
  `function-pointer-type-discrimination`, `indirect-gotos`, `init-fini`,
  `init-fini-address-discrimination`, `return-addresses`. Toggled with
  `+`/`-`.
* centralized handling of pointer authentication features. Session holds
  `pointer_auth_config: Option<PointerAuthConfig>`
* encapsulation of schema for function pointers and init/fini through
  `PointerAuthSchema`. This allowed for retiring of `PacMetadata`.
* refactor enabling of pointer authentication in code, instead of
  relying on the target (`pauthtest`) use the session
- warning on unsupported test
- error on type discrimination
- removal of PointerAuthKind
@jchlanda jchlanda force-pushed the jakub/pac_config branch from 638efe3 to 2556382 Compare July 3, 2026 12:33
@jchlanda

jchlanda commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@rustbot ready

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Jul 3, 2026
Also improve the API design of pointer_authentication_functions, by
making it return Option<&PointerAuthSchema>, rather than bool.
@jchlanda jchlanda force-pushed the jakub/pac_config branch from 2556382 to 1c82b8f Compare July 3, 2026 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

A-compiletest Area: The compiletest test runner A-LLVM Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues. A-run-make Area: port run-make Makefiles to rmake.rs A-test-infra-minicore Area: `minicore` test auxiliary and `//@ add-core-stubs` A-testsuite Area: The testsuite used to check the correctness of rustc S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-bootstrap Relevant to the bootstrap subteam: Rust's build system (x.py and src/bootstrap) T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unify handling of pointer authentication features

8 participants