FS#57831 - [chromium] Enable control-flow integrity

Attached to Project: Arch Linux
Opened by xsmile (xsmile) - Wednesday, 14 March 2018, 04:43 GMT
Last edited by Evangelos Foutras (foutrelis) - Saturday, 31 March 2018, 01:50 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Evangelos Foutras (foutrelis)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


Consider enabling Control Flow Integrity (CFI) [1] for virtual calls as it is done in official Chrome builds.
At the same time, link-time optimization - ThinLTO [2] to be specific - will be enabled as a requirement for CFI.
See [3] for a description of the relevant GN build flag.

Steps to reproduce:
Add 'is_cfi=true' to the _flags array in the PKGBUILD.

1: https://www.chromium.org/developers/testing/control-flow-integrity
2: https://clang.llvm.org/docs/ThinLTO.html
3: https://chromium.googlesource.com/chromium/src/+/65.0.3325.165/build/config/sanitizers/sanitizers.gni#54
This task depends upon

Closed by  Evangelos Foutras (foutrelis)
Saturday, 31 March 2018, 01:50 GMT
Reason for closing:  Implemented
Additional comments about closing:  chromium 65.0.3325.181-2
Comment by Evangelos Foutras (foutrelis) - Friday, 16 March 2018, 18:36 GMT
Seems like a good idea, didn't work right away though: https://bugs.chromium.org/p/chromium/issues/detail?id=822820

Thanks for the proposal, hopefully the above is an easy fix for upstream.
Comment by Evangelos Foutras (foutrelis) - Saturday, 24 March 2018, 04:11 GMT
chromium 65.0.3325.181-2 in [testing] is built with is_cfi=true.
Comment by xsmile (xsmile) - Sunday, 25 March 2018, 12:54 GMT
Thanks for the investigation and the fix.

65.0.3325.181-2 in [testing] seems to work fine so far.
Comment by loqs (loqs) - Friday, 30 March 2018, 22:41 GMT
  • Field changed: Percent Complete (100% → 0%)
is_cfi=true was dropped again in 65.0.3325.181-4 was this intentional?
Comment by xsmile (xsmile) - Friday, 30 March 2018, 23:49 GMT
The recent addition of "is_official_build=true" should set "is_cfi=true".
Comment by Evangelos Foutras (foutrelis) - Saturday, 31 March 2018, 01:49 GMT
Like xsmile said, it defaults to: is_cfi = target_os == "linux" && !is_chromeos && target_cpu == "x64" && is_official_build

Having it be set implicitly means it will get the correct value on non-x86_64 arches, so that's why I left it off.

Thanks for looking out though, I added a note next to the is_official_build flag to make the intention clear.