[PATCH v2] peflags: add support for IMAGE_DLLCHARACTERISTICS_GUARD_CF

[PATCH v2] peflags: add support for IMAGE_DLLCHARACTERISTICS_GUARD_CF

[Christoph Reiter]

This allows for setting, clearing, and displaying the value of the
"control flow guard" dll characteristics flag.

The flag for MSVC is called "/guard:cf" and the macro ends with "GUARD_CF".
To keep things consistent, it would make sense to name the option "guard-cf".
However, there's already "-c"/"control-flow-guard" in genpeimg for this flag,
and genpeimg shares all other options with peflags so far.
So, follow genpeimg and go with "-c" and "--control-flow-guard".

This is motivated by mingw-w64 and llvm v16 gaining support for
CFG (Control Flow Guard).
---
Renamed the option from -g/--guard-cf to -c/--control-flow-guard

 peflags.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/peflags.c b/peflags.c
index b1cd7a8..93eaa0b 100644
--- a/peflags.c
+++ b/peflags.c
@@ -121,7 +121,7 @@ static const symbolic_flags_t pe_symbolic_flags[] = {
   CF(0x0800, no-bind),
 /*CF(0x1000, reserved_0x1000),*/
   CF(0x2000, wdmdriver),
-/*CF(0x4000, reserved_0x4000),*/
+  CF(0x4000, control-flow-guard),
   CF(0x8000, tsaware),
   {0, 0, 0}
 };
@@ -182,6 +182,7 @@ sizeof_values_t sizeof_vals[5] = {
 static struct option long_options[] = {
   {"dynamicbase",  optional_argument, NULL, 'd'},
   {"high-entropy-va", optional_argument, NULL, 'e'},
+  {"control-flow-guard", optional_argument, NULL, 'c'},
   {"forceinteg",   optional_argument, NULL, 'f'},
   {"nxcompat",     optional_argument, NULL, 'n'},
   {"no-isolation", optional_argument, NULL, 'i'},
@@ -204,7 +205,7 @@ static struct option long_options[] = {
   {NULL, no_argument, NULL, 0}
 };
 static const char *short_options
-	= "d::e::f::n::i::s::b::W::t::w::l::S::x::X::y::Y::z::T:vhV";
+	= "d::e::c::f::n::i::s::b::W::t::w::l::S::x::X::y::Y::z::T:vhV";
 
 static void short_usage (FILE *f);
 static void help (FILE *f);
@@ -706,6 +707,11 @@ parse_args (int argc, char *argv[])
 	                         optarg,
 	                         IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA);
 	  break;
+	case 'c':
+	  handle_pe_flag_option (long_options[option_index].name,
+	                         optarg,
+	                         IMAGE_DLLCHARACTERISTICS_GUARD_CF);
+	  break;
 	case 'n':
 	  handle_pe_flag_option (long_options[option_index].name,
 	                         optarg,
@@ -1079,6 +1085,8 @@ help (FILE *f)
 "  -e,\n"
 "  --high-entropy-va  [BOOL]   Image is compatible with 64-bit address space\n"
 "                              layout randomization (ASLR).\n"
+"  -c,\n"
+"  --control-flow-guard [BOOL] Image supports Control Flow Guard.\n"
 "  -f, --forceinteg   [BOOL]   Code integrity checks are enforced.\n"
 "  -n, --nxcompat     [BOOL]   Image is compatible with data execution\n"
 "                              prevention (DEP).\n"
-- 
2.40.0

Re: [PATCH v2] peflags: add support for IMAGE_DLLCHARACTERISTICS_GUARD_CF

[Corinna Vinschen]

Hi Christoph,

On Apr 17 20:40, Christoph Reiter via Cygwin-apps wrote:
> This allows for setting, clearing, and displaying the value of the
> "control flow guard" dll characteristics flag.
> 
> The flag for MSVC is called "/guard:cf" and the macro ends with "GUARD_CF".
> To keep things consistent, it would make sense to name the option "guard-cf".
> However, there's already "-c"/"control-flow-guard" in genpeimg for this flag,
> and genpeimg shares all other options with peflags so far.
> So, follow genpeimg and go with "-c" and "--control-flow-guard".
> 
> This is motivated by mingw-w64 and llvm v16 gaining support for
> CFG (Control Flow Guard).
> ---
> Renamed the option from -g/--guard-cf to -c/--control-flow-guard
> 
>  peflags.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)

Pash pushed.  I new rebase 4.6.3 release with your patch is just
building.


Thanks,
Corinna

Re: [PATCH v2] peflags: add support for IMAGE_DLLCHARACTERISTICS_GUARD_CF

[Christoph Reiter]

On Tue, Apr 18, 2023 at 9:44 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> Pash pushed.  I new rebase 4.6.3 release with your patch is just
> building.

Thanks!

Re: [PATCH v2] peflags: add support for IMAGE_DLLCHARACTERISTICS_GUARD_CF

[Brian Inglis]

On 2023-04-18 10:47, Christoph Reiter wrote:
> On Tue, Apr 18, 2023 at 9:44 AM Corinna Vinschen wrote:
>> Pash pushed.  I new rebase 4.6.3 release with your patch is just
>> building.

Extended DLL Characteristics was added for IBT/CET/CFI and AMD/Intel Shadow 
Stack support has been available since W10 [20]20H1/[20]2004 in a PE Debug 
Directory entry with Debug Type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS (20.) 
with value IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT (1)

https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#extended-dll-characteristics

Are there any plans to support those debug directory entries and flags in 
genpeimg and/or peflags, and Windows shadow stack support in mingw64 and/or Cygwin?

The Linux implementation is discussed in https://lwn.net/Articles/883340/ as 
Intel architected the (soon former) Linux CoW PTE bit combo Write 0 Dirty 1 as 
Shadow Stack page flag, possibly anticipating that they could contribute kernel 
patches to work around this more quickly than has transpired.

I got interested in this as I plan to add Linux cpuinfo flag user_shstk, on 
recent CPUs and Windows releases with that support, to next Cygwin cpuinfo patch.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry