dotnet · trylek · Jul 30, 2022 · Jun 30, 2022 · Jul 20, 2022 · Jul 20, 2022
diff --git a/eng/pipelines/common/templates/runtimes/run-test-job.yml b/eng/pipelines/common/templates/runtimes/run-test-job.yml
@@ -11,6 +11,7 @@ parameters:
   liveLibrariesBuildConfig: ''
   crossgen2: false
   compositeBuildMode: false
+  useCodeFlowEnforcement: ''
   helixQueues: ''
   condition: true
   stagedBuild: false
@@ -112,6 +113,13 @@ jobs:
       - name: runtimeVariantArg
         value: '/p:RuntimeVariant=${{ parameters.runtimeVariant }}'
 
+    - name: codeFlowEnforcementArg
+      value: ''
+
+    - ${{ if ne(parameters.useCodeFlowEnforcement, '') }}:
+      - name: codeFlowEnforcementArg
+        value: '/p:UseCodeFlowEnforcement=${{ parameters.useCodeFlowEnforcement }}'
+
     - name: crossgenArg
       value: ''
     - name: LogNamePrefix
@@ -301,8 +309,8 @@ jobs:
     # during product build (so that we could zip up the files in their final test location
     # and directly unzip them there after download). Unfortunately the logic to copy
     # the native artifacts to the final test folders is dependent on availability of the
-    # managed test artifacts.
-    - script: $(Build.SourcesDirectory)/src/tests/build$(scriptExt) copynativeonly $(logRootNameArg)Native $(testTreeFilterArg) $(runtimeFlavorArgs) $(crossgenArg) $(buildConfig) $(archType) $(priorityArg) $(librariesOverrideArg)
+    # managed test artifacts. This step also generates the final test execution scripts.
+    - script: $(Build.SourcesDirectory)/src/tests/build$(scriptExt) copynativeonly $(logRootNameArg)Native $(testTreeFilterArg) $(runtimeFlavorArgs) $(crossgenArg) $(buildConfig) $(archType) $(priorityArg) $(librariesOverrideArg) $(codeFlowEnforcementArg)
       displayName: Copy native test components to test output folder
 
 

diff --git a/eng/pipelines/runtime-cet.yml b/eng/pipelines/runtime-cet.yml
@@ -82,3 +82,4 @@ jobs:
     jobParameters:
       testGroup: innerloop
       liveLibrariesBuildConfig: release
+      useCodeFlowEnforcement: true
diff --git a/src/tests/Directory.Build.targets b/src/tests/Directory.Build.targets
@@ -83,6 +83,10 @@
     </ProjectReference>
   </ItemGroup>
 
+  <PropertyGroup Condition="'$(RequiresCodeFlowEnforcement)' == 'true'">
+    <CLRTestTargetUnsupported Condition="'$(UseCodeFlowEnforcement)' != 'true'">true</CLRTestTargetUnsupported>
+  </PropertyGroup>
+
   <!-- Determine if this project should be built or not -->
   <PropertyGroup>
     <BuildAllProjects Condition="'$(BuildAllProjects)' == ''">false</BuildAllProjects>

diff --git a/src/tests/baseservices/CET/CETCheck.cpp b/src/tests/baseservices/CET/CETCheck.cpp
@@ -0,0 +1,11 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#if defined(TARGET_AMD64) && defined(TARGET_WINDOWS)
+#include <intrin.h>
+
+extern "C" __declspec(dllexport) __int64 ReadShadowStackPointer()
+{
+    return _rdsspq();
+}
+#endif
diff --git a/src/tests/baseservices/CET/CMakeLists.txt b/src/tests/baseservices/CET/CMakeLists.txt
@@ -0,0 +1,4 @@
+add_library(cet_check SHARED CETCheck.cpp)
+
+# add the install targets
+install (TARGETS cet_check DESTINATION bin)
diff --git a/src/tests/baseservices/CET/CheckCETPresence.cs b/src/tests/baseservices/CET/CheckCETPresence.cs
@@ -0,0 +1,20 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Runtime.InteropServices;
+
+static class Program
+{
+    [DllImport("cet_check.dll")]
+    private static extern long ReadShadowStackPointer();
+
+    public static int Main()
+    {
+        Console.WriteLine("Checking whether codeflow enforcement technology (CET) is active");
+        long ssp = ReadShadowStackPointer();
+        Console.WriteLine("Shadow stack pointer: 0x{0:x16}", ssp);
+        // Non-zero shadow stack pointer value confirms that CET is active on the runtime processor.
+        return ssp != 0 ? 100 : 101;
+    }
+}
diff --git a/src/tests/baseservices/CET/CheckCETPresence.csproj b/src/tests/baseservices/CET/CheckCETPresence.csproj
@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <RequiresCodeFlowEnforcement>true</RequiresCodeFlowEnforcement>
+    <RequiresProcessIsolation>true</RequiresProcessIsolation>
+    <CLRTestTargetUnsupported Condition="'$(TargetArchitecture)' != 'x64' or '$(TargetOS)' != 'windows'">true</CLRTestTargetUnsupported>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="$(MSBuildProjectName).cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <CMakeProjectReference Include="CMakeLists.txt" />
+  </ItemGroup>
+</Project>
diff --git a/src/tests/build.proj b/src/tests/build.proj
@@ -486,6 +486,7 @@
       <GroupBuildCmd>$(GroupBuildCmd) "/p:RuntimeFlavor=$(RuntimeFlavor)"</GroupBuildCmd>
       <GroupBuildCmd>$(GroupBuildCmd) "/p:RuntimeVariant=$(RuntimeVariant)"</GroupBuildCmd>
       <GroupBuildCmd>$(GroupBuildCmd) "/p:CLRTestBuildAllTargets=$(CLRTestBuildAllTargets)"</GroupBuildCmd>
+      <GroupBuildCmd>$(GroupBuildCmd) "/p:UseCodeFlowEnforcement=$(UseCodeFlowEnforcement)"</GroupBuildCmd>
       <GroupBuildCmd>$(GroupBuildCmd) "/p:__TestGroupToBuild=$(__TestGroupToBuild)"</GroupBuildCmd>
       <GroupBuildCmd>$(GroupBuildCmd) "/p:__SkipRestorePackages=1"</GroupBuildCmd>
       <GroupBuildCmd>$(GroupBuildCmd) /nodeReuse:false</GroupBuildCmd>