
[v3] x86: Document -mcet-switch

Message ID 20220523173954.1979043-1-hjl.tools@gmail.com
State New

Commit Message

H.J. Lu May 23, 2022, 5:39 p.m. UTC
When -fcf-protection=branch is used, the compiler will generate jump
tables for switch statements where the indirect jump is prefixed with
the NOTRACK prefix, so it can jump to non-ENDBR targets.  Since the
indirect jump targets are generated by the compiler and stored in
read-only memory, this does not result in a direct loss of hardening.
But if the jump table index is attacker-controlled, the indirect jump
may not be constrained by CET.

Document -mcet-switch to generate jump tables for switch statements with
ENDBR and skip the NOTRACK prefix for indirect jump.  This option should
be used when the NOTRACK prefix is disabled.

	PR target/104816
	* config/i386/i386.opt: Remove Undocumented.
	* doc/invoke.texi: Document -mcet-switch.
---
 gcc/config/i386/i386.opt |  2 +-
 gcc/doc/invoke.texi      | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
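
As an added example, not code from this patch, from H.J. Lu or from the GCC project: a small Python audit of an x86-64 AT&T assembly listing that finds the shape the commit message describes, a jump-table switch whose indirect jump carries the NOTRACK prefix and whose case labels have no ENDBR, and contrasts it with the shape -mcet-switch produces (no prefix, ENDBR at every table target). The two listings embedded in it are constructed by hand to resemble GCC's -O2 -fcf-protection=branch output; they are not compiler output, and the function name `dispatch`, the label numbers and the helper names `audit` and `classify` are assumptions of this example.

```python
"""Audit x86-64 AT&T assembly for jump-table switches and IBT (ENDBR) coverage.

Example code, not from GCC.  The sample listings are hand-constructed in the
shape GCC emits for a switch; they are not real compiler output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LABEL_RE = re.compile(r"^([A-Za-z_.$][\w.$]*):")                    # "dispatch:" / ".L4:"
INDIRECT_JMP_RE = re.compile(r"^\s*(notrack\s+)?jmp\s+\*(\S+)")      # "notrack jmp *%rax"
TABLE_ENTRY_RE = re.compile(r"^\s*\.(?:long|quad)\s+(\.L\w+)(?:-\.L\w+)?\s*$")  # ".long .L6-.L4"
LABEL_REF_RE = re.compile(r"(\.L\w+)")


@dataclass
class IndirectJump:
    line_no: int
    notrack: bool
    table: Optional[str]
    targets: List[str]
    unprotected: List[str]   # targets whose first instruction is not endbr64/endbr32


def _is_instruction(line: str) -> bool:
    s = line.strip()
    return bool(s) and not s.startswith((".", "#"))


def audit(asm: str) -> List[IndirectJump]:
    lines = asm.splitlines()
    endbr_at: Dict[str, bool] = {}       # label -> first instruction is an ENDBR
    tables: Dict[str, List[str]] = {}    # table label -> case labels in table order
    pending: List[str] = []              # labels seen since the last instruction
    current_table: Optional[str] = None
    for line in lines:
        m = LABEL_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        te = TABLE_ENTRY_RE.match(line)
        if te:
            if pending:                  # the label right before the data names the table
                current_table, pending = pending[-1], []
            if current_table is not None:
                tables.setdefault(current_table, []).append(te.group(1))
            continue
        if _is_instruction(line):
            is_endbr = line.strip().startswith("endbr")
            for label in pending:
                endbr_at[label] = is_endbr
            pending, current_table = [], None

    jumps: List[IndirectJump] = []
    for i, line in enumerate(lines):
        jm = INDIRECT_JMP_RE.match(line)
        if not jm:
            continue
        # The table is named in the operand ("*.L4(,%rax,8)") or loaded a few
        # instructions earlier ("leaq .L4(%rip), %rdx"): scan back up to 8 lines.
        table = next((ref for j in range(i, max(i - 8, -1), -1)
                      for ref in LABEL_REF_RE.findall(lines[j]) if ref in tables), None)
        targets = tables.get(table, []) if table else []
        jumps.append(IndirectJump(i + 1, jm.group(1) is not None, table, targets,
                                  [t for t in targets if not endbr_at.get(t, False)]))
    return jumps


def classify(j: IndirectJump) -> str:
    """Name the hardening state a reviewer cares about."""
    if j.unprotected:
        # Default codegen: safe only while the OS honours the NOTRACK prefix.
        # A tracked jump to a non-ENDBR target would fault (#CP) under IBT.
        return "notrack-untracked" if j.notrack else "tracked-missing-endbr"
    return "notrack-redundant" if j.notrack else "tracked-endbr"   # -mcet-switch shape


# Constructed 3-way switch in the shape GCC produces at -O2 with
# -fcf-protection=branch (PIC): NOTRACK-prefixed jump, no ENDBR at the cases.
DEFAULT_ASM = """\
    .text
dispatch:
    endbr64
    cmpl    $2, %edi
    ja      .L2
    movl    %edi, %edi
    leaq    .L4(%rip), %rdx
    movslq  (%rdx,%rdi,4), %rax
    addq    %rdx, %rax
    notrack jmp *%rax
    .section .rodata
    .align 4
.L4:
    .long   .L6-.L4
    .long   .L5-.L4
    .long   .L3-.L4
    .text
.L6:
    movl    $10, %eax
    ret
.L5:
    movl    $20, %eax
    ret
.L3:
    movl    $30, %eax
    ret
.L2:
    movl    $-1, %eax
    ret
"""
# The same function as -mcet-switch shapes it: prefix dropped, ENDBR at each target.
CET_SWITCH_ASM = re.sub(r"^(\.L[356]):$", r"\1:\n    endbr64",
                        DEFAULT_ASM.replace("notrack jmp", "jmp"), flags=re.M)

if __name__ == "__main__":
    for name, asm in (("default", DEFAULT_ASM), ("-mcet-switch", CET_SWITCH_ASM)):
        for j in audit(asm):
            print(f"{name}: line {j.line_no} table {j.table} -> {classify(j)} "
                  f"(unprotected: {j.unprotected or 'none'})")
```

To audit real code, produce the listing with `gcc -O2 -S -fcf-protection=branch foo.c` (and again with `-mcet-switch` added) and pass the file contents to `audit()`. A `tracked-missing-endbr` result is the combination that faults once IBT is enforced; `notrack-untracked` is the default code generation, which stays safe only while the NOTRACK prefix is honoured, and `tracked-endbr` is what -mcet-switch gives, at the cost that every listed case label is now a valid landing pad for any indirect branch.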

Comments

Richard Biener May 24, 2022, 6:24 a.m. UTC | #1
On Mon, 23 May 2022, H.J. Lu wrote:

> When -fcf-protection=branch is used, the compiler will generate jump
> tables for switch statements where the indirect jump is prefixed with
> the NOTRACK prefix, so it can jump to non-ENDBR targets.  Since the
> indirect jump targets are generated by the compiler and stored in
> read-only memory, this does not result in a direct loss of hardening.
> But if the jump table index is attacker-controlled, the indirect jump
> may not be constrained by CET.
> 
> Document -mcet-switch to generate jump tables for switch statements with
> ENDBR and skip the NOTRACK prefix for indirect jump.  This option should
> be used when the NOTRACK prefix is disabled.

OK.

> 	PR target/104816
> 	* config/i386/i386.opt: Remove Undocumented.
> 	* doc/invoke.texi: Document -mcet-switch.
> ---
>  gcc/config/i386/i386.opt |  2 +-
>  gcc/doc/invoke.texi      | 14 +++++++++++++-
>  2 files changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
> index a6b0e28f238..0dbaacb57ed 100644
> --- a/gcc/config/i386/i386.opt
> +++ b/gcc/config/i386/i386.opt
> @@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
>  Technology (CET).
>  
>  mcet-switch
> -Target Undocumented Var(flag_cet_switch) Init(0)
> +Target Var(flag_cet_switch) Init(0)
>  Turn on CET instrumentation for switch statements that use a jump table and
>  an indirect jump.
>  
> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> index d8095e3128f..1f38e91b50b 100644
> --- a/gcc/doc/invoke.texi
> +++ b/gcc/doc/invoke.texi
> @@ -1425,7 +1425,8 @@ See RS/6000 and PowerPC Options.
>  -msse4a  -m3dnow  -m3dnowa  -mpopcnt  -mabm  -mbmi  -mtbm  -mfma4  -mxop @gol
>  -madx  -mlzcnt  -mbmi2  -mfxsr  -mxsave  -mxsaveopt  -mrtm  -mhle  -mlwp @gol
>  -mmwaitx  -mclzero  -mpku  -mthreads  -mgfni  -mvaes  -mwaitpkg @gol
> --mshstk -mmanual-endbr -mforce-indirect-call  -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> +-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
> +-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
>  -mvpclmulqdq  -mavx512bitalg  -mmovdiri  -mmovdir64b  -mavx512vpopcntdq @gol
>  -mavx5124fmaps  -mavx512vnni  -mavx5124vnniw  -mprfchw  -mrdpid @gol
>  -mrdseed  -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
> @@ -32719,6 +32720,17 @@ function attribute. This is useful when used with the option
>  @option{-fcf-protection=branch} to control ENDBR insertion at the
>  function entry.
>  
> +@item -mcet-switch
> +@opindex mcet-switch
> +By default, CET instrumentation is turned off on switch statements that
> +use a jump table and indirect branch track is disabled.  Since jump
> +tables are stored in read-only memory, this does not result in a direct
> +loss of hardening.  But if the jump table index is attacker-controlled,
> +the indirect jump may not be constrained by CET.  This option turns on
> +CET instrumentation to enable indirect branch track for switch statements
> +with jump tables which leads to the jump targets reachable via any indirect
> +jumps.
> +
>  @item -mcall-ms2sysv-xlogues
>  @opindex mcall-ms2sysv-xlogues
>  @opindex mno-call-ms2sysv-xlogues
>

Patch

diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index a6b0e28f238..0dbaacb57ed 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1047,7 +1047,7 @@  Enable shadow stack built-in functions from Control-flow Enforcement
 Technology (CET).
 
 mcet-switch
-Target Undocumented Var(flag_cet_switch) Init(0)
+Target Var(flag_cet_switch) Init(0)
 Turn on CET instrumentation for switch statements that use a jump table and
 an indirect jump.
 
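Review bot: once Undocumented is dropped, the help string on the two unchanged context lines ("Turn on CET instrumentation for switch statements that use a jump table and / an indirect jump.") becomes user-visible through --help=target, and it does not say what the instrumentation is: each jump-table target gets an ENDBR and the indirect jump loses its NOTRACK prefix, which is the trade-off the commit message spells out. Consider rewording it to something like "Emit ENDBR at jump table targets and omit the NOTRACK prefix on the indirect jump of switch statements" so that --help and invoke.texi agree. Nothing more is needed in this file: Var(flag_cet_switch) with Init(0) already yields the -mno-cet-switch negative form.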
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index d8095e3128f..1f38e91b50b 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1425,7 +1425,8 @@  See RS/6000 and PowerPC Options.
 -msse4a  -m3dnow  -m3dnowa  -mpopcnt  -mabm  -mbmi  -mtbm  -mfma4  -mxop @gol
 -madx  -mlzcnt  -mbmi2  -mfxsr  -mxsave  -mxsaveopt  -mrtm  -mhle  -mlwp @gol
 -mmwaitx  -mclzero  -mpku  -mthreads  -mgfni  -mvaes  -mwaitpkg @gol
--mshstk -mmanual-endbr -mforce-indirect-call  -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
+-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
+-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
 -mvpclmulqdq  -mavx512bitalg  -mmovdiri  -mmovdir64b  -mavx512vpopcntdq @gol
 -mavx5124fmaps  -mavx512vnni  -mavx5124vnniw  -mprfchw  -mrdpid @gol
 -mrdseed  -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
@@ -32719,6 +32720,17 @@  function attribute. This is useful when used with the option
 @option{-fcf-protection=branch} to control ENDBR insertion at the
 function entry.
 
+@item -mcet-switch
+@opindex mcet-switch
+By default, CET instrumentation is turned off on switch statements that
+use a jump table and indirect branch track is disabled.  Since jump
+tables are stored in read-only memory, this does not result in a direct
+loss of hardening.  But if the jump table index is attacker-controlled,
+the indirect jump may not be constrained by CET.  This option turns on
+CET instrumentation to enable indirect branch track for switch statements
+with jump tables which leads to the jump targets reachable via any indirect
+jumps.
+
 @item -mcall-ms2sysv-xlogues
 @opindex mcall-ms2sysv-xlogues
 @opindex mno-call-ms2sysv-xlogues
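Review bot: the added description is hard to parse and omits the mechanism the commit message relies on. "indirect branch track is disabled" should read "indirect branch tracking is disabled", and it should say how: the indirect jump is emitted with the NOTRACK prefix, so the case labels carry no ENDBR. The closing clause "which leads to the jump targets reachable via any indirect jumps" is not a sentence, and the point it is reaching for, that every case label then becomes a valid target for any indirect branch in the program, is the security cost of the option and deserves a plain statement, together with the commit message's guidance that the option is for environments where the NOTRACK prefix is disabled. Suggested text: "By default, the indirect jump of a switch statement that uses a jump table is emitted with the NOTRACK prefix, so it is not subject to indirect branch tracking and its targets carry no ENDBR. Since jump tables are stored in read-only memory, this does not result in a direct loss of hardening, but if the jump table index is attacker-controlled the indirect jump may not be constrained by CET. This option emits ENDBR at every jump table target and omits the NOTRACK prefix, which makes those targets reachable from any indirect jump; use it when the NOTRACK prefix is disabled." Also add @opindex mno-cet-switch next to @opindex mcet-switch, as the following -mcall-ms2sysv-xlogues entry does for its negative form.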