From patchwork Mon May 23 17:39:54 2022
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 54304
To: gcc-patches@gcc.gnu.org
Subject: [PATCH v3] x86: Document -mcet-switch
Date: Mon, 23 May 2022 10:39:54 -0700
Message-Id: <20220523173954.1979043-1-hjl.tools@gmail.com>
From: "H.J. Lu" Reply-To: "H.J. Lu" Cc: Florian Weimer , Richard Biener Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org Sender: "Gcc-patches" When -fcf-protection=branch is used, the compiler will generate jump tables for switch statements where the indirect jump is prefixed with the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the indirect jump targets are generated by the compiler and stored in read-only memory, this does not result in a direct loss of hardening. But if the jump table index is attacker-controlled, the indirect jump may not be constrained by CET. Document -mcet-switch to generate jump tables for switch statements with ENDBR and skip the NOTRACK prefix for indirect jump. This option should be used when the NOTRACK prefix is disabled. PR target/104816 * config/i386/i386.opt: Remove Undocumented. * doc/invoke.texi: Document -mcet-switch. --- gcc/config/i386/i386.opt | 2 +- gcc/doc/invoke.texi | 14 +++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt index a6b0e28f238..0dbaacb57ed 100644 --- a/gcc/config/i386/i386.opt +++ b/gcc/config/i386/i386.opt @@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement Technology (CET). mcet-switch -Target Undocumented Var(flag_cet_switch) Init(0) +Target Var(flag_cet_switch) Init(0) Turn on CET instrumentation for switch statements that use a jump table and an indirect jump. diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index d8095e3128f..1f38e91b50b 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi 
@@ -1425,7 +1425,8 @@ See RS/6000 and PowerPC Options. -msse4a -m3dnow -m3dnowa -mpopcnt -mabm -mbmi -mtbm -mfma4 -mxop @gol -madx -mlzcnt -mbmi2 -mfxsr -mxsave -mxsaveopt -mrtm -mhle -mlwp @gol -mmwaitx -mclzero -mpku -mthreads -mgfni -mvaes -mwaitpkg @gol --mshstk -mmanual-endbr -mforce-indirect-call -mavx512vbmi2 -mavx512bf16 -menqcmd @gol +-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol +-mavx512vbmi2 -mavx512bf16 -menqcmd @gol -mvpclmulqdq -mavx512bitalg -mmovdiri -mmovdir64b -mavx512vpopcntdq @gol -mavx5124fmaps -mavx512vnni -mavx5124vnniw -mprfchw -mrdpid @gol -mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol @@ -32719,6 +32720,17 @@ function attribute. This is useful when used with the option @option{-fcf-protection=branch} to control ENDBR insertion at the function entry. +@item -mcet-switch +@opindex mcet-switch +By default, CET instrumentation is turned off on switch statements that +use a jump table and indirect branch track is disabled. Since jump +tables are stored in read-only memory, this does not result in a direct +loss of hardening. But if the jump table index is attacker-controlled, +the indirect jump may not be constrained by CET. This option turns on +CET instrumentation to enable indirect branch track for switch statements +with jump tables which leads to the jump targets reachable via any indirect +jumps. + @item -mcall-ms2sysv-xlogues @opindex mcall-ms2sysv-xlogues @opindex mno-call-ms2sysv-xlogues
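Review bot: In the new "@item -mcet-switch" text in gcc/doc/invoke.texi, the closing sentence ("which leads to the jump targets reachable via any indirect jumps") is hard to parse and never names the mechanism the commit message spells out, namely ENDBR at the jump targets and no NOTRACK prefix on the indirect jump. Suggest stating it directly, for example: "This option generates jump tables for switch statements with ENDBR at each target and omits the NOTRACK prefix on the indirect jump; as a result the jump targets become reachable via any indirect jump." The commit message's guidance that the option should be used when the NOTRACK prefix is disabled is also absent from the documentation and belongs in this entry, since it tells the user when to turn the option on. Minor points in the same hunk: "indirect branch track" reads better as "indirect branch tracking", and the entry that follows lists both "@opindex mcall-ms2sysv-xlogues" and "@opindex mno-call-ms2sysv-xlogues", so consider adding "@opindex mno-cet-switch" if the negative form is accepted.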