public inbox for gcc-cvs@sourceware.org
* [gcc r13-744] x86: Document -mcet-switch
@ 2022-05-24 16:06 H.J. Lu
  0 siblings, 0 replies; only message in thread
From: H.J. Lu @ 2022-05-24 16:06 UTC (permalink / raw)
  To: gcc-cvs

https://gcc.gnu.org/g:2f4f7de787e5844515d27b2269fc472f95a9916a

commit r13-744-g2f4f7de787e5844515d27b2269fc472f95a9916a
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Fri Mar 11 12:51:34 2022 -0800

    x86: Document -mcet-switch
    
    When -fcf-protection=branch is used, the compiler will generate jump
    tables for switch statements where the indirect jump is prefixed with
    the NOTRACK prefix, so it can jump to non-ENDBR targets.  Since the
    indirect jump targets are generated by the compiler and stored in
    read-only memory, this does not result in a direct loss of hardening.
    But if the jump table index is attacker-controlled, the indirect jump
    may not be constrained by CET.
    
    Document -mcet-switch to generate jump tables for switch statements with
    ENDBR and skip the NOTRACK prefix for indirect jump.  This option should
    be used when the NOTRACK prefix is disabled.
    
            PR target/104816
            * config/i386/i386.opt: Remove Undocumented.
            * doc/invoke.texi: Document -mcet-switch.

Diff:
---
 gcc/config/i386/i386.opt |  2 +-
 gcc/doc/invoke.texi      | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index a6b0e28f238..0dbaacb57ed 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
 Technology (CET).
 
 mcet-switch
-Target Undocumented Var(flag_cet_switch) Init(0)
+Target Var(flag_cet_switch) Init(0)
 Turn on CET instrumentation for switch statements that use a jump table and
 an indirect jump.
 
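Review bot: With "Undocumented" dropped from the mcet-switch record, the two-line description below it becomes the user-visible --help text, and "Turn on CET instrumentation" does not say what is actually emitted. The commit message is more precise (ENDBR at the jump table targets, no NOTRACK prefix on the indirect jump); consider rewording the help string along those lines so that it agrees with the new invoke.texi entry.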
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 8becba39522..a2f85f0a4ea 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1425,7 +1425,8 @@ See RS/6000 and PowerPC Options.
 -msse4a  -m3dnow  -m3dnowa  -mpopcnt  -mabm  -mbmi  -mtbm  -mfma4  -mxop @gol
 -madx  -mlzcnt  -mbmi2  -mfxsr  -mxsave  -mxsaveopt  -mrtm  -mhle  -mlwp @gol
 -mmwaitx  -mclzero  -mpku  -mthreads  -mgfni  -mvaes  -mwaitpkg @gol
--mshstk -mmanual-endbr -mforce-indirect-call  -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
+-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
+-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
 -mvpclmulqdq  -mavx512bitalg  -mmovdiri  -mmovdir64b  -mavx512vpopcntdq @gol
 -mavx5124fmaps  -mavx512vnni  -mavx5124vnniw  -mprfchw  -mrdpid @gol
 -mrdseed  -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
@@ -32724,6 +32725,17 @@ function attribute. This is useful when used with the option
 @option{-fcf-protection=branch} to control ENDBR insertion at the
 function entry.
 
+@item -mcet-switch
+@opindex mcet-switch
+By default, CET instrumentation is turned off on switch statements that
+use a jump table and indirect branch track is disabled.  Since jump
+tables are stored in read-only memory, this does not result in a direct
+loss of hardening.  But if the jump table index is attacker-controlled,
+the indirect jump may not be constrained by CET.  This option turns on
+CET instrumentation to enable indirect branch track for switch statements
+with jump tables which leads to the jump targets reachable via any indirect
+jumps.
+
 @item -mcall-ms2sysv-xlogues
 @opindex mcall-ms2sysv-xlogues
 @opindex mno-call-ms2sysv-xlogues
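Review bot: The new -mcet-switch entry never names the NOTRACK prefix or ENDBR and gives no guidance on when to enable the option, although the commit message states that it "should be used when the NOTRACK prefix is disabled". Consider carrying that sentence into the documentation and stating that the option is only relevant together with @option{-fcf-protection=branch}. The closing clause "which leads to the jump targets reachable via any indirect jumps" is also hard to parse; if the intent is that placing ENDBR at each jump table target makes it a valid target for any indirect jump, say so directly, since that is the trade-off a user has to weigh.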

