* [GCC 11 PATCH 1/5] x86: Remove "%!" before ret
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
2022-02-16 6:46 ` Hongtao Liu
2022-01-31 18:55 ` [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch] H.J. Lu
` (5 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC (permalink / raw)
To: gcc-patches
Before MPX was removed, "%!" was mapped to

    case '!':
      if (ix86_bnd_prefixed_insn_p (current_output_insn))
        fputs ("bnd ", file);
      return;

After CET was added and MPX was removed, "%!" was mapped to

    case '!':
      if (ix86_notrack_prefixed_insn_p (current_output_insn))
        fputs ("notrack ", file);
      return;

ix86_notrack_prefixed_insn_p always returns false on ret since the
notrack prefix is only for indirect branches. Remove the unused "%!"
before ret.

PR target/103307
* config/i386/i386.c (ix86_code_end): Remove "%!" before ret.
(ix86_output_function_return): Likewise.
* config/i386/i386.md (simple_return_pop_internal): Likewise.
(cherry picked from commit 8e410de43ce039bbe08f1e0195e3b6ec24f68cae)
---
gcc/config/i386/i386.c | 4 ++--
gcc/config/i386/i386.md | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 8e8c8beb366..4ba1a218ee6 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -6000,7 +6000,7 @@ ix86_code_end (void)
xops[0] = gen_rtx_REG (Pmode, regno);
xops[1] = gen_rtx_MEM (Pmode, stack_pointer_rtx);
output_asm_insn ("mov%z0\t{%1, %0|%0, %1}", xops);
- output_asm_insn ("%!ret", NULL);
+ fputs ("\tret\n", asm_out_file);
final_end_function ();
init_insn_lengths ();
free_after_compilation (cfun);
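Review bot: the replacement in ix86_code_end switches from output_asm_insn to a raw fputs ("\tret\n", asm_out_file), while the other two sites in this patch keep the template form ("ret" and "ret\t%0"). The commit message only explains dropping "%!"; please add a sentence on why this one site bypasses output_asm_insn, so the difference reads as intentional.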
@@ -16027,7 +16027,7 @@ ix86_output_function_return (bool long_p)
}
if (!long_p)
- return "%!ret";
+ return "ret";
return "rep%; ret";
}
diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
index db9dbf384ad..1aff2ac2a82 100644
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -13912,7 +13912,7 @@ (define_insn_and_split "simple_return_pop_internal"
[(simple_return)
(use (match_operand:SI 0 "const_int_operand"))]
"reload_completed"
- "%!ret\t%0"
+ "ret\t%0"
"&& cfun->machine->function_return_type != indirect_branch_keep"
[(const_int 0)]
"ix86_split_simple_return_pop_internal (operands[0]); DONE;"
--
2.34.1
* Re: [GCC 11 PATCH 1/5] x86: Remove "%!" before ret
2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
@ 2022-02-16 6:46 ` Hongtao Liu
0 siblings, 0 replies; 12+ messages in thread
From: Hongtao Liu @ 2022-02-16 6:46 UTC (permalink / raw)
To: H.J. Lu; +Cc: GCC Patches
On Tue, Feb 1, 2022 at 2:56 AM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Before MPX was removed, "%!" was mapped to
>
> case '!':
> if (ix86_bnd_prefixed_insn_p (current_output_insn))
> fputs ("bnd ", file);
> return;
>
> After CET was added and MPX was removed, "%!" was mapped to
>
> case '!':
> if (ix86_notrack_prefixed_insn_p (current_output_insn))
> fputs ("notrack ", file);
> return;
>
> ix86_notrack_prefixed_insn_p always returns false on ret since the
> notrack prefix is only for indirect branches. Remove the unused "%!"
> before ret.
The patch LGTM.
BTW This patch seems to be independent of straight-line-speculation mitigation.
>
> PR target/103307
> * config/i386/i386.c (ix86_code_end): Remove "%!" before ret.
> (ix86_output_function_return): Likewise.
> * config/i386/i386.md (simple_return_pop_internal): Likewise.
>
> (cherry picked from commit 8e410de43ce039bbe08f1e0195e3b6ec24f68cae)
> ---
> gcc/config/i386/i386.c | 4 ++--
> gcc/config/i386/i386.md | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
> index 8e8c8beb366..4ba1a218ee6 100644
> --- a/gcc/config/i386/i386.c
> +++ b/gcc/config/i386/i386.c
> @@ -6000,7 +6000,7 @@ ix86_code_end (void)
> xops[0] = gen_rtx_REG (Pmode, regno);
> xops[1] = gen_rtx_MEM (Pmode, stack_pointer_rtx);
> output_asm_insn ("mov%z0\t{%1, %0|%0, %1}", xops);
> - output_asm_insn ("%!ret", NULL);
> + fputs ("\tret\n", asm_out_file);
> final_end_function ();
> init_insn_lengths ();
> free_after_compilation (cfun);
> @@ -16027,7 +16027,7 @@ ix86_output_function_return (bool long_p)
> }
>
> if (!long_p)
> - return "%!ret";
> + return "ret";
>
> return "rep%; ret";
> }
> diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
> index db9dbf384ad..1aff2ac2a82 100644
> --- a/gcc/config/i386/i386.md
> +++ b/gcc/config/i386/i386.md
> @@ -13912,7 +13912,7 @@ (define_insn_and_split "simple_return_pop_internal"
> [(simple_return)
> (use (match_operand:SI 0 "const_int_operand"))]
> "reload_completed"
> - "%!ret\t%0"
> + "ret\t%0"
> "&& cfun->machine->function_return_type != indirect_branch_keep"
> [(const_int 0)]
> "ix86_split_simple_return_pop_internal (operands[0]); DONE;"
> --
> 2.34.1
>
--
BR,
Hongtao
* [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch]
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix H.J. Lu
` (4 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC (permalink / raw)
To: gcc-patches
Add -mharden-sls= to mitigate against straight line speculation (SLS)
for function return and indirect branch by adding an INT3 instruction
after function return and indirect branch.
gcc/
PR target/102952
* config/i386/i386-opts.h (harden_sls): New enum.
* config/i386/i386.c (output_indirect_thunk): Mitigate against
SLS for function return.
(ix86_output_function_return): Likewise.
(ix86_output_jmp_thunk_or_indirect): Mitigate against indirect
branch.
(ix86_output_indirect_jmp): Likewise.
(ix86_output_call_insn): Likewise.
* config/i386/i386.opt: Add -mharden-sls=.
* doc/invoke.texi: Document -mharden-sls=.
gcc/testsuite/
PR target/102952
* gcc.target/i386/harden-sls-1.c: New test.
* gcc.target/i386/harden-sls-2.c: Likewise.
* gcc.target/i386/harden-sls-3.c: Likewise.
* gcc.target/i386/harden-sls-4.c: Likewise.
* gcc.target/i386/harden-sls-5.c: Likewise.
(cherry picked from commit 53a643f8568067d7700a9f2facc8ba39974973d3)
---
gcc/config/i386/i386-opts.h | 7 +++++++
gcc/config/i386/i386.c | 21 +++++++++++++-------
gcc/config/i386/i386.opt | 20 +++++++++++++++++++
gcc/doc/invoke.texi | 10 +++++++++-
gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++++++++
gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++++++++
gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++++++++
gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 +++++++++++++++
gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 ++++++++++++++++
9 files changed, 125 insertions(+), 8 deletions(-)
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h
index de6e7e01661..e159019e904 100644
--- a/gcc/config/i386/i386-opts.h
+++ b/gcc/config/i386/i386-opts.h
@@ -125,4 +125,11 @@ enum instrument_return {
instrument_return_nop5
};
+enum harden_sls {
+ harden_sls_none = 0,
+ harden_sls_return = 1 << 0,
+ harden_sls_indirect_branch = 1 << 1,
+ harden_sls_all = harden_sls_return | harden_sls_indirect_branch
+};
+
#endif
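Review bot: enum harden_sls is added without a comment, and its values are bit flags (1 << 0, 1 << 1, with harden_sls_all as their OR) that the i386.c hunks test with "ix86_harden_sls & ...". Please add a short comment above the enum saying it is a mask and what each bit hardens, so nobody later adds a value that is not a distinct bit.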
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 4ba1a218ee6..f3c4991317d 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -5798,6 +5798,8 @@ output_indirect_thunk (unsigned int regno)
}
fputs ("\tret\n", asm_out_file);
+ if ((ix86_harden_sls & harden_sls_return))
+ fputs ("\tint3\n", asm_out_file);
}
/* Output a funtion with a call and return thunk for indirect branch.
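Review bot: the int3 added after the ret in output_indirect_thunk is gated on harden_sls_return only, yet the next hunk's context shows output_indirect_thunk (regno) is also reached from the else branch of ix86_output_jmp_thunk_or_indirect, i.e. for indirect branches. With -mharden-sls=indirect-branch alone that ret gets no int3. If every ret is meant to count as a return, say so in a comment here; the doubled parentheses in "if ((ix86_harden_sls & harden_sls_return))" can also go.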
@@ -15733,6 +15735,8 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
fprintf (asm_out_file, "\tjmp\t");
assemble_name (asm_out_file, thunk_name);
putc ('\n', asm_out_file);
+ if ((ix86_harden_sls & harden_sls_indirect_branch))
+ fputs ("\tint3\n", asm_out_file);
}
else
output_indirect_thunk (regno);
@@ -15955,10 +15959,10 @@ ix86_output_indirect_jmp (rtx call_op)
gcc_unreachable ();
ix86_output_indirect_branch (call_op, "%0", true);
- return "";
}
else
- return "%!jmp\t%A0";
+ output_asm_insn ("%!jmp\t%A0", &call_op);
+ return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : "";
}
/* Output return instrumentation for current function if needed. */
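Review bot: removing the early return "" in ix86_output_indirect_jmp makes the thunk path fall through to the final return as well, so "int3" is now returned after ix86_output_indirect_branch (call_op, "%0", true) too. If that call reaches ix86_output_jmp_thunk_or_indirect, which already writes int3 after the jmp (previous hunk), this path emits two int3 in a row. Please confirm whether that is intended; none of the added tests uses an indirect jmp that is not a call, so a test with a thunk option and an exact scan-assembler-times count would pin it down.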
@@ -16026,10 +16030,8 @@ ix86_output_function_return (bool long_p)
return "";
}
- if (!long_p)
- return "ret";
-
- return "rep%; ret";
+ output_asm_insn (long_p ? "rep%; ret" : "ret", nullptr);
+ return (ix86_harden_sls & harden_sls_return) ? "int3" : "";
}
/* Output indirect function return. RET_OP is the function return
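Review bot: output_asm_insn (long_p ? "rep%; ret" : "ret", nullptr) in ix86_output_function_return spells the null operand as nullptr, while the call removed in 1/5 passed NULL and the surrounding code compares against NULL (thunk_name != NULL). For a release-branch backport it is worth matching the file's existing spelling.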
@@ -16124,7 +16126,12 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op)
if (output_indirect_p && !direct_p)
ix86_output_indirect_branch (call_op, xasm, true);
else
- output_asm_insn (xasm, &call_op);
+ {
+ output_asm_insn (xasm, &call_op);
+ if (!direct_p
+ && (ix86_harden_sls & harden_sls_indirect_branch))
+ return "int3";
+ }
return "";
}
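Review bot: the new block in ix86_output_call_insn returns "int3" after output_asm_insn (xasm, &call_op) for any non-direct operand, and nothing in the hunk says that xasm is a jmp at this point. An int3 placed after a real call would be executed when the callee returns, and the tests only expect int3 after a jmp (harden-sls-4.c), so please add a comment stating that this is the tail-call jmp path.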
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index 7b8547bb1c3..bc401c197b5 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1113,6 +1113,26 @@ mrecord-return
Target Var(ix86_flag_record_return) Init(0)
Generate a __return_loc section pointing to all return instrumentation code.
+mharden-sls=
+Target RejectNegative Joined Enum(harden_sls) Var(ix86_harden_sls) Init(harden_sls_none)
+Generate code to mitigate against straight line speculation.
+
+Enum
+Name(harden_sls) Type(enum harden_sls)
+Known choices for mitigation against straight line speculation with -mharden-sls=:
+
+EnumValue
+Enum(harden_sls) String(none) Value(harden_sls_none)
+
+EnumValue
+Enum(harden_sls) String(return) Value(harden_sls_return)
+
+EnumValue
+Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch)
+
+EnumValue
+Enum(harden_sls) String(all) Value(harden_sls_all)
+
mavx512bf16
Target Mask(ISA2_AVX512BF16) Var(ix86_isa_flags2) Save
Support MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, AVX, AVX2, AVX512F and
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 5a4b3c6c234..1fe19800bde 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1409,7 +1409,7 @@ See RS/6000 and PowerPC Options.
-mstack-protector-guard-symbol=@var{symbol} @gol
-mgeneral-regs-only -mcall-ms2sysv-xlogues @gol
-mindirect-branch=@var{choice} -mfunction-return=@var{choice} @gol
--mindirect-branch-register -mneeded}
+-mindirect-branch-register -mharden-sls=@var{choice} -mneeded}
@emph{x86 Windows Options}
@gccoptlist{-mconsole -mcygwin -mno-cygwin -mdll @gol
@@ -31724,6 +31724,14 @@ not be reachable in the large code model.
@opindex mindirect-branch-register
Force indirect call and jump via register.
+@item -mharden-sls=@var{choice}
+@opindex mharden-sls
+Generate code to mitigate against straight line speculation (SLS) with
+@var{choice}. The default is @samp{none} which disables all SLS
+hardening. @samp{return} enables SLS hardening for function return.
+@samp{indirect-branch} enables SLS hardening for indirect branch.
+@samp{all} enables all SLS hardening.
+
@end table
These @samp{-m} switches are supported in addition to the above
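Review bot: the new @item for -mharden-sls= lists the choices but never says what the hardening consists of; the commit message states it is an INT3 instruction added after the function return or indirect branch. Please carry that sentence into the manual so users know what the option changes in the generated code.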
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-1.c b/gcc/testsuite/gcc.target/i386/harden-sls-1.c
new file mode 100644
index 00000000000..6f70dc94a23
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-1.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void foo (void);
+
+void
+bar (void)
+{
+ foo ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?foo" } } */
+/* { dg-final { scan-assembler-not {int3} } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-2.c b/gcc/testsuite/gcc.target/i386/harden-sls-2.c
new file mode 100644
index 00000000000..a7c59078d03
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-2.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+ fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-3.c b/gcc/testsuite/gcc.target/i386/harden-sls-3.c
new file mode 100644
index 00000000000..1a6056b6d7b
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-3.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+ fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */
+/* { dg-final { scan-assembler-times "int3" 2 } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-4.c b/gcc/testsuite/gcc.target/i386/harden-sls-4.c
new file mode 100644
index 00000000000..f70dd1379d3
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-4.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=keep -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+ fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*_?fptr" { target { ! x32 } } } } */
+/* { dg-final { scan-assembler "movl\[ \t\]+fptr\\(%rip\\), %eax" { target x32 } } } */
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rax" { target x32 } } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-5.c b/gcc/testsuite/gcc.target/i386/harden-sls-5.c
new file mode 100644
index 00000000000..613c44c6f82
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-5.c
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mno-indirect-branch-register -mfunction-return=keep -mindirect-branch=thunk-extern -mharden-sls=return" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+typedef void (*dispatch_t)(long offset);
+
+dispatch_t dispatch;
+
+int
+male_indirect_jump (long offset)
+{
+ dispatch(offset);
+ return 0;
+}
+
+/* { dg-final { scan-assembler-times "ret" 1 } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
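Review bot: scan-assembler-times "ret" 1 in harden-sls-5.c is an unanchored substring match, so it counts any occurrence of "ret" in the output, not only the instruction; a pattern such as "\tret" would be tighter. The function name male_indirect_jump also looks like a typo.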
--
2.34.1
* [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch] H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp H.J. Lu
` (3 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC (permalink / raw)
To: gcc-patches
Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
indirect thunk with branch target in r8-r15 registers so that the call
and jmp instruction length is 6 bytes to allow them to be replaced with
"lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
gcc/
PR target/102952
* config/i386/i386.c (ix86_output_jmp_thunk_or_indirect): Emit
CS prefix for -mindirect-branch-cs-prefix.
(ix86_output_indirect_branch_via_reg): Likewise.
* config/i386/i386.opt: Add -mindirect-branch-cs-prefix.
* doc/invoke.texi: Document -mindirect-branch-cs-prefix.
gcc/testsuite/
PR target/102952
* gcc.target/i386/indirect-thunk-cs-prefix-1.c: New test.
* gcc.target/i386/indirect-thunk-cs-prefix-2.c: Likewise.
(cherry picked from commit 2196a681d7810ad8b227bf983f38ba716620545e)
---
gcc/config/i386/i386.c | 6 ++++++
gcc/config/i386/i386.opt | 4 ++++
gcc/doc/invoke.texi | 10 +++++++++-
.../gcc.target/i386/indirect-thunk-cs-prefix-1.c | 14 ++++++++++++++
.../gcc.target/i386/indirect-thunk-cs-prefix-2.c | 15 +++++++++++++++
5 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index f3c4991317d..2643aa9480f 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -15732,6 +15732,9 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
{
if (thunk_name != NULL)
{
+ if (REX_INT_REGNO_P (regno)
+ && ix86_indirect_branch_cs_prefix)
+ fprintf (asm_out_file, "\tcs\n");
fprintf (asm_out_file, "\tjmp\t");
assemble_name (asm_out_file, thunk_name);
putc ('\n', asm_out_file);
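Review bot: the added fprintf (asm_out_file, "\tcs\n") in ix86_output_jmp_thunk_or_indirect carries no comment, and the reason for limiting it to REX_INT_REGNO_P (the 6-byte length needed so the jmp can be replaced with "lfence; jmp *%r8-r15" at run-time) lives only in the commit message. Please add that as a comment, and use fputs since there are no format arguments, as the int3 emission added in 2/5 does.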
@@ -15785,6 +15788,9 @@ ix86_output_indirect_branch_via_reg (rtx call_op, bool sibcall_p)
{
if (thunk_name != NULL)
{
+ if (REX_INT_REGNO_P (regno)
+ && ix86_indirect_branch_cs_prefix)
+ fprintf (asm_out_file, "\tcs\n");
fprintf (asm_out_file, "\tcall\t");
assemble_name (asm_out_file, thunk_name);
putc ('\n', asm_out_file);
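Review bot: these three added lines in ix86_output_indirect_branch_via_reg are identical to the ones added in ix86_output_jmp_thunk_or_indirect in the previous hunk. A small static helper taking regno would keep the condition in one place, so a later change to which registers get the prefix cannot update one site and miss the other.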
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index bc401c197b5..46010c2cc1d 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1072,6 +1072,10 @@ Enum(indirect_branch) String(thunk-inline) Value(indirect_branch_thunk_inline)
EnumValue
Enum(indirect_branch) String(thunk-extern) Value(indirect_branch_thunk_extern)
+mindirect-branch-cs-prefix
+Target Var(ix86_indirect_branch_cs_prefix) Init(0)
+Add CS prefix to call and jmp to indirect thunk with branch target in r8-r15 registers.
+
mindirect-branch-register
Target Var(ix86_indirect_branch_register) Init(0)
Force indirect call and jump via register.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 1fe19800bde..645189c2227 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1409,7 +1409,8 @@ See RS/6000 and PowerPC Options.
-mstack-protector-guard-symbol=@var{symbol} @gol
-mgeneral-regs-only -mcall-ms2sysv-xlogues @gol
-mindirect-branch=@var{choice} -mfunction-return=@var{choice} @gol
--mindirect-branch-register -mharden-sls=@var{choice} -mneeded}
+-mindirect-branch-register -mharden-sls=@var{choice} @gol
+-mindirect-branch-cs-prefix -mneeded}
@emph{x86 Windows Options}
@gccoptlist{-mconsole -mcygwin -mno-cygwin -mdll @gol
@@ -31732,6 +31733,13 @@ hardening. @samp{return} enables SLS hardening for function return.
@samp{indirect-branch} enables SLS hardening for indirect branch.
@samp{all} enables all SLS hardening.
+@item -mindirect-branch-cs-prefix
+@opindex mindirect-branch-cs-prefix
+Add CS prefix to call and jmp to indirect thunk with branch target in
+r8-r15 registers so that the call and jmp instruction length is 6 bytes
+to allow them to be replaced with @samp{lfence; call *%r8-r15} or
+@samp{lfence; jmp *%r8-r15} at run-time.
+
@end table
These @samp{-m} switches are supported in addition to the above
diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
new file mode 100644
index 00000000000..db2f3416823
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
@@ -0,0 +1,14 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+ fptr ();
+}
+
+/* { dg-final { scan-assembler-times "jmp\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */
+/* { dg-final { scan-assembler-times "\tcs" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
new file mode 100644
index 00000000000..adfc39a49d4
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
@@ -0,0 +1,15 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*bar) (void);
+
+int
+foo (void)
+{
+ bar ();
+ return 0;
+}
+
+/* { dg-final { scan-assembler-times "call\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */
+/* { dg-final { scan-assembler-times "\tcs" 1 } } */
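Review bot: both indirect-thunk-cs-prefix tests count "\tcs" and the thunk jmp/call separately, so they would still pass if the prefix were emitted somewhere other than directly before the branch. A single pattern that matches the cs line followed by the jmp or call would check the adjacency, and a third test without the -ffixed- options (target in rax) with scan-assembler-not would cover the REX_INT_REGNO_P condition.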
--
2.34.1
* [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
` (2 preceding siblings ...)
2022-01-31 18:55 ` [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
2022-01-31 18:55 ` [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return H.J. Lu
` (2 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC (permalink / raw)
To: gcc-patches
Indirect branch also includes indirect call instructions. Rename
-harden-sls=indirect-branch to -harden-sls=indirect-jmp to match its
intended behavior.
PR target/102952
* config/i386/i386-opts.h (harden_sls): Replace
harden_sls_indirect_branch with harden_sls_indirect_jmp.
* config/i386/i386.c (ix86_output_jmp_thunk_or_indirect):
Likewise.
(ix86_output_indirect_jmp): Likewise.
(ix86_output_call_insn): Likewise.
* config/i386/i386.opt: Replace indirect-branch with
indirect-jmp. Replace harden_sls_indirect_branch with
harden_sls_indirect_jmp.
* doc/invoke.texi (-harden-sls=): Replace indirect-branch with
indirect-jmp.
(cherry picked from commit ed8060950c64f2e449aaf90e438aa26d0d9d0b31)
---
gcc/config/i386/i386-opts.h | 4 ++--
gcc/config/i386/i386.c | 6 +++---
gcc/config/i386/i386.opt | 2 +-
gcc/doc/invoke.texi | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h
index e159019e904..ab1f658dab9 100644
--- a/gcc/config/i386/i386-opts.h
+++ b/gcc/config/i386/i386-opts.h
@@ -128,8 +128,8 @@ enum instrument_return {
enum harden_sls {
harden_sls_none = 0,
harden_sls_return = 1 << 0,
- harden_sls_indirect_branch = 1 << 1,
- harden_sls_all = harden_sls_return | harden_sls_indirect_branch
+ harden_sls_indirect_jmp = 1 << 1,
+ harden_sls_all = harden_sls_return | harden_sls_indirect_jmp
};
#endif
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 2643aa9480f..35dbe05aecd 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -15738,7 +15738,7 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
fprintf (asm_out_file, "\tjmp\t");
assemble_name (asm_out_file, thunk_name);
putc ('\n', asm_out_file);
- if ((ix86_harden_sls & harden_sls_indirect_branch))
+ if ((ix86_harden_sls & harden_sls_indirect_jmp))
fputs ("\tint3\n", asm_out_file);
}
else
@@ -15968,7 +15968,7 @@ ix86_output_indirect_jmp (rtx call_op)
}
else
output_asm_insn ("%!jmp\t%A0", &call_op);
- return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : "";
+ return (ix86_harden_sls & harden_sls_indirect_jmp) ? "int3" : "";
}
/* Output return instrumentation for current function if needed. */
@@ -16135,7 +16135,7 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op)
{
output_asm_insn (xasm, &call_op);
if (!direct_p
- && (ix86_harden_sls & harden_sls_indirect_branch))
+ && (ix86_harden_sls & harden_sls_indirect_jmp))
return "int3";
}
return "";
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index 46010c2cc1d..f62b0ebd3b4 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1132,7 +1132,7 @@ EnumValue
Enum(harden_sls) String(return) Value(harden_sls_return)
EnumValue
-Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch)
+Enum(harden_sls) String(indirect-jmp) Value(harden_sls_indirect_jmp)
EnumValue
Enum(harden_sls) String(all) Value(harden_sls_all)
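Review bot: the EnumValue change replaces String(indirect-branch) outright, so after this patch -mharden-sls=indirect-branch is no longer an accepted spelling, while 2/5 in the same series introduces it. For the backport, consider folding this rename into 2/5, or note the final spelling in changes.html, so the branch never documents a choice it then rejects.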
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 645189c2227..cf536a15116 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -31729,8 +31729,8 @@ Force indirect call and jump via register.
@opindex mharden-sls
Generate code to mitigate against straight line speculation (SLS) with
@var{choice}. The default is @samp{none} which disables all SLS
-hardening. @samp{return} enables SLS hardening for function return.
-@samp{indirect-branch} enables SLS hardening for indirect branch.
+hardening. @samp{return} enables SLS hardening for function returns.
+@samp{indirect-jmp} enables SLS hardening for indirect jumps.
@samp{all} enables all SLS hardening.
@item -mindirect-branch-cs-prefix
--
2.34.1
* [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
` (3 preceding siblings ...)
2022-01-31 18:55 ` [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
2022-02-01 7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
2022-02-16 7:01 ` Hongtao Liu
6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC (permalink / raw)
To: gcc-patches
Generate INT3 after indirect jmp in exception return for -fcf-protection
with -mharden-sls=indirect-jmp.
gcc/
PR target/103925
* config/i386/i386.c (ix86_output_indirect_function_return):
Generate INT3 after indirect jmp for -mharden-sls=indirect-jmp.
gcc/testsuite/
PR target/103925
* gcc.target/i386/harden-sls-6.c: New test.
(cherry picked from commit c2e5c4feed32c808591b5278f680bbabe63eb225)
---
gcc/config/i386/i386.c | 9 ++++++---
gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 ++++++++++++++++++
2 files changed, 24 insertions(+), 3 deletions(-)
create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 35dbe05aecd..e6261452365 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -16072,11 +16072,14 @@ ix86_output_indirect_function_return (rtx ret_op)
}
else
output_indirect_thunk (regno);
-
- return "";
}
else
- return "%!jmp\t%A0";
+ {
+ output_asm_insn ("%!jmp\t%A0", &ret_op);
+ if (ix86_harden_sls & harden_sls_indirect_jmp)
+ fputs ("\tint3\n", asm_out_file);
+ }
+ return "";
}
/* Output the assembly for a call instruction. */
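Review bot: in the new else block of ix86_output_indirect_function_return the int3 is written with fputs ("\tint3\n", asm_out_file), whereas ix86_output_indirect_jmp in 2/5 returns "int3" as the template. A one-line comment on why the trailer is emitted only on the plain jmp path here would help. harden-sls-6.c passes no -mindirect-branch= option, so only this else path is tested for __builtin_eh_return.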
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-6.c b/gcc/testsuite/gcc.target/i386/harden-sls-6.c
new file mode 100644
index 00000000000..9068eb64008
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-6.c
@@ -0,0 +1,18 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -fcf-protection -mharden-sls=indirect-jmp" } */
+
+struct _Unwind_Context _Unwind_Resume_or_Rethrow_this_context;
+
+void offset (int);
+
+struct _Unwind_Context {
+ void *reg[7];
+} _Unwind_Resume_or_Rethrow() {
+ struct _Unwind_Context cur_contextcur_context =
+ _Unwind_Resume_or_Rethrow_this_context;
+ offset(0);
+ __builtin_eh_return ((long) offset, 0);
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rcx" } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
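Review bot: the scan for "jmp\[ \t\]+\\*%rcx" in harden-sls-6.c hard-codes the register the allocator happens to pick, so an unrelated allocation change would fail the test; matching any register would test the same thing. The body also keeps reduction residue (cur_contextcur_context, a struct-returning function with no return statement) that could be trimmed to the __builtin_eh_return call.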
--
2.34.1
* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
` (4 preceding siblings ...)
2022-01-31 18:55 ` [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return H.J. Lu
@ 2022-02-01 7:21 ` Richard Biener
2022-02-01 16:59 ` H.J. Lu
2022-02-16 7:01 ` Hongtao Liu
6 siblings, 1 reply; 12+ messages in thread
From: Richard Biener @ 2022-02-01 7:21 UTC (permalink / raw)
To: H.J. Lu; +Cc: GCC Patches, Uros Bizjak
On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Backport -mindirect-branch-cs-prefix:
LGTM in case an x86 maintainer also acks this. Can you amend
the 10.3 release gcc-11/changes.html notes accordingly?
Thanks,
Richard.
> commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date: Wed Oct 27 06:27:15 2021 -0700
>
> x86: Add -mindirect-branch-cs-prefix
>
> Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> indirect thunk with branch target in r8-r15 registers so that the call
> and jmp instruction length is 6 bytes to allow them to be replaced with
> "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
>
> commit 63738e176726d31953deb03f7e32cf8b760735ac
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date: Wed Oct 27 07:48:54 2021 -0700
>
> x86: Add -mharden-sls=[none|all|return|indirect-branch]
>
> Add -mharden-sls= to mitigate against straight line speculation (SLS)
> for function return and indirect branch by adding an INT3 instruction
> after function return and indirect branch.
>
> and followup commits to support Linux kernel commits:
>
> commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> Author: Peter Zijlstra <peterz@infradead.org>
> Date: Sat Dec 4 14:43:44 2021 +0100
>
> x86: Add straight-line-speculation mitigation
>
> commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> Author: Peter Zijlstra <peterz@infradead.org>
> Date: Fri Nov 19 17:50:25 2021 +0100
>
> x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
>
> H.J. Lu (5):
> x86: Remove "%!" before ret
> x86: Add -mharden-sls=[none|all|return|indirect-branch]
> x86: Add -mindirect-branch-cs-prefix
> x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> x86: Generate INT3 for __builtin_eh_return
>
> gcc/config/i386/i386-opts.h | 7 ++++
> gcc/config/i386/i386.c | 38 +++++++++++++------
> gcc/config/i386/i386.md | 2 +-
> gcc/config/i386/i386.opt | 24 ++++++++++++
> gcc/doc/invoke.texi | 18 ++++++++-
> gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++
> gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++
> gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 +++++++++
> .../i386/indirect-thunk-cs-prefix-1.c | 14 +++++++
> .../i386/indirect-thunk-cs-prefix-2.c | 15 ++++++++
> 13 files changed, 198 insertions(+), 13 deletions(-)
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
>
> --
> 2.34.1
>
* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
2022-02-01 7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
@ 2022-02-01 16:59 ` H.J. Lu
2022-02-02 9:22 ` Richard Biener
0 siblings, 1 reply; 12+ messages in thread
From: H.J. Lu @ 2022-02-01 16:59 UTC (permalink / raw)
To: Richard Biener; +Cc: GCC Patches, Uros Bizjak
On Mon, Jan 31, 2022 at 11:21 PM Richard Biener
<richard.guenther@gmail.com> wrote:
>
> On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > Backport -mindirect-branch-cs-prefix:
>
> LGTM in case an x86 maintainer also acks this. Can you amend
> the 10.3 release gcc-11/changes.html notes accordingly?
Did you mean 11.3?
Here is the patch for gcc-12/changes.html:
https://gcc.gnu.org/pipermail/gcc-patches/2022-February/589600.html
> Thanks,
> Richard.
>
> > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date: Wed Oct 27 06:27:15 2021 -0700
> >
> > x86: Add -mindirect-branch-cs-prefix
> >
> > Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> > indirect thunk with branch target in r8-r15 registers so that the call
> > and jmp instruction length is 6 bytes to allow them to be replaced with
> > "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> >
> > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date: Wed Oct 27 07:48:54 2021 -0700
> >
> > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >
> > Add -mharden-sls= to mitigate against straight line speculation (SLS)
> > for function return and indirect branch by adding an INT3 instruction
> > after function return and indirect branch.
> >
> > and followup commits to support Linux kernel commits:
> >
> > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date: Sat Dec 4 14:43:44 2021 +0100
> >
> > x86: Add straight-line-speculation mitigation
> >
> > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date: Fri Nov 19 17:50:25 2021 +0100
> >
> > x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> >
> > H.J. Lu (5):
> > x86: Remove "%!" before ret
> > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > x86: Add -mindirect-branch-cs-prefix
> > x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> > x86: Generate INT3 for __builtin_eh_return
> >
> > gcc/config/i386/i386-opts.h | 7 ++++
> > gcc/config/i386/i386.c | 38 +++++++++++++------
> > gcc/config/i386/i386.md | 2 +-
> > gcc/config/i386/i386.opt | 24 ++++++++++++
> > gcc/doc/invoke.texi | 18 ++++++++-
> > gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 +++++++++
> > .../i386/indirect-thunk-cs-prefix-1.c | 14 +++++++
> > .../i386/indirect-thunk-cs-prefix-2.c | 15 ++++++++
> > 13 files changed, 198 insertions(+), 13 deletions(-)
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> >
> > --
> > 2.34.1
> >
--
H.J.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
2022-02-01 16:59 ` H.J. Lu
@ 2022-02-02 9:22 ` Richard Biener
0 siblings, 0 replies; 12+ messages in thread
From: Richard Biener @ 2022-02-02 9:22 UTC (permalink / raw)
To: H.J. Lu; +Cc: GCC Patches, Uros Bizjak
On Tue, Feb 1, 2022 at 5:59 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Mon, Jan 31, 2022 at 11:21 PM Richard Biener
> <richard.guenther@gmail.com> wrote:
> >
> > On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
> > <gcc-patches@gcc.gnu.org> wrote:
> > >
> > > Backport -mindirect-branch-cs-prefix:
> >
> > LGTM in case an x86 maintainer also acks this. Can you amend
> > the 10.3 release gcc-11/changes.html notes accordingly?
>
> Did you mean 11.3?
Yes, of course.
> Here is the patch for gcc-12/changes.html:
>
> https://gcc.gnu.org/pipermail/gcc-patches/2022-February/589600.html
>
> > Thanks,
> > Richard.
> >
> > > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > > Author: H.J. Lu <hjl.tools@gmail.com>
> > > Date: Wed Oct 27 06:27:15 2021 -0700
> > >
> > > x86: Add -mindirect-branch-cs-prefix
> > >
> > > Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> > > indirect thunk with branch target in r8-r15 registers so that the call
> > > and jmp instruction length is 6 bytes to allow them to be replaced with
> > > "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> > >
> > > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > > Author: H.J. Lu <hjl.tools@gmail.com>
> > > Date: Wed Oct 27 07:48:54 2021 -0700
> > >
> > > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > >
> > > Add -mharden-sls= to mitigate against straight line speculation (SLS)
> > > for function return and indirect branch by adding an INT3 instruction
> > > after function return and indirect branch.
> > >
> > > and followup commits to support Linux kernel commits:
> > >
> > > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > > Author: Peter Zijlstra <peterz@infradead.org>
> > > Date: Sat Dec 4 14:43:44 2021 +0100
> > >
> > > x86: Add straight-line-speculation mitigation
> > >
> > > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > > Author: Peter Zijlstra <peterz@infradead.org>
> > > Date: Fri Nov 19 17:50:25 2021 +0100
> > >
> > > x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> > >
> > > H.J. Lu (5):
> > > x86: Remove "%!" before ret
> > > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > > x86: Add -mindirect-branch-cs-prefix
> > > x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> > > x86: Generate INT3 for __builtin_eh_return
> > >
> > > gcc/config/i386/i386-opts.h | 7 ++++
> > > gcc/config/i386/i386.c | 38 +++++++++++++------
> > > gcc/config/i386/i386.md | 2 +-
> > > gcc/config/i386/i386.opt | 24 ++++++++++++
> > > gcc/doc/invoke.texi | 18 ++++++++-
> > > gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++
> > > gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++
> > > gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++
> > > gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++
> > > gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++
> > > gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 +++++++++
> > > .../i386/indirect-thunk-cs-prefix-1.c | 14 +++++++
> > > .../i386/indirect-thunk-cs-prefix-2.c | 15 ++++++++
> > > 13 files changed, 198 insertions(+), 13 deletions(-)
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> > > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> > >
> > > --
> > > 2.34.1
> > >
>
>
>
> --
> H.J.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
` (5 preceding siblings ...)
2022-02-01 7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
@ 2022-02-16 7:01 ` Hongtao Liu
2022-02-16 13:30 ` H.J. Lu
6 siblings, 1 reply; 12+ messages in thread
From: Hongtao Liu @ 2022-02-16 7:01 UTC (permalink / raw)
To: H.J. Lu; +Cc: GCC Patches
On Tue, Feb 1, 2022 at 2:55 AM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Backport -mindirect-branch-cs-prefix:
>
> commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date: Wed Oct 27 06:27:15 2021 -0700
>
> x86: Add -mindirect-branch-cs-prefix
>
> Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> indirect thunk with branch target in r8-r15 registers so that the call
> and jmp instruction length is 6 bytes to allow them to be replaced with
> "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
>
> commit 63738e176726d31953deb03f7e32cf8b760735ac
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date: Wed Oct 27 07:48:54 2021 -0700
>
> x86: Add -mharden-sls=[none|all|return|indirect-branch]
>
> Add -mharden-sls= to mitigate against straight line speculation (SLS)
> for function return and indirect branch by adding an INT3 instruction
> after function return and indirect branch.
>
> and followup commits to support Linux kernel commits:
>
> commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> Author: Peter Zijlstra <peterz@infradead.org>
> Date: Sat Dec 4 14:43:44 2021 +0100
>
> x86: Add straight-line-speculation mitigation
>
> commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> Author: Peter Zijlstra <peterz@infradead.org>
> Date: Fri Nov 19 17:50:25 2021 +0100
>
> x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
>
> H.J. Lu (5):
> x86: Remove "%!" before ret
> x86: Add -mharden-sls=[none|all|return|indirect-branch]
> x86: Add -mindirect-branch-cs-prefix
> x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> x86: Generate INT3 for __builtin_eh_return
The patch LGTM.
>
> gcc/config/i386/i386-opts.h | 7 ++++
> gcc/config/i386/i386.c | 38 +++++++++++++------
> gcc/config/i386/i386.md | 2 +-
> gcc/config/i386/i386.opt | 24 ++++++++++++
> gcc/doc/invoke.texi | 18 ++++++++-
> gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++
> gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++
> gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++
> gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 +++++++++
> .../i386/indirect-thunk-cs-prefix-1.c | 14 +++++++
> .../i386/indirect-thunk-cs-prefix-2.c | 15 ++++++++
> 13 files changed, 198 insertions(+), 13 deletions(-)
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
>
> --
> 2.34.1
>
--
BR,
Hongtao
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
2022-02-16 7:01 ` Hongtao Liu
@ 2022-02-16 13:30 ` H.J. Lu
0 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-02-16 13:30 UTC (permalink / raw)
To: Hongtao Liu; +Cc: GCC Patches
On Tue, Feb 15, 2022 at 10:52 PM Hongtao Liu <crazylht@gmail.com> wrote:
>
> On Tue, Feb 1, 2022 at 2:55 AM H.J. Lu via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > Backport -mindirect-branch-cs-prefix:
> >
> > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date: Wed Oct 27 06:27:15 2021 -0700
> >
> > x86: Add -mindirect-branch-cs-prefix
> >
> > Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> > indirect thunk with branch target in r8-r15 registers so that the call
> > and jmp instruction length is 6 bytes to allow them to be replaced with
> > "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> >
> > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date: Wed Oct 27 07:48:54 2021 -0700
> >
> > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >
> > Add -mharden-sls= to mitigate against straight line speculation (SLS)
> > for function return and indirect branch by adding an INT3 instruction
> > after function return and indirect branch.
> >
> > and followup commits to support Linux kernel commits:
> >
> > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date: Sat Dec 4 14:43:44 2021 +0100
> >
> > x86: Add straight-line-speculation mitigation
> >
> > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date: Fri Nov 19 17:50:25 2021 +0100
> >
> > x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> >
> > H.J. Lu (5):
> > x86: Remove "%!" before ret
> > x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > x86: Add -mindirect-branch-cs-prefix
> > x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> > x86: Generate INT3 for __builtin_eh_return
> The patch LGTM.
I am pushing this patch set into GCC 11 branch.
Thanks.
> >
> > gcc/config/i386/i386-opts.h | 7 ++++
> > gcc/config/i386/i386.c | 38 +++++++++++++------
> > gcc/config/i386/i386.md | 2 +-
> > gcc/config/i386/i386.opt | 24 ++++++++++++
> > gcc/doc/invoke.texi | 18 ++++++++-
> > gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++
> > gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 +++++++++
> > .../i386/indirect-thunk-cs-prefix-1.c | 14 +++++++
> > .../i386/indirect-thunk-cs-prefix-2.c | 15 ++++++++
> > 13 files changed, 198 insertions(+), 13 deletions(-)
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> > create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> >
> > --
> > 2.34.1
> >
>
>
> --
> BR,
> Hongtao
--
H.J.
^ permalink raw reply [flat|nested] 12+ messages in thread
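The instruction-length argument in the quoted -mindirect-branch-cs-prefix commit message, worked through as an added example (not part of the thread and not GCC's or the kernel's code): it encodes the branch to the thunk and the `lfence; call/jmp *%reg` replacement and compares their sizes. Function names are hypothetical, the rel32 displacement is a zero placeholder, and registers are numbered 0-15 with 8-15 meaning r8-r15.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode the direct branch to an indirect thunk: [2E] E8/E9 rel32.
   rel32 is left as zero; only the length matters here. */
static size_t encode_thunk_branch(uint8_t *out, int is_call, int cs_prefix)
{
    size_t n = 0;
    if (cs_prefix)
        out[n++] = 0x2E;                 /* CS segment-override prefix */
    out[n++] = is_call ? 0xE8 : 0xE9;    /* call rel32 / jmp rel32 */
    memset(out + n, 0, 4);               /* placeholder displacement */
    return n + 4;
}

/* Encode the run-time replacement: lfence; call/jmp *%reg (reg 0..15). */
static size_t encode_lfence_branch(uint8_t *out, int is_call, int reg)
{
    size_t n = 0;
    out[n++] = 0x0F; out[n++] = 0xAE; out[n++] = 0xE8;    /* lfence */
    if (reg >= 8)
        out[n++] = 0x41;                 /* REX.B selects r8-r15 */
    out[n++] = 0xFF;                     /* group 5: /2 = call, /4 = jmp */
    out[n++] = (uint8_t)((is_call ? 0xD0 : 0xE0) | (reg & 7));
    return n;
}

/* 1 if the replacement fits in the bytes emitted at the branch site. */
static int replacement_fits(int is_call, int reg, int cs_prefix)
{
    uint8_t site[8], repl[8];
    return encode_lfence_branch(repl, is_call, reg)
           <= encode_thunk_branch(site, is_call, cs_prefix);
}

int main(void)
{
    static const int regs[] = { 0, 7, 8, 15 };
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; i++)
        printf("reg %2d: fits without prefix=%d, with CS prefix=%d\n",
               regs[i], replacement_fits(1, regs[i], 0),
               replacement_fits(1, regs[i], 1));
    return 0;
}
```

For registers 0-7 the 5-byte replacement already fits the 5-byte `call rel32`; for r8-r15 the REX prefix makes it 6 bytes, which is why the extra CS prefix byte is only needed there.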