public inbox for gcc-patches@gcc.gnu.org
* [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
@ 2022-01-31 18:55 H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
                   ` (6 more replies)
  0 siblings, 7 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Backport -mindirect-branch-cs-prefix:

commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Oct 27 06:27:15 2021 -0700

    x86: Add -mindirect-branch-cs-prefix

    Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
    indirect thunk with branch target in r8-r15 registers so that the call
    and jmp instruction length is 6 bytes to allow them to be replaced with
    "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.

commit 63738e176726d31953deb03f7e32cf8b760735ac
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Oct 27 07:48:54 2021 -0700

    x86: Add -mharden-sls=[none|all|return|indirect-branch]

    Add -mharden-sls= to mitigate against straight line speculation (SLS)
    for function return and indirect branch by adding an INT3 instruction
    after function return and indirect branch.

and followup commits to support Linux kernel commits:

commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Sat Dec 4 14:43:44 2021 +0100

    x86: Add straight-line-speculation mitigation

commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Nov 19 17:50:25 2021 +0100

    x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds

H.J. Lu (5):
  x86: Remove "%!" before ret
  x86: Add -mharden-sls=[none|all|return|indirect-branch]
  x86: Add -mindirect-branch-cs-prefix
  x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
  x86: Generate INT3 for __builtin_eh_return

 gcc/config/i386/i386-opts.h                   |  7 ++++
 gcc/config/i386/i386.c                        | 38 +++++++++++++------
 gcc/config/i386/i386.md                       |  2 +-
 gcc/config/i386/i386.opt                      | 24 ++++++++++++
 gcc/doc/invoke.texi                           | 18 ++++++++-
 gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
 gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
 gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
 gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
 .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
 .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
 13 files changed, 198 insertions(+), 13 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
 create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c

-- 
2.34.1
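
A build-audit check for the mitigation this cover letter describes, as an added example that is not part of the patch series or of GCC: it scans AT&T-syntax assembly text and reports every ret or indirect jmp that is not immediately followed by int3. The function names and both sample listings are constructed for illustration; the choice names follow the option spelling after patch 4/5.

```python
import re

_LABEL = re.compile(r"^(?:[\w.$]+:\s*)+")           # one or more "name:" prefixes
_RET = re.compile(r"^(?:rep\s*;?\s*)?ret[lqw]?\b")  # ret, retq, rep ret, ret $8
_IND_JMP = re.compile(r"^(?:notrack\s+)?jmp[lq]?\s+\*")
_THUNK_JMP = re.compile(r"^jmp[lq]?\s+_?__x86_indirect_thunk_\w+")

# Kinds of site checked for each -mharden-sls= choice.
CHOICES = {
    "none": set(),
    "return": {"return"},
    "indirect-jmp": {"indirect-jmp"},
    "all": {"return", "indirect-jmp"},
}

# Constructed listings modelled on what the harden-sls-*.c tests scan for.
# They are not real compiler output.
SAMPLE_UNHARDENED = (
    "\t.text\n"
    "foo:\n"
    "\tjmp\t*fptr(%rip)        # indirect tail call\n"
    "bar:\n"
    "\tcall\t*dispatch(%rip)\n"
    "\txorl\t%eax, %eax\n"
    "\tret\n"
    "baz:\n"
    "\tjmp\tqux                # direct jmp: not an SLS site\n"
)
SAMPLE_HARDENED = (
    "foo:\n"
    "\tjmp\t*fptr(%rip)\n"
    "\tint3\n"
    "bar:\n"
    "\tcall\t*dispatch(%rip)\n"
    "\txorl\t%eax, %eax\n"
    "\tret\n"
    "\tint3\n"
    "thunk_user:\n"
    "\tcs\n"
    "\tjmp\t__x86_indirect_thunk_r8\n"
    "\tint3\n"
)


def instructions(asm_text):
    """Yield (line_number, text) for each instruction line.

    Comments, labels and assembler directives are skipped, so the result is
    the order in which instructions are laid out in the file. Section
    switches are not tracked: the input is assumed to be one text section.
    """
    for lineno, raw in enumerate(asm_text.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()      # drop gas '#' comments
        text = _LABEL.sub("", text).strip()      # drop leading labels
        if not text or text.startswith("."):     # blank line or directive
            continue
        yield lineno, text


def classify(insn):
    """Return 'return', 'indirect-jmp' or None for one instruction."""
    if _RET.match(insn):
        return "return"
    if _IND_JMP.match(insn) or _THUNK_JMP.match(insn):
        return "indirect-jmp"
    return None  # direct jmp, call, and everything else


def audit_sls(asm_text, choice="all"):
    """List (line, kind, instruction) for sites lacking a trailing int3."""
    wanted = CHOICES[choice]
    insns = list(instructions(asm_text))
    findings = []
    for i, (lineno, insn) in enumerate(insns):
        kind = classify(insn)
        if kind not in wanted:
            continue
        following = insns[i + 1][1] if i + 1 < len(insns) else ""
        if following.split()[:1] != ["int3"]:
            findings.append((lineno, kind, insn))
    return findings


if __name__ == "__main__":
    for name, text in (("unhardened", SAMPLE_UNHARDENED),
                       ("hardened", SAMPLE_HARDENED)):
        print(name, audit_sls(text))
```

Indirect call instructions are deliberately not flagged, matching the series' own rename of the option value to indirect-jmp.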



* [GCC 11 PATCH 1/5] x86: Remove "%!" before ret
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
  2022-02-16  6:46   ` Hongtao Liu
  2022-01-31 18:55 ` [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch] H.J. Lu
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Before MPX was removed, "%!" was mapped to

        case '!':
          if (ix86_bnd_prefixed_insn_p (current_output_insn))
            fputs ("bnd ", file);
          return;

After CET was added and MPX was removed, "%!" was mapped to

        case '!':
          if (ix86_notrack_prefixed_insn_p (current_output_insn))
            fputs ("notrack ", file);
          return;

ix86_notrack_prefixed_insn_p always returns false on ret since the
notrack prefix is only for indirect branches.  Remove the unused "%!"
before ret.

	PR target/103307
	* config/i386/i386.c (ix86_code_end): Remove "%!" before ret.
	(ix86_output_function_return): Likewise.
	* config/i386/i386.md (simple_return_pop_internal): Likewise.

(cherry picked from commit 8e410de43ce039bbe08f1e0195e3b6ec24f68cae)
---
 gcc/config/i386/i386.c  | 4 ++--
 gcc/config/i386/i386.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 8e8c8beb366..4ba1a218ee6 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -6000,7 +6000,7 @@ ix86_code_end (void)
       xops[0] = gen_rtx_REG (Pmode, regno);
       xops[1] = gen_rtx_MEM (Pmode, stack_pointer_rtx);
       output_asm_insn ("mov%z0\t{%1, %0|%0, %1}", xops);
-      output_asm_insn ("%!ret", NULL);
+      fputs ("\tret\n", asm_out_file);
       final_end_function ();
       init_insn_lengths ();
       free_after_compilation (cfun);
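
Review bot: In ix86_code_end the ret is now written with fputs
("\tret\n", asm_out_file) instead of output_asm_insn, which is more
than the ChangeLog entry 'Remove "%!" before ret' says; the other two
sites in this patch keep a template string. Either keep
output_asm_insn ("ret", NULL) here or mention the switch to direct
emission in the ChangeLog so the reason is on record.
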
@@ -16027,7 +16027,7 @@ ix86_output_function_return (bool long_p)
     }
 
   if (!long_p)
-    return "%!ret";
+    return "ret";
 
   return "rep%; ret";
 }
diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
index db9dbf384ad..1aff2ac2a82 100644
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -13912,7 +13912,7 @@ (define_insn_and_split "simple_return_pop_internal"
   [(simple_return)
    (use (match_operand:SI 0 "const_int_operand"))]
   "reload_completed"
-  "%!ret\t%0"
+  "ret\t%0"
   "&& cfun->machine->function_return_type != indirect_branch_keep"
   [(const_int 0)]
   "ix86_split_simple_return_pop_internal (operands[0]); DONE;"
-- 
2.34.1



* [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch]
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix H.J. Lu
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Add -mharden-sls= to mitigate against straight line speculation (SLS)
for function return and indirect branch by adding an INT3 instruction
after function return and indirect branch.

gcc/

	PR target/102952
	* config/i386/i386-opts.h (harden_sls): New enum.
	* config/i386/i386.c (output_indirect_thunk): Mitigate against
	SLS for function return.
	(ix86_output_function_return): Likewise.
	(ix86_output_jmp_thunk_or_indirect): Mitigate against indirect
	branch.
	(ix86_output_indirect_jmp): Likewise.
	(ix86_output_call_insn): Likewise.
	* config/i386/i386.opt: Add -mharden-sls=.
	* doc/invoke.texi: Document -mharden-sls=.

gcc/testsuite/

	PR target/102952
	* gcc.target/i386/harden-sls-1.c: New test.
	* gcc.target/i386/harden-sls-2.c: Likewise.
	* gcc.target/i386/harden-sls-3.c: Likewise.
	* gcc.target/i386/harden-sls-4.c: Likewise.
	* gcc.target/i386/harden-sls-5.c: Likewise.

(cherry picked from commit 53a643f8568067d7700a9f2facc8ba39974973d3)
---
 gcc/config/i386/i386-opts.h                  |  7 +++++++
 gcc/config/i386/i386.c                       | 21 +++++++++++++-------
 gcc/config/i386/i386.opt                     | 20 +++++++++++++++++++
 gcc/doc/invoke.texi                          | 10 +++++++++-
 gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 +++++++++++++++
 gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 ++++++++++++++++
 9 files changed, 125 insertions(+), 8 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c

diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h
index de6e7e01661..e159019e904 100644
--- a/gcc/config/i386/i386-opts.h
+++ b/gcc/config/i386/i386-opts.h
@@ -125,4 +125,11 @@ enum instrument_return {
   instrument_return_nop5
 };
 
+enum harden_sls {
+  harden_sls_none = 0,
+  harden_sls_return = 1 << 0,
+  harden_sls_indirect_branch = 1 << 1,
+  harden_sls_all = harden_sls_return | harden_sls_indirect_branch
+};
+
 #endif
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 4ba1a218ee6..f3c4991317d 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -5798,6 +5798,8 @@ output_indirect_thunk (unsigned int regno)
     }
 
   fputs ("\tret\n", asm_out_file);
+  if ((ix86_harden_sls & harden_sls_return))
+    fputs ("\tint3\n", asm_out_file);
 }
 
 /* Output a funtion with a call and return thunk for indirect branch.
@@ -15733,6 +15735,8 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
       fprintf (asm_out_file, "\tjmp\t");
       assemble_name (asm_out_file, thunk_name);
       putc ('\n', asm_out_file);
+      if ((ix86_harden_sls & harden_sls_indirect_branch))
+	fputs ("\tint3\n", asm_out_file);
     }
   else
     output_indirect_thunk (regno);
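
Review bot: The int3 in ix86_output_jmp_thunk_or_indirect is added only
in the thunk_name != NULL branch; the else branch calls
output_indirect_thunk (regno), whose trailing int3 (previous hunk) is
gated on harden_sls_return, not harden_sls_indirect_branch. With
-mharden-sls=indirect-branch alone an inline thunk therefore ends
without int3. If that is intended because the thunk ends in ret, say so
in a comment; otherwise test both bits in output_indirect_thunk.
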
@@ -15955,10 +15959,10 @@ ix86_output_indirect_jmp (rtx call_op)
 	gcc_unreachable ();
 
       ix86_output_indirect_branch (call_op, "%0", true);
-      return "";
     }
   else
-    return "%!jmp\t%A0";
+    output_asm_insn ("%!jmp\t%A0", &call_op);
+  return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : "";
 }
 
 /* Output return instrumentation for current function if needed.  */
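
Review bot: The new final return in ix86_output_indirect_jmp is reached
from both branches, so the thunk path that calls
ix86_output_indirect_branch (call_op, "%0", true) also gets "int3"
appended. If that call ends up in ix86_output_jmp_thunk_or_indirect,
which already emits int3 after the jmp to the thunk, the output has two
int3 in a row. None of the harden-sls-*.c tests cover a non-call
indirect jmp with -mindirect-branch=thunk; either return "" from the
thunk branch or add a test that pins the count.
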
@@ -16026,10 +16030,8 @@ ix86_output_function_return (bool long_p)
       return "";
     }
 
-  if (!long_p)
-    return "ret";
-
-  return "rep%; ret";
+  output_asm_insn (long_p ? "rep%; ret" : "ret", nullptr);
+  return (ix86_harden_sls & harden_sls_return) ? "int3" : "";
 }
 
 /* Output indirect function return.  RET_OP is the function return
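
Review bot: ix86_output_function_return now emits the ret itself with
output_asm_insn and returns only what follows it, and it passes nullptr
where the rest of this file uses NULL (for example thunk_name != NULL).
Use NULL for consistency on this branch and add a short comment that
the returned template is the instruction after the ret, not the ret.
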
@@ -16124,7 +16126,12 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op)
       if (output_indirect_p && !direct_p)
 	ix86_output_indirect_branch (call_op, xasm, true);
       else
-	output_asm_insn (xasm, &call_op);
+	{
+	  output_asm_insn (xasm, &call_op);
+	  if (!direct_p
+	      && (ix86_harden_sls & harden_sls_indirect_branch))
+	    return "int3";
+	}
       return "";
     }
 
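
Review bot: The !direct_p test in front of return "int3" has no
comment, and it is the only thing that keeps a direct jmp from getting
a trap (harden-sls-1.c checks for exactly that). Add a one-line comment
stating that only the indirect form is an SLS site here.
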
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index 7b8547bb1c3..bc401c197b5 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1113,6 +1113,26 @@ mrecord-return
 Target Var(ix86_flag_record_return) Init(0)
 Generate a __return_loc section pointing to all return instrumentation code.
 
+mharden-sls=
+Target RejectNegative Joined Enum(harden_sls) Var(ix86_harden_sls) Init(harden_sls_none)
+Generate code to mitigate against straight line speculation.
+
+Enum
+Name(harden_sls) Type(enum harden_sls)
+Known choices for mitigation against straight line speculation with -mharden-sls=:
+
+EnumValue
+Enum(harden_sls) String(none) Value(harden_sls_none)
+
+EnumValue
+Enum(harden_sls) String(return) Value(harden_sls_return)
+
+EnumValue
+Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch)
+
+EnumValue
+Enum(harden_sls) String(all) Value(harden_sls_all)
+
 mavx512bf16
 Target Mask(ISA2_AVX512BF16) Var(ix86_isa_flags2) Save
 Support MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, AVX, AVX2, AVX512F and
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 5a4b3c6c234..1fe19800bde 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1409,7 +1409,7 @@ See RS/6000 and PowerPC Options.
 -mstack-protector-guard-symbol=@var{symbol} @gol
 -mgeneral-regs-only  -mcall-ms2sysv-xlogues @gol
 -mindirect-branch=@var{choice}  -mfunction-return=@var{choice} @gol
--mindirect-branch-register -mneeded}
+-mindirect-branch-register -mharden-sls=@var{choice} -mneeded}
 
 @emph{x86 Windows Options}
 @gccoptlist{-mconsole  -mcygwin  -mno-cygwin  -mdll @gol
@@ -31724,6 +31724,14 @@ not be reachable in the large code model.
 @opindex mindirect-branch-register
 Force indirect call and jump via register.
 
+@item -mharden-sls=@var{choice}
+@opindex mharden-sls
+Generate code to mitigate against straight line speculation (SLS) with
+@var{choice}.  The default is @samp{none} which disables all SLS
+hardening.  @samp{return} enables SLS hardening for function return.
+@samp{indirect-branch} enables SLS hardening for indirect branch.
+@samp{all} enables all SLS hardening.
+
 @end table
 
 These @samp{-m} switches are supported in addition to the above
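
Review bot: The new @item text never says what the hardening consists
of; the commit message does (an INT3 instruction after the function
return or indirect branch). Put that sentence in the documentation.
Patch 4/5 later renames @samp{indirect-branch} because indirect calls
are not covered, so the text added here should already state that
limit.
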
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-1.c b/gcc/testsuite/gcc.target/i386/harden-sls-1.c
new file mode 100644
index 00000000000..6f70dc94a23
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-1.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void foo (void);
+
+void
+bar (void)
+{
+  foo ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?foo" } } */
+/* { dg-final { scan-assembler-not {int3} } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-2.c b/gcc/testsuite/gcc.target/i386/harden-sls-2.c
new file mode 100644
index 00000000000..a7c59078d03
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-2.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+  fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-3.c b/gcc/testsuite/gcc.target/i386/harden-sls-3.c
new file mode 100644
index 00000000000..1a6056b6d7b
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-3.c
@@ -0,0 +1,14 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=thunk -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+  fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */
+/* { dg-final { scan-assembler-times "int3" 2 } } */
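
Review bot: scan-assembler-times "int3" 2 gives no hint where the two
come from. A comment in the test saying which instruction each int3 is
expected to follow (the jmp to the thunk, and the ret that
output_indirect_thunk emits) would make a future count mismatch much
easier to read.
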
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-4.c b/gcc/testsuite/gcc.target/i386/harden-sls-4.c
new file mode 100644
index 00000000000..f70dd1379d3
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-4.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mindirect-branch=keep -mharden-sls=all" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+  fptr ();
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*_?fptr" { target { ! x32 } } } } */
+/* { dg-final { scan-assembler "movl\[ \t\]+fptr\\(%rip\\), %eax" { target x32 } } } */
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rax" { target x32 } } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-5.c b/gcc/testsuite/gcc.target/i386/harden-sls-5.c
new file mode 100644
index 00000000000..613c44c6f82
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-5.c
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -mno-indirect-branch-register -mfunction-return=keep -mindirect-branch=thunk-extern -mharden-sls=return" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+typedef void (*dispatch_t)(long offset);
+
+dispatch_t dispatch;
+
+int
+male_indirect_jump (long offset)
+{
+  dispatch(offset);
+  return 0;
+}
+
+/* { dg-final { scan-assembler-times "ret" 1 } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
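
Review bot: male_indirect_jump looks like a typo for
make_indirect_jump, and scan-assembler-times "ret" 1 is an unanchored
match that also counts any symbol, directive or comment containing the
letters ret. Anchor it, for example "\tret", so the count means one ret
instruction.
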
-- 
2.34.1



* [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 2/5] x86: Add -mharden-sls=[none|all|return|indirect-branch] H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp H.J. Lu
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
indirect thunk with branch target in r8-r15 registers so that the call
and jmp instruction length is 6 bytes to allow them to be replaced with
"lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.

gcc/

	PR target/102952
	* config/i386/i386.c (ix86_output_jmp_thunk_or_indirect): Emit
	CS prefix for -mindirect-branch-cs-prefix.
	(ix86_output_indirect_branch_via_reg): Likewise.
	* config/i386/i386.opt: Add -mindirect-branch-cs-prefix.
	* doc/invoke.texi: Document -mindirect-branch-cs-prefix.

gcc/testsuite/

	PR target/102952
	* gcc.target/i386/indirect-thunk-cs-prefix-1.c: New test.
	* gcc.target/i386/indirect-thunk-cs-prefix-2.c: Likewise.

(cherry picked from commit 2196a681d7810ad8b227bf983f38ba716620545e)
---
 gcc/config/i386/i386.c                            |  6 ++++++
 gcc/config/i386/i386.opt                          |  4 ++++
 gcc/doc/invoke.texi                               | 10 +++++++++-
 .../gcc.target/i386/indirect-thunk-cs-prefix-1.c  | 14 ++++++++++++++
 .../gcc.target/i386/indirect-thunk-cs-prefix-2.c  | 15 +++++++++++++++
 5 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index f3c4991317d..2643aa9480f 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -15732,6 +15732,9 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
 {
   if (thunk_name != NULL)
     {
+      if (REX_INT_REGNO_P (regno)
+	  && ix86_indirect_branch_cs_prefix)
+	fprintf (asm_out_file, "\tcs\n");
       fprintf (asm_out_file, "\tjmp\t");
       assemble_name (asm_out_file, thunk_name);
       putc ('\n', asm_out_file);
@@ -15785,6 +15788,9 @@ ix86_output_indirect_branch_via_reg (rtx call_op, bool sibcall_p)
     {
       if (thunk_name != NULL)
 	{
+	  if (REX_INT_REGNO_P (regno)
+	      && ix86_indirect_branch_cs_prefix)
+	    fprintf (asm_out_file, "\tcs\n");
 	  fprintf (asm_out_file, "\tcall\t");
 	  assemble_name (asm_out_file, thunk_name);
 	  putc ('\n', asm_out_file);
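
Review bot: The REX_INT_REGNO_P (regno) && ix86_indirect_branch_cs_prefix
test and its fprintf are duplicated verbatim from the previous hunk in
ix86_output_jmp_thunk_or_indirect. Factor them into a small helper that
carries the reason from the commit message as a comment (making the
call/jmp 6 bytes long so it can be replaced at run-time), and use fputs
since there is no format argument.
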
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index bc401c197b5..46010c2cc1d 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1072,6 +1072,10 @@ Enum(indirect_branch) String(thunk-inline) Value(indirect_branch_thunk_inline)
 EnumValue
 Enum(indirect_branch) String(thunk-extern) Value(indirect_branch_thunk_extern)
 
+mindirect-branch-cs-prefix
+Target Var(ix86_indirect_branch_cs_prefix) Init(0)
+Add CS prefix to call and jmp to indirect thunk with branch target in r8-r15 registers.
+
 mindirect-branch-register
 Target Var(ix86_indirect_branch_register) Init(0)
 Force indirect call and jump via register.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 1fe19800bde..645189c2227 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1409,7 +1409,8 @@ See RS/6000 and PowerPC Options.
 -mstack-protector-guard-symbol=@var{symbol} @gol
 -mgeneral-regs-only  -mcall-ms2sysv-xlogues @gol
 -mindirect-branch=@var{choice}  -mfunction-return=@var{choice} @gol
--mindirect-branch-register -mharden-sls=@var{choice} -mneeded}
+-mindirect-branch-register -mharden-sls=@var{choice} @gol
+-mindirect-branch-cs-prefix -mneeded}
 
 @emph{x86 Windows Options}
 @gccoptlist{-mconsole  -mcygwin  -mno-cygwin  -mdll @gol
@@ -31732,6 +31733,13 @@ hardening.  @samp{return} enables SLS hardening for function return.
 @samp{indirect-branch} enables SLS hardening for indirect branch.
 @samp{all} enables all SLS hardening.
 
+@item -mindirect-branch-cs-prefix
+@opindex mindirect-branch-cs-prefix
+Add CS prefix to call and jmp to indirect thunk with branch target in
+r8-r15 registers so that the call and jmp instruction length is 6 bytes
+to allow them to be replaced with @samp{lfence; call *%r8-r15} or
+@samp{lfence; jmp *%r8-r15} at run-time.
+
 @end table
 
 These @samp{-m} switches are supported in addition to the above
diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
new file mode 100644
index 00000000000..db2f3416823
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
@@ -0,0 +1,14 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*fptr) (void);
+
+void
+foo (void)
+{
+  fptr ();
+}
+
+/* { dg-final { scan-assembler-times "jmp\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */
+/* { dg-final { scan-assembler-times "\tcs" 1 } } */
diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
new file mode 100644
index 00000000000..adfc39a49d4
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
@@ -0,0 +1,15 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */
+/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */
+
+extern void (*bar) (void);
+
+int
+foo (void)
+{
+  bar ();
+  return 0;
+}
+
+/* { dg-final { scan-assembler-times "call\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */
+/* { dg-final { scan-assembler-times "\tcs" 1 } } */
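
Review bot: Both new tests fix rax, rbx, rcx, rdx, rdi and rsi so the
branch target lands in r8-r15, which covers only the positive case. Add
a test without the -ffixed-* options and with scan-assembler-not "\tcs"
so the REX_INT_REGNO_P condition is checked in both directions.
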
-- 
2.34.1



* [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
                   ` (2 preceding siblings ...)
  2022-01-31 18:55 ` [GCC 11 PATCH 3/5] x86: Add -mindirect-branch-cs-prefix H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
  2022-01-31 18:55 ` [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return H.J. Lu
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Indirect branch also includes indirect call instructions.  Rename
-harden-sls=indirect-branch to -harden-sls=indirect-jmp to match its
intended behavior.

	PR target/102952
	* config/i386/i386-opts.h (harden_sls): Replace
	harden_sls_indirect_branch with harden_sls_indirect_jmp.
	* config/i386/i386.c (ix86_output_jmp_thunk_or_indirect):
	Likewise.
	(ix86_output_indirect_jmp): Likewise.
	(ix86_output_call_insn): Likewise.
	* config/i386/i386.opt: Replace indirect-branch with
	indirect-jmp.  Replace harden_sls_indirect_branch with
	harden_sls_indirect_jmp.
	* doc/invoke.texi (-harden-sls=): Replace indirect-branch with
	indirect-jmp.

(cherry picked from commit ed8060950c64f2e449aaf90e438aa26d0d9d0b31)
---
 gcc/config/i386/i386-opts.h | 4 ++--
 gcc/config/i386/i386.c      | 6 +++---
 gcc/config/i386/i386.opt    | 2 +-
 gcc/doc/invoke.texi         | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h
index e159019e904..ab1f658dab9 100644
--- a/gcc/config/i386/i386-opts.h
+++ b/gcc/config/i386/i386-opts.h
@@ -128,8 +128,8 @@ enum instrument_return {
 enum harden_sls {
   harden_sls_none = 0,
   harden_sls_return = 1 << 0,
-  harden_sls_indirect_branch = 1 << 1,
-  harden_sls_all = harden_sls_return | harden_sls_indirect_branch
+  harden_sls_indirect_jmp = 1 << 1,
+  harden_sls_all = harden_sls_return | harden_sls_indirect_jmp
 };
 
 #endif
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 2643aa9480f..35dbe05aecd 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -15738,7 +15738,7 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, const int regno)
       fprintf (asm_out_file, "\tjmp\t");
       assemble_name (asm_out_file, thunk_name);
       putc ('\n', asm_out_file);
-      if ((ix86_harden_sls & harden_sls_indirect_branch))
+      if ((ix86_harden_sls & harden_sls_indirect_jmp))
 	fputs ("\tint3\n", asm_out_file);
     }
   else
@@ -15968,7 +15968,7 @@ ix86_output_indirect_jmp (rtx call_op)
     }
   else
     output_asm_insn ("%!jmp\t%A0", &call_op);
-  return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : "";
+  return (ix86_harden_sls & harden_sls_indirect_jmp) ? "int3" : "";
 }
 
 /* Output return instrumentation for current function if needed.  */
@@ -16135,7 +16135,7 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op)
 	{
 	  output_asm_insn (xasm, &call_op);
 	  if (!direct_p
-	      && (ix86_harden_sls & harden_sls_indirect_branch))
+	      && (ix86_harden_sls & harden_sls_indirect_jmp))
 	    return "int3";
 	}
       return "";
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index 46010c2cc1d..f62b0ebd3b4 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1132,7 +1132,7 @@ EnumValue
 Enum(harden_sls) String(return) Value(harden_sls_return)
 
 EnumValue
-Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch)
+Enum(harden_sls) String(indirect-jmp) Value(harden_sls_indirect_jmp)
 
 EnumValue
 Enum(harden_sls) String(all) Value(harden_sls_all)
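
Review bot: String(indirect-branch) is replaced outright, so
-mharden-sls=indirect-branch is rejected once this patch is applied on
top of 2/5. On a release branch please confirm that 2/5 and 4/5 are
pushed together so the old spelling never ships, or keep it as an
accepted alias.
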
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 645189c2227..cf536a15116 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -31729,8 +31729,8 @@ Force indirect call and jump via register.
 @opindex mharden-sls
 Generate code to mitigate against straight line speculation (SLS) with
 @var{choice}.  The default is @samp{none} which disables all SLS
-hardening.  @samp{return} enables SLS hardening for function return.
-@samp{indirect-branch} enables SLS hardening for indirect branch.
+hardening.  @samp{return} enables SLS hardening for function returns.
+@samp{indirect-jmp} enables SLS hardening for indirect jumps.
 @samp{all} enables all SLS hardening.
 
 @item -mindirect-branch-cs-prefix
-- 
2.34.1



* [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
                   ` (3 preceding siblings ...)
  2022-01-31 18:55 ` [GCC 11 PATCH 4/5] x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp H.J. Lu
@ 2022-01-31 18:55 ` H.J. Lu
  2022-02-01  7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
  2022-02-16  7:01 ` Hongtao Liu
  6 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-01-31 18:55 UTC
  To: gcc-patches

Generate INT3 after indirect jmp in exception return for -fcf-protection
with -mharden-sls=indirect-jmp.

gcc/

	PR target/103925
	* config/i386/i386.c (ix86_output_indirect_function_return):
	Generate INT3 after indirect jmp for -mharden-sls=indirect-jmp.

gcc/testsuite/

	PR target/103925
	* gcc.target/i386/harden-sls-6.c: New test.

(cherry picked from commit c2e5c4feed32c808591b5278f680bbabe63eb225)
---
 gcc/config/i386/i386.c                       |  9 ++++++---
 gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index 35dbe05aecd..e6261452365 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -16072,11 +16072,14 @@ ix86_output_indirect_function_return (rtx ret_op)
 	}
       else
 	output_indirect_thunk (regno);
-
-      return "";
     }
   else
-    return "%!jmp\t%A0";
+    {
+      output_asm_insn ("%!jmp\t%A0", &ret_op);
+      if (ix86_harden_sls & harden_sls_indirect_jmp)
+	fputs ("\tint3\n", asm_out_file);
+    }
+  return "";
 }
 
 /* Output the assembly for a call instruction.  */
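
Review bot: In ix86_output_indirect_function_return the int3 is written
with fputs inside the else branch only, while ix86_output_indirect_jmp
(2/5) returns "int3" after both of its branches. The two functions
should treat the thunk path the same way; the form used here avoids
appending a second trap after the thunk, so consider aligning
ix86_output_indirect_jmp with it.
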
diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-6.c b/gcc/testsuite/gcc.target/i386/harden-sls-6.c
new file mode 100644
index 00000000000..9068eb64008
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/harden-sls-6.c
@@ -0,0 +1,18 @@
+/* { dg-do compile { target { ! ia32 } } } */
+/* { dg-options "-O2 -fcf-protection -mharden-sls=indirect-jmp" } */
+
+struct _Unwind_Context _Unwind_Resume_or_Rethrow_this_context;
+
+void offset (int);
+
+struct _Unwind_Context {
+  void *reg[7];
+} _Unwind_Resume_or_Rethrow() {
+  struct _Unwind_Context cur_contextcur_context =
+      _Unwind_Resume_or_Rethrow_this_context;
+  offset(0);
+  __builtin_eh_return ((long) offset, 0);
+}
+
+/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rcx" } } */
+/* { dg-final { scan-assembler-times "int3" 1 } } */
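
Review bot: The test body is a reduced reproducer with leftover names
(cur_contextcur_context is never used) and no comment tying it to
PR target/103925. Add a leading comment with the PR number. The scan
for "jmp\[ \t\]+\\*%rcx" also hard-codes the register, which will fail
on an unrelated register-allocation change; match any register if rcx
is not the point of the test.
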
-- 
2.34.1



* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
                   ` (4 preceding siblings ...)
  2022-01-31 18:55 ` [GCC 11 PATCH 5/5] x86: Generate INT3 for __builtin_eh_return H.J. Lu
@ 2022-02-01  7:21 ` Richard Biener
  2022-02-01 16:59   ` H.J. Lu
  2022-02-16  7:01 ` Hongtao Liu
  6 siblings, 1 reply; 12+ messages in thread
From: Richard Biener @ 2022-02-01  7:21 UTC
  To: H.J. Lu; +Cc: GCC Patches, Uros Bizjak

On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Backport -mindirect-branch-cs-prefix:

LGTM in case a x86 maintainer also acks this.  Can you amend
the 10.3 release gcc-11/changes.html notes accordingly?

Thanks,
Richard.

> commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date:   Wed Oct 27 06:27:15 2021 -0700
>
>     x86: Add -mindirect-branch-cs-prefix
>
>     Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
>     indirect thunk with branch target in r8-r15 registers so that the call
>     and jmp instruction length is 6 bytes to allow them to be replaced with
>     "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
>
> commit 63738e176726d31953deb03f7e32cf8b760735ac
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date:   Wed Oct 27 07:48:54 2021 -0700
>
>     x86: Add -mharden-sls=[none|all|return|indirect-branch]
>
>     Add -mharden-sls= to mitigate against straight line speculation (SLS)
>     for function return and indirect branch by adding an INT3 instruction
>     after function return and indirect branch.
>
> and followup commits to support Linux kernel commits:
>
> commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> Author: Peter Zijlstra <peterz@infradead.org>
> Date:   Sat Dec 4 14:43:44 2021 +0100
>
>     x86: Add straight-line-speculation mitigation
>
> commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> Author: Peter Zijlstra <peterz@infradead.org>
> Date:   Fri Nov 19 17:50:25 2021 +0100
>
>     x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
>
> H.J. Lu (5):
>   x86: Remove "%!" before ret
>   x86: Add -mharden-sls=[none|all|return|indirect-branch]
>   x86: Add -mindirect-branch-cs-prefix
>   x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
>   x86: Generate INT3 for __builtin_eh_return
>
>  gcc/config/i386/i386-opts.h                   |  7 ++++
>  gcc/config/i386/i386.c                        | 38 +++++++++++++------
>  gcc/config/i386/i386.md                       |  2 +-
>  gcc/config/i386/i386.opt                      | 24 ++++++++++++
>  gcc/doc/invoke.texi                           | 18 ++++++++-
>  gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
>  .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
>  .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
>  13 files changed, 198 insertions(+), 13 deletions(-)
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
>
> --
> 2.34.1
>


* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
  2022-02-01  7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
@ 2022-02-01 16:59   ` H.J. Lu
  2022-02-02  9:22     ` Richard Biener
  0 siblings, 1 reply; 12+ messages in thread
From: H.J. Lu @ 2022-02-01 16:59 UTC (permalink / raw)
  To: Richard Biener; +Cc: GCC Patches, Uros Bizjak

On Mon, Jan 31, 2022 at 11:21 PM Richard Biener
<richard.guenther@gmail.com> wrote:
>
> On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > Backport -mindirect-branch-cs-prefix:
>
> LGTM in case an x86 maintainer also acks this.  Can you amend
> the 10.3 release gcc-11/changes.html notes accordingly?

Did you mean 11.3?

Here is the patch for gcc-12/changes.html:

https://gcc.gnu.org/pipermail/gcc-patches/2022-February/589600.html

> Thanks,
> Richard.
>
> > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date:   Wed Oct 27 06:27:15 2021 -0700
> >
> >     x86: Add -mindirect-branch-cs-prefix
> >
> >     Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> >     indirect thunk with branch target in r8-r15 registers so that the call
> >     and jmp instruction length is 6 bytes to allow them to be replaced with
> >     "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> >
> > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date:   Wed Oct 27 07:48:54 2021 -0700
> >
> >     x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >
> >     Add -mharden-sls= to mitigate against straight line speculation (SLS)
> >     for function return and indirect branch by adding an INT3 instruction
> >     after function return and indirect branch.
> >
> > and followup commits to support Linux kernel commits:
> >
> > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date:   Sat Dec 4 14:43:44 2021 +0100
> >
> >     x86: Add straight-line-speculation mitigation
> >
> > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date:   Fri Nov 19 17:50:25 2021 +0100
> >
> >     x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> >
> > H.J. Lu (5):
> >   x86: Remove "%!" before ret
> >   x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >   x86: Add -mindirect-branch-cs-prefix
> >   x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> >   x86: Generate INT3 for __builtin_eh_return
> >
> >  gcc/config/i386/i386-opts.h                   |  7 ++++
> >  gcc/config/i386/i386.c                        | 38 +++++++++++++------
> >  gcc/config/i386/i386.md                       |  2 +-
> >  gcc/config/i386/i386.opt                      | 24 ++++++++++++
> >  gcc/doc/invoke.texi                           | 18 ++++++++-
> >  gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
> >  .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
> >  .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
> >  13 files changed, 198 insertions(+), 13 deletions(-)
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> >
> > --
> > 2.34.1
> >



-- 
H.J.


* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
  2022-02-01 16:59   ` H.J. Lu
@ 2022-02-02  9:22     ` Richard Biener
  0 siblings, 0 replies; 12+ messages in thread
From: Richard Biener @ 2022-02-02  9:22 UTC (permalink / raw)
  To: H.J. Lu; +Cc: GCC Patches, Uros Bizjak

On Tue, Feb 1, 2022 at 5:59 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Mon, Jan 31, 2022 at 11:21 PM Richard Biener
> <richard.guenther@gmail.com> wrote:
> >
> > On Mon, Jan 31, 2022 at 7:56 PM H.J. Lu via Gcc-patches
> > <gcc-patches@gcc.gnu.org> wrote:
> > >
> > > Backport -mindirect-branch-cs-prefix:
> >
> > LGTM in case an x86 maintainer also acks this.  Can you amend
> > the 10.3 release gcc-11/changes.html notes accordingly?
>
> Did you mean 11.3?

Yes, of course.

> Here is the patch for gcc-12/changes.html:
>
> https://gcc.gnu.org/pipermail/gcc-patches/2022-February/589600.html
>
> > Thanks,
> > Richard.
> >
> > > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > > Author: H.J. Lu <hjl.tools@gmail.com>
> > > Date:   Wed Oct 27 06:27:15 2021 -0700
> > >
> > >     x86: Add -mindirect-branch-cs-prefix
> > >
> > >     Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> > >     indirect thunk with branch target in r8-r15 registers so that the call
> > >     and jmp instruction length is 6 bytes to allow them to be replaced with
> > >     "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> > >
> > > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > > Author: H.J. Lu <hjl.tools@gmail.com>
> > > Date:   Wed Oct 27 07:48:54 2021 -0700
> > >
> > >     x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > >
> > >     Add -mharden-sls= to mitigate against straight line speculation (SLS)
> > >     for function return and indirect branch by adding an INT3 instruction
> > >     after function return and indirect branch.
> > >
> > > and followup commits to support Linux kernel commits:
> > >
> > > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > > Author: Peter Zijlstra <peterz@infradead.org>
> > > Date:   Sat Dec 4 14:43:44 2021 +0100
> > >
> > >     x86: Add straight-line-speculation mitigation
> > >
> > > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > > Author: Peter Zijlstra <peterz@infradead.org>
> > > Date:   Fri Nov 19 17:50:25 2021 +0100
> > >
> > >     x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> > >
> > > H.J. Lu (5):
> > >   x86: Remove "%!" before ret
> > >   x86: Add -mharden-sls=[none|all|return|indirect-branch]
> > >   x86: Add -mindirect-branch-cs-prefix
> > >   x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> > >   x86: Generate INT3 for __builtin_eh_return
> > >
> > >  gcc/config/i386/i386-opts.h                   |  7 ++++
> > >  gcc/config/i386/i386.c                        | 38 +++++++++++++------
> > >  gcc/config/i386/i386.md                       |  2 +-
> > >  gcc/config/i386/i386.opt                      | 24 ++++++++++++
> > >  gcc/doc/invoke.texi                           | 18 ++++++++-
> > >  gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
> > >  gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
> > >  gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
> > >  gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
> > >  gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
> > >  gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
> > >  .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
> > >  .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
> > >  13 files changed, 198 insertions(+), 13 deletions(-)
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> > >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> > >
> > > --
> > > 2.34.1
> > >
>
>
>
> --
> H.J.


* Re: [GCC 11 PATCH 1/5] x86: Remove "%!" before ret
  2022-01-31 18:55 ` [GCC 11 PATCH 1/5] x86: Remove "%!" before ret H.J. Lu
@ 2022-02-16  6:46   ` Hongtao Liu
  0 siblings, 0 replies; 12+ messages in thread
From: Hongtao Liu @ 2022-02-16  6:46 UTC (permalink / raw)
  To: H.J. Lu; +Cc: GCC Patches

On Tue, Feb 1, 2022 at 2:56 AM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Before MPX was removed, "%!" was mapped to
>
>         case '!':
>           if (ix86_bnd_prefixed_insn_p (current_output_insn))
>             fputs ("bnd ", file);
>           return;
>
> After CET was added and MPX was removed, "%!" was mapped to
>
>        case '!':
>           if (ix86_notrack_prefixed_insn_p (current_output_insn))
>             fputs ("notrack ", file);
>           return;
>
> ix86_notrack_prefixed_insn_p always returns false on ret since the
> notrack prefix is only for indirect branches.  Remove the unused "%!"
> before ret.
The patch LGTM.
BTW, this patch seems to be independent of the straight-line-speculation mitigation.
>
>         PR target/103307
>         * config/i386/i386.c (ix86_code_end): Remove "%!" before ret.
>         (ix86_output_function_return): Likewise.
>         * config/i386/i386.md (simple_return_pop_internal): Likewise.
>
> (cherry picked from commit 8e410de43ce039bbe08f1e0195e3b6ec24f68cae)
> ---
>  gcc/config/i386/i386.c  | 4 ++--
>  gcc/config/i386/i386.md | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
> index 8e8c8beb366..4ba1a218ee6 100644
> --- a/gcc/config/i386/i386.c
> +++ b/gcc/config/i386/i386.c
> @@ -6000,7 +6000,7 @@ ix86_code_end (void)
>        xops[0] = gen_rtx_REG (Pmode, regno);
>        xops[1] = gen_rtx_MEM (Pmode, stack_pointer_rtx);
>        output_asm_insn ("mov%z0\t{%1, %0|%0, %1}", xops);
> -      output_asm_insn ("%!ret", NULL);
> +      fputs ("\tret\n", asm_out_file);
>        final_end_function ();
>        init_insn_lengths ();
>        free_after_compilation (cfun);
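Review bot: in ix86_code_end the replacement does more than drop "%!": the ret is now written with fputs to asm_out_file using a hand-written tab and newline, while the mov on the line above still goes through output_asm_insn. The other two hunks only edit the template string, so either keep `output_asm_insn ("ret", NULL);` here or state in the commit message why this site needs the raw write.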
> @@ -16027,7 +16027,7 @@ ix86_output_function_return (bool long_p)
>      }
>
>    if (!long_p)
> -    return "%!ret";
> +    return "ret";
>
>    return "rep%; ret";
>  }
> diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
> index db9dbf384ad..1aff2ac2a82 100644
> --- a/gcc/config/i386/i386.md
> +++ b/gcc/config/i386/i386.md
> @@ -13912,7 +13912,7 @@ (define_insn_and_split "simple_return_pop_internal"
>    [(simple_return)
>     (use (match_operand:SI 0 "const_int_operand"))]
>    "reload_completed"
> -  "%!ret\t%0"
> +  "ret\t%0"
>    "&& cfun->machine->function_return_type != indirect_branch_keep"
>    [(const_int 0)]
>    "ix86_split_simple_return_pop_internal (operands[0]); DONE;"
> --
> 2.34.1
>


-- 
BR,
Hongtao


* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
  2022-01-31 18:55 [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation H.J. Lu
                   ` (5 preceding siblings ...)
  2022-02-01  7:21 ` [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation Richard Biener
@ 2022-02-16  7:01 ` Hongtao Liu
  2022-02-16 13:30   ` H.J. Lu
  6 siblings, 1 reply; 12+ messages in thread
From: Hongtao Liu @ 2022-02-16  7:01 UTC (permalink / raw)
  To: H.J. Lu; +Cc: GCC Patches

On Tue, Feb 1, 2022 at 2:55 AM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> Backport -mindirect-branch-cs-prefix:
>
> commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date:   Wed Oct 27 06:27:15 2021 -0700
>
>     x86: Add -mindirect-branch-cs-prefix
>
>     Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
>     indirect thunk with branch target in r8-r15 registers so that the call
>     and jmp instruction length is 6 bytes to allow them to be replaced with
>     "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
>
> commit 63738e176726d31953deb03f7e32cf8b760735ac
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date:   Wed Oct 27 07:48:54 2021 -0700
>
>     x86: Add -mharden-sls=[none|all|return|indirect-branch]
>
>     Add -mharden-sls= to mitigate against straight line speculation (SLS)
>     for function return and indirect branch by adding an INT3 instruction
>     after function return and indirect branch.
>
> and followup commits to support Linux kernel commits:
>
> commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> Author: Peter Zijlstra <peterz@infradead.org>
> Date:   Sat Dec 4 14:43:44 2021 +0100
>
>     x86: Add straight-line-speculation mitigation
>
> commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> Author: Peter Zijlstra <peterz@infradead.org>
> Date:   Fri Nov 19 17:50:25 2021 +0100
>
>     x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
>
> H.J. Lu (5):
>   x86: Remove "%!" before ret
>   x86: Add -mharden-sls=[none|all|return|indirect-branch]
>   x86: Add -mindirect-branch-cs-prefix
>   x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
>   x86: Generate INT3 for __builtin_eh_return
The patch LGTM.
>
>  gcc/config/i386/i386-opts.h                   |  7 ++++
>  gcc/config/i386/i386.c                        | 38 +++++++++++++------
>  gcc/config/i386/i386.md                       |  2 +-
>  gcc/config/i386/i386.opt                      | 24 ++++++++++++
>  gcc/doc/invoke.texi                           | 18 ++++++++-
>  gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
>  gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
>  .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
>  .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
>  13 files changed, 198 insertions(+), 13 deletions(-)
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
>  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
>
> --
> 2.34.1
>


-- 
BR,
Hongtao


* Re: [GCC 11 PATCH 0/5] x86: Backport straight-line-speculation mitigation
  2022-02-16  7:01 ` Hongtao Liu
@ 2022-02-16 13:30   ` H.J. Lu
  0 siblings, 0 replies; 12+ messages in thread
From: H.J. Lu @ 2022-02-16 13:30 UTC (permalink / raw)
  To: Hongtao Liu; +Cc: GCC Patches

On Tue, Feb 15, 2022 at 10:52 PM Hongtao Liu <crazylht@gmail.com> wrote:
>
> On Tue, Feb 1, 2022 at 2:55 AM H.J. Lu via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > Backport -mindirect-branch-cs-prefix:
> >
> > commit 48a4ae26c225eb018ecb59f131e2c4fd4f3cf89a
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date:   Wed Oct 27 06:27:15 2021 -0700
> >
> >     x86: Add -mindirect-branch-cs-prefix
> >
> >     Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to
> >     indirect thunk with branch target in r8-r15 registers so that the call
> >     and jmp instruction length is 6 bytes to allow them to be replaced with
> >     "lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time.
> >
> > commit 63738e176726d31953deb03f7e32cf8b760735ac
> > Author: H.J. Lu <hjl.tools@gmail.com>
> > Date:   Wed Oct 27 07:48:54 2021 -0700
> >
> >     x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >
> >     Add -mharden-sls= to mitigate against straight line speculation (SLS)
> >     for function return and indirect branch by adding an INT3 instruction
> >     after function return and indirect branch.
> >
> > and followup commits to support Linux kernel commits:
> >
> > commit e463a09af2f0677b9485a7e8e4e70b396b2ffb6f
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date:   Sat Dec 4 14:43:44 2021 +0100
> >
> >     x86: Add straight-line-speculation mitigation
> >
> > commit 68cf4f2a72ef8786e6b7af6fd9a89f27ac0f520d
> > Author: Peter Zijlstra <peterz@infradead.org>
> > Date:   Fri Nov 19 17:50:25 2021 +0100
> >
> >     x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
> >
> > H.J. Lu (5):
> >   x86: Remove "%!" before ret
> >   x86: Add -mharden-sls=[none|all|return|indirect-branch]
> >   x86: Add -mindirect-branch-cs-prefix
> >   x86: Rename -harden-sls=indirect-branch to -harden-sls=indirect-jmp
> >   x86: Generate INT3 for __builtin_eh_return
> The patch LGTM.

I am pushing this patch set into GCC 11 branch.

Thanks.

> >
> >  gcc/config/i386/i386-opts.h                   |  7 ++++
> >  gcc/config/i386/i386.c                        | 38 +++++++++++++------
> >  gcc/config/i386/i386.md                       |  2 +-
> >  gcc/config/i386/i386.opt                      | 24 ++++++++++++
> >  gcc/doc/invoke.texi                           | 18 ++++++++-
> >  gcc/testsuite/gcc.target/i386/harden-sls-1.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-2.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-3.c  | 14 +++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-4.c  | 16 ++++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-5.c  | 17 +++++++++
> >  gcc/testsuite/gcc.target/i386/harden-sls-6.c  | 18 +++++++++
> >  .../i386/indirect-thunk-cs-prefix-1.c         | 14 +++++++
> >  .../i386/indirect-thunk-cs-prefix-2.c         | 15 ++++++++
> >  13 files changed, 198 insertions(+), 13 deletions(-)
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c
> >  create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c
> >
> > --
> > 2.34.1
> >
>
>
> --
> BR,
> Hongtao



-- 
H.J.
