* [PATCH v2] x86: Document -mcet-switch
From: H.J. Lu @ 2022-05-11 20:52 UTC
To: gcc-patches; +Cc: Uros Bizjak, Florian Weimer
When -fcf-protection=branch is used, the compiler will generate jump
tables for switch statements where the indirect jump is prefixed with
the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the
indirect jump targets are generated by the compiler, they are always
valid.
Document -mcet-switch to generate jump tables for switch statements with
ENDBR and skip the NOTRACK prefix for indirect jump. This option should
be used when the NOTRACK prefix is disabled.
PR target/104816
* config/i386/i386.opt: Remove Undocumented.
* doc/invoke.texi: Document -mcet-switch.
---
gcc/config/i386/i386.opt | 2 +-
gcc/doc/invoke.texi | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
index a6b0e28f238..0dbaacb57ed 100644
--- a/gcc/config/i386/i386.opt
+++ b/gcc/config/i386/i386.opt
@@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
Technology (CET).
mcet-switch
-Target Undocumented Var(flag_cet_switch) Init(0)
+Target Var(flag_cet_switch) Init(0)
Turn on CET instrumentation for switch statements that use a jump table and
an indirect jump.
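Review bot: dropping Undocumented makes the two unchanged help-string lines after `+Target Var(flag_cet_switch) Init(0)` user-visible, and they never say what the "CET instrumentation" actually is (ENDBR at the jump-table targets and no NOTRACK prefix on the indirect jump, as the commit message explains) nor that Init(0) means it is off by default. Suggest something like "Emit ENDBR at the jump-table targets of switch statements and omit the NOTRACK prefix on the indirect jump (off by default)", so that --help=target and invoke.texi tell the same story.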
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 7a35d9613a4..968853690f9 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -1420,7 +1420,8 @@ See RS/6000 and PowerPC Options.
-msse4a -m3dnow -m3dnowa -mpopcnt -mabm -mbmi -mtbm -mfma4 -mxop @gol
-madx -mlzcnt -mbmi2 -mfxsr -mxsave -mxsaveopt -mrtm -mhle -mlwp @gol
-mmwaitx -mclzero -mpku -mthreads -mgfni -mvaes -mwaitpkg @gol
--mshstk -mmanual-endbr -mforce-indirect-call -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
+-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
+-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
-mvpclmulqdq -mavx512bitalg -mmovdiri -mmovdir64b -mavx512vpopcntdq @gol
-mavx5124fmaps -mavx512vnni -mavx5124vnniw -mprfchw -mrdpid @gol
-mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
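Review bot: placing `-mcet-switch` next to `-mmanual-endbr` in the option summary is sensible, but the unchanged last context line `-mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol` lacks the space before `@gol` that every neighbouring line has; since this hunk already reflows the adjacent lines, that pre-existing nit could be folded into the same patch.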
@@ -32641,6 +32642,11 @@ function attribute. This is useful when used with the option
@option{-fcf-protection=branch} to control ENDBR insertion at the
function entry.
+@item -mcet-switch
+@opindex mcet-switch
+Turn on CET instrumentation for switch statements that use a jump table
+and an indirect jump.
+
@item -mcall-ms2sysv-xlogues
@opindex mcall-ms2sysv-xlogues
@opindex mno-call-ms2sysv-xlogues
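Review bot: the new @item text "Turn on CET instrumentation for switch statements that use a jump table and an indirect jump" does not tell the reader what changes in the generated code, what the default is, or when to use the option, all of which the commit message already spells out ("generate jump tables for switch statements with ENDBR and skip the NOTRACK prefix for indirect jump", "should be used when the NOTRACK prefix is disabled"); Richard Biener asks for exactly this further down the thread. Suggest moving those two sentences into the @item, stating that the option is off by default, and naming the trade-off Florian raises below: with ENDBR at the case labels, those labels become valid targets for every indirect branch in the program, not just the switch dispatch.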
--
2.35.1
* Re: [PATCH v2] x86: Document -mcet-switch
From: H.J. Lu @ 2022-05-18 17:27 UTC
To: GCC Patches; +Cc: Uros Bizjak, Florian Weimer
On Wed, May 11, 2022 at 1:52 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> When -fcf-protection=branch is used, the compiler will generate jump
> tables for switch statements where the indirect jump is prefixed with
> the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the
> indirect jump targets are generated by the compiler, they are always
> valid.
>
> Document -mcet-switch to generate jump tables for switch statements with
> ENDBR and skip the NOTRACK prefix for indirect jump. This option should
> be used when the NOTRACK prefix is disabled.
>
> PR target/104816
> * config/i386/i386.opt: Remove Undocumented.
> * doc/invoke.texi: Document -mcet-switch.
> ---
> gcc/config/i386/i386.opt | 2 +-
> gcc/doc/invoke.texi | 8 +++++++-
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
> index a6b0e28f238..0dbaacb57ed 100644
> --- a/gcc/config/i386/i386.opt
> +++ b/gcc/config/i386/i386.opt
> @@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
> Technology (CET).
>
> mcet-switch
> -Target Undocumented Var(flag_cet_switch) Init(0)
> +Target Var(flag_cet_switch) Init(0)
> Turn on CET instrumentation for switch statements that use a jump table and
> an indirect jump.
>
> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> index 7a35d9613a4..968853690f9 100644
> --- a/gcc/doc/invoke.texi
> +++ b/gcc/doc/invoke.texi
> @@ -1420,7 +1420,8 @@ See RS/6000 and PowerPC Options.
> -msse4a -m3dnow -m3dnowa -mpopcnt -mabm -mbmi -mtbm -mfma4 -mxop @gol
> -madx -mlzcnt -mbmi2 -mfxsr -mxsave -mxsaveopt -mrtm -mhle -mlwp @gol
> -mmwaitx -mclzero -mpku -mthreads -mgfni -mvaes -mwaitpkg @gol
> --mshstk -mmanual-endbr -mforce-indirect-call -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> +-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
> +-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> -mvpclmulqdq -mavx512bitalg -mmovdiri -mmovdir64b -mavx512vpopcntdq @gol
> -mavx5124fmaps -mavx512vnni -mavx5124vnniw -mprfchw -mrdpid @gol
> -mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
> @@ -32641,6 +32642,11 @@ function attribute. This is useful when used with the option
> @option{-fcf-protection=branch} to control ENDBR insertion at the
> function entry.
>
> +@item -mcet-switch
> +@opindex mcet-switch
> +Turn on CET instrumentation for switch statements that use a jump table
> +and an indirect jump.
> +
> @item -mcall-ms2sysv-xlogues
> @opindex mcall-ms2sysv-xlogues
> @opindex mno-call-ms2sysv-xlogues
> --
> 2.35.1
>
Any comments?
Thanks.
--
H.J.
* Re: [PATCH v2] x86: Document -mcet-switch
From: Richard Biener @ 2022-05-19 6:02 UTC
To: H.J. Lu; +Cc: GCC Patches, Florian Weimer
On Wed, May 18, 2022 at 7:32 PM H.J. Lu via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> On Wed, May 11, 2022 at 1:52 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > When -fcf-protection=branch is used, the compiler will generate jump
> > tables for switch statements where the indirect jump is prefixed with
> > the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the
> > indirect jump targets are generated by the compiler, they are always
> > valid.
> >
> > Document -mcet-switch to generate jump tables for switch statements with
> > ENDBR and skip the NOTRACK prefix for indirect jump. This option should
> > be used when the NOTRACK prefix is disabled.
> >
> > PR target/104816
> > * config/i386/i386.opt: Remove Undocumented.
> > * doc/invoke.texi: Document -mcet-switch.
> > ---
> > gcc/config/i386/i386.opt | 2 +-
> > gcc/doc/invoke.texi | 8 +++++++-
> > 2 files changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
> > index a6b0e28f238..0dbaacb57ed 100644
> > --- a/gcc/config/i386/i386.opt
> > +++ b/gcc/config/i386/i386.opt
> > @@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
> > Technology (CET).
> >
> > mcet-switch
> > -Target Undocumented Var(flag_cet_switch) Init(0)
> > +Target Var(flag_cet_switch) Init(0)
> > Turn on CET instrumentation for switch statements that use a jump table and
> > an indirect jump.
> >
> > diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> > index 7a35d9613a4..968853690f9 100644
> > --- a/gcc/doc/invoke.texi
> > +++ b/gcc/doc/invoke.texi
> > @@ -1420,7 +1420,8 @@ See RS/6000 and PowerPC Options.
> > -msse4a -m3dnow -m3dnowa -mpopcnt -mabm -mbmi -mtbm -mfma4 -mxop @gol
> > -madx -mlzcnt -mbmi2 -mfxsr -mxsave -mxsaveopt -mrtm -mhle -mlwp @gol
> > -mmwaitx -mclzero -mpku -mthreads -mgfni -mvaes -mwaitpkg @gol
> > --mshstk -mmanual-endbr -mforce-indirect-call -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> > +-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
> > +-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> > -mvpclmulqdq -mavx512bitalg -mmovdiri -mmovdir64b -mavx512vpopcntdq @gol
> > -mavx5124fmaps -mavx512vnni -mavx5124vnniw -mprfchw -mrdpid @gol
> > -mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
> > @@ -32641,6 +32642,11 @@ function attribute. This is useful when used with the option
> > @option{-fcf-protection=branch} to control ENDBR insertion at the
> > function entry.
> >
> > +@item -mcet-switch
> > +@opindex mcet-switch
> > +Turn on CET instrumentation for switch statements that use a jump table
> > +and an indirect jump.
> > +
Can you explain the difference between -mcet-switch and -mno-cet-switch here
please and indicate the default? The above doesn't sound useful to me.
> > @item -mcall-ms2sysv-xlogues
> > @opindex mcall-ms2sysv-xlogues
> > @opindex mno-call-ms2sysv-xlogues
> > --
> > 2.35.1
> >
>
> Any comments?
>
> Thanks.
>
> --
> H.J.
* Re: [PATCH v2] x86: Document -mcet-switch
From: H.J. Lu @ 2022-05-19 20:37 UTC
To: Richard Biener; +Cc: GCC Patches, Florian Weimer
On Wed, May 18, 2022 at 11:02 PM Richard Biener
<richard.guenther@gmail.com> wrote:
>
> On Wed, May 18, 2022 at 7:32 PM H.J. Lu via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > On Wed, May 11, 2022 at 1:52 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> > >
> > > When -fcf-protection=branch is used, the compiler will generate jump
> > > tables for switch statements where the indirect jump is prefixed with
> > > the NOTRACK prefix, so it can jump to non-ENDBR targets. Since the
> > > indirect jump targets are generated by the compiler, they are always
> > > valid.
> > >
> > > Document -mcet-switch to generate jump tables for switch statements with
> > > ENDBR and skip the NOTRACK prefix for indirect jump. This option should
> > > be used when the NOTRACK prefix is disabled.
> > >
> > > PR target/104816
> > > * config/i386/i386.opt: Remove Undocumented.
> > > * doc/invoke.texi: Document -mcet-switch.
> > > ---
> > > gcc/config/i386/i386.opt | 2 +-
> > > gcc/doc/invoke.texi | 8 +++++++-
> > > 2 files changed, 8 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt
> > > index a6b0e28f238..0dbaacb57ed 100644
> > > --- a/gcc/config/i386/i386.opt
> > > +++ b/gcc/config/i386/i386.opt
> > > @@ -1047,7 +1047,7 @@ Enable shadow stack built-in functions from Control-flow Enforcement
> > > Technology (CET).
> > >
> > > mcet-switch
> > > -Target Undocumented Var(flag_cet_switch) Init(0)
> > > +Target Var(flag_cet_switch) Init(0)
> > > Turn on CET instrumentation for switch statements that use a jump table and
> > > an indirect jump.
> > >
> > > diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> > > index 7a35d9613a4..968853690f9 100644
> > > --- a/gcc/doc/invoke.texi
> > > +++ b/gcc/doc/invoke.texi
> > > @@ -1420,7 +1420,8 @@ See RS/6000 and PowerPC Options.
> > > -msse4a -m3dnow -m3dnowa -mpopcnt -mabm -mbmi -mtbm -mfma4 -mxop @gol
> > > -madx -mlzcnt -mbmi2 -mfxsr -mxsave -mxsaveopt -mrtm -mhle -mlwp @gol
> > > -mmwaitx -mclzero -mpku -mthreads -mgfni -mvaes -mwaitpkg @gol
> > > --mshstk -mmanual-endbr -mforce-indirect-call -mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> > > +-mshstk -mmanual-endbr -mcet-switch -mforce-indirect-call @gol
> > > +-mavx512vbmi2 -mavx512bf16 -menqcmd @gol
> > > -mvpclmulqdq -mavx512bitalg -mmovdiri -mmovdir64b -mavx512vpopcntdq @gol
> > > -mavx5124fmaps -mavx512vnni -mavx5124vnniw -mprfchw -mrdpid @gol
> > > -mrdseed -msgx -mavx512vp2intersect -mserialize -mtsxldtrk@gol
> > > @@ -32641,6 +32642,11 @@ function attribute. This is useful when used with the option
> > > @option{-fcf-protection=branch} to control ENDBR insertion at the
> > > function entry.
> > >
> > > +@item -mcet-switch
> > > +@opindex mcet-switch
> > > +Turn on CET instrumentation for switch statements that use a jump table
> > > +and an indirect jump.
> > > +
>
> Can you explain the difference between -mcet-switch and -mno-cet-switch here
> please and indicate the default? The above doesn't sound useful to me.
How about this?
@item -mcet-switch
@opindex mcet-switch
By default, CET instrumentation is turned off on switch statements that
use a jump table and indirect branch tracking is disabled. This option
turns on CET instrumentation to enable indirect branch tracking for switch
statements with jump tables.
--
H.J.
* Re: [PATCH v2] x86: Document -mcet-switch
From: Florian Weimer @ 2022-05-19 20:49 UTC
To: H.J. Lu; +Cc: Richard Biener, GCC Patches
* H. J. Lu:
> How about this?
>
> @item -mcet-switch
> @opindex mcet-switch
> By default, CET instrumentation is turned off on switch statements that
> use a jump table and indirect branch tracking is disabled.
Maybe add here: “Since jump tables are stored in read-only memory, this
does not result in a direct loss of hardening. But if the jump table
index is attacker-controlled, the indirect jump may not be constrained
by CET.”
> This option turns on CET instrumentation to enable indirect branch
> tracking for switch statements with jump tables.
“This results in a loss of hardening because the jump targets are now
reachable via all indirect jumps.”
Maybe GCC should just emit a forced (unoptimized) bounds check for jump
tables in CET mode …
Thanks,
Florian
* Re: [PATCH v2] x86: Document -mcet-switch
From: H.J. Lu @ 2022-05-19 23:37 UTC
To: Florian Weimer; +Cc: Richard Biener, GCC Patches
On Thu, May 19, 2022 at 1:49 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > How about this?
> >
> > @item -mcet-switch
> > @opindex mcet-switch
> > By default, CET instrumentation is turned off on switch statements that
> > use a jump table and indirect branch tracking is disabled.
>
> Maybe add here: “Since jump tables are stored in read-only memory, this
> does not result in a direct loss of hardening. But if the jump table
> index is attacker-controlled, the indirect jump may not be constrained
> by CET.”
>
> > This option turns on CET instrumentation to enable indirect branch
> > tracking for switch statements with jump tables.
>
> “This results in a loss of hardening because the jump targets are now
> reachable via all indirect jumps.”
Like this?
@item -mcet-switch
@opindex mcet-switch
By default, CET instrumentation is turned off on switch statements that
use a jump table and indirect branch tracking is disabled. Since jump
tables are stored in read-only memory, this does not result in a direct
loss of hardening. But if the jump table index is attacker-controlled,
the indirect jump may not be constrained by CET. This option turns on
CET instrumentation to enable indirect branch tracking for switch statements
with jump tables, which leads to the jump targets being reachable via any
indirect jump.
> Maybe GCC should just emit a forced (unoptimized) bounds check for jump
> tables in CET mode …
>
> Thanks,
> Florian
>
--
H.J.
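The thread describes two code shapes for a jump-table switch under -fcf-protection=branch (the default NOTRACK-prefixed jump with plain case labels, and the -mcet-switch shape with ENDBR at every case label and no NOTRACK) plus Florian's caveat about the index range check. The following is an added example, not GCC's code or anything from the patch: a small audit script that reads `gcc -S` output and reports, per jump table, which targets lack ENDBR64, and, per indirect jump, whether it carries NOTRACK and whether an unsigned range check precedes it. The two embedded assembly samples are constructed, modelled on GCC's x86-64 output for a three-case switch; the `dispatch` function, the local label names and the `audit_switch_tables` API are assumptions of this example.

```python
"""Audit `gcc -S` output for how a switch jump table is protected under CET.
Added example, not GCC code. Reports NOTRACK-prefixed indirect jumps,
jump-table targets without ENDBR64, and jumps with no range check nearby."""
import re

# GCC emits PIC-friendly tables as ".long .Lcase-.Ltable" entries.
_TABLE_ENTRY = re.compile(r'^\.long\s+(\.L\w+)-(\.L\w+)$')
_LOCAL_LABEL = re.compile(r'^(\.L\w+):')
_INDIRECT_JMP = re.compile(r'^(notrack\s+)?jmp\s+\*')
# GCC's range check is "cmp $N, %idx; ja .Ldefault": an unsigned compare,
# so negative indices fall out of the table too. Heuristic, see below.
_UNSIGNED_JCC = {'ja', 'jae', 'jb', 'jbe', 'jna', 'jnae', 'jnb', 'jnbe'}


def _clean(line):
    """Strip an assembler comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def _is_insn(text):
    """True for a mnemonic line (not blank, not a directive, not a label)."""
    return bool(text) and not text.startswith('.') and not text.endswith(':')


def _first_insn(lines, label_idx):
    """Mnemonic of the first instruction after the label at lines[label_idx]."""
    for raw in lines[label_idx + 1:]:
        text = _clean(raw)
        if _is_insn(text):
            return text.split()[0]
    return None


def _has_range_check(lines, jmp_idx, window=8):
    """Heuristic: an unsigned Jcc within `window` instructions before the jump."""
    seen = 0
    for raw in reversed(lines[:jmp_idx]):
        text = _clean(raw)
        if not _is_insn(text):
            continue
        if text.split()[0] in _UNSIGNED_JCC:
            return True
        seen += 1
        if seen == window:
            break
    return False


def audit_switch_tables(asm_text):
    """Map each jump table to its targets and the targets lacking ENDBR64,
    and list every indirect jump with its NOTRACK and range-check status."""
    lines = asm_text.splitlines()
    first_insn, tables, jumps = {}, {}, []
    for idx, raw in enumerate(lines):
        text = _clean(raw)
        if m := _LOCAL_LABEL.match(text):
            first_insn[m.group(1)] = _first_insn(lines, idx)
        elif m := _TABLE_ENTRY.match(text):
            target, base = m.groups()
            tables.setdefault(base, {'targets': [], 'missing_endbr': []})
            tables[base]['targets'].append(target)
        elif m := _INDIRECT_JMP.match(text):
            jumps.append({'line': idx + 1, 'notrack': m.group(1) is not None,
                          'range_check': _has_range_check(lines, idx)})
    for info in tables.values():
        info['missing_endbr'] = [t for t in info['targets']
                                 if first_insn.get(t) != 'endbr64']
    return {'tables': tables, 'indirect_jumps': jumps}


# Constructed sample (not real compiler output), modelled on GCC 12 x86-64
# code for: int dispatch(unsigned idx) { switch (idx) { case 0: return 10;
#   case 1: return 20; case 2: return 30; default: return -1; } }
# built with -O2 -fcf-protection=branch: NOTRACK jump, no ENDBR at the cases.
SAMPLE_DEFAULT = """\
dispatch:
    endbr64
    cmpl    $2, %edi
    ja      .L2
    movl    %edi, %edi
    leaq    .L4(%rip), %rdx
    movslq  (%rdx,%rdi,4), %rax
    addq    %rdx, %rax
    notrack jmp *%rax
    .section    .rodata
.L4:
    .long   .L7-.L4
    .long   .L6-.L4
    .long   .L5-.L4
    .text
.L7:
    movl    $10, %eax
    ret
.L6:
    movl    $20, %eax
    ret
.L5:
    movl    $30, %eax
    ret
.L2:
    movl    $-1, %eax
    ret
"""

# With -mcet-switch the only differences are the dropped NOTRACK prefix and
# an ENDBR64 at every case label, so derive that sample from the first one.
SAMPLE_CET_SWITCH = re.sub(r'^(\.L[567]:)$', '\\1\n    endbr64',
                           SAMPLE_DEFAULT.replace('notrack jmp', 'jmp'),
                           flags=re.M)
```

On real output (`gcc -O2 -S -fcf-protection=branch sw.c`, then again with `-mcet-switch`) the report for the default build lists every case label under `missing_endbr` while the dispatch jump shows `notrack: True`; that combination is the safe one the commit message describes, since the targets are unreachable from any tracked indirect branch and the table itself is read-only. The `-mcet-switch` build shows the inverse, which is Florian's point: the case labels now pass IBT from anywhere. The `range_check` field is only a heuristic (an unsigned Jcc within eight instructions); a `False` there on a table reached with a NOTRACK jump is the case where an attacker-controlled index would not be constrained by CET at all.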