From: "H.J. Lu" <hjl.tools@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: "H.J. Lu via Gcc-patches" <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] x86: Document -mno-cet-switch
Date: Wed, 11 May 2022 11:00:54 -0700 [thread overview]
Message-ID: <CAMe9rOrQCPDnGG0S2u1+CRQP=39tXOZTVCmx1kCwEJ7C4rNXPA@mail.gmail.com> (raw)
In-Reply-To: <87a6bof4cz.fsf@oldenburg.str.redhat.com>
On Wed, May 11, 2022 at 8:58 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > On Wed, May 11, 2022 at 1:12 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu via Gcc-patches:
> >>
> >> > When -fcf-protection=branch is used, the compiler will generate jump
> >> > tables where the indirect jump is prefixed with the NOTRACK prefix, so
> >> > it can jump to non-ENDBR targets. Yet, for NOTRACK prefixes to work, the
> >> > NOTRACK specific enable bit must be set, what renders the binary broken
> >> > on any environment where this is not the case. In fact, having NOTRACK
> >> > disabled was a design choice for the Linux kernel CET support.
> >>
> >> Why isn't that a kernel bug? It doesn't match what is in the current
> >> glibc sources.
> >
> > User space uses NOTRACK in the jump table in assembly codes.
>
> And is expected to continue to use it?
Yes, it should be allowed in user space.
> >> > Generate jump tables with ENDBR and skip the NOTRACK prefix for indirect
> >> > jump. Document -mno-cet-switch to turn off CET instrumentation on jump
> >> > tables for switch statements.
> >>
> >> Of course, that is a slight regression in security hardening.
> >>
> >> Quite frankly, I'm puzzled why the kernel decided to require these
> >> additional ENDBR instructions.
> >
> > Kernel is using -mcet-switch today. Should we document -mcet-switch
> > and keep it off by default instead?
>
> Sorry, I'm not 100% certain of the mechanics/options involved.
>
> I think the default should reflect userspace requirements, like with the
> red zone and vector register usage for integer code.
The question is if the compiler should use NOTRACK by default for
the jump table. It is independent of whether NOTRACK is enabled or
not.
Should I check in my patch asis?
Thanks.
--
H.J.
next prev parent reply other threads:[~2022-05-11 18:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-10 16:20 H.J. Lu
2022-05-11 7:15 ` Uros Bizjak
2022-05-11 8:12 ` Florian Weimer
2022-05-11 14:20 ` H.J. Lu
2022-05-11 15:58 ` Florian Weimer
2022-05-11 18:00 ` H.J. Lu [this message]
2022-05-11 18:22 ` Florian Weimer
2022-05-11 18:36 ` H.J. Lu
2022-05-11 18:45 ` Florian Weimer
2022-05-11 18:57 ` H.J. Lu
2022-05-11 19:02 ` Florian Weimer
2022-05-11 20:04 ` H.J. Lu
2022-05-12 7:15 ` Richard Biener
2022-05-12 16:42 ` H.J. Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMe9rOrQCPDnGG0S2u1+CRQP=39tXOZTVCmx1kCwEJ7C4rNXPA@mail.gmail.com' \
--to=hjl.tools@gmail.com \
--cc=fweimer@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).