From: "H.J. Lu"
Date: Wed, 11 May 2022 11:00:54 -0700
Subject: Re: [PATCH] x86: Document -mno-cet-switch
To: Florian Weimer
Cc: "H.J. Lu via Gcc-patches"
In-Reply-To: <87a6bof4cz.fsf@oldenburg.str.redhat.com>

On Wed, May 11, 2022 at 8:58 AM Florian Weimer wrote:
>
> * H. J. Lu:
>
> > On Wed, May 11, 2022 at 1:12 AM Florian Weimer wrote:
> >>
> >> * H. J. Lu via Gcc-patches:
> >>
> >> > When -fcf-protection=branch is used, the compiler will generate jump
> >> > tables where the indirect jump is prefixed with the NOTRACK prefix, so
> >> > it can jump to non-ENDBR targets. Yet, for NOTRACK prefixes to work, the
> >> > NOTRACK specific enable bit must be set, what renders the binary broken
> >> > on any environment where this is not the case. In fact, having NOTRACK
> >> > disabled was a design choice for the Linux kernel CET support.
> >>
> >> Why isn't that a kernel bug? It doesn't match what is in the current
> >> glibc sources.
> >
> > User space uses NOTRACK in the jump table in assembly codes.
>
> And is expected to continue to use it?

Yes, it should be allowed in user space.

> >> > Generate jump tables with ENDBR and skip the NOTRACK prefix for indirect
> >> > jump. Document -mno-cet-switch to turn off CET instrumentation on jump
> >> > tables for switch statements.
> >>
> >> Of course, that is a slight regression in security hardening.
> >>
> >> Quite frankly, I'm puzzled why the kernel decided to require these
> >> additional ENDBR instructions.
> >
> > Kernel is using -mcet-switch today. Should we document -mcet-switch
> > and keep it off by default instead?
>
> Sorry, I'm not 100% certain of the mechanics/options involved.
>
> I think the default should reflect userspace requirements, like with the
> red zone and vector register usage for integer code.

The question is if the compiler should use NOTRACK by default for
the jump table. It is independent of whether NOTRACK is enabled
or not. Should I check in my patch as is?

Thanks.

--
H.J.
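
The thread turns on whether compiled code contains NOTRACK-prefixed indirect jumps, which fail where the NOTRACK enable bit is not set. The following is an added example, not part of the original message or of GCC: a small auditor that separates NOTRACK from tracked indirect branches in `objdump -d` text. The disassembly sample is constructed, the function names in it are hypothetical, and the assumption is that objdump prints the prefix as `notrack` in AT&T syntax.

```python
import re

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
# AT&T syntax marks an indirect target with '*'; objdump prints the 0x3e
# prefix on such a branch as "notrack" (assumed output format).
INDIRECT_RE = re.compile(r"^(notrack\s+)?(?:jmp|call)q?\s+\*")

def classify_indirect_branches(disasm):
    """Split indirect jmp/call instructions into NOTRACK and tracked ones.

    Returns {"notrack": [...], "tracked": [...]} of (function, address, insn).
    """
    found = {"notrack": [], "tracked": []}
    func = "?"
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func = m.group(1)
            continue
        parts = line.split("\t")
        if len(parts) < 3:  # blank line or byte-continuation line
            continue
        addr, insn = parts[0].strip().rstrip(":"), parts[2].strip()
        m = INDIRECT_RE.match(insn)
        if m:
            kind = "notrack" if m.group(1) else "tracked"
            found[kind].append((func, addr, insn))
    return found

# Constructed sample of `objdump -d` output; not taken from a real binary.
SAMPLE = (
    "0000000000401126 <dispatch>:\n"
    "  401126:\tf3 0f 1e fa          \tendbr64\n"
    "  40112a:\t83 ff 05             \tcmp    $0x5,%edi\n"
    "  40112d:\t77 0d                \tja     40113c <dispatch+0x16>\n"
    "  40112f:\t89 ff                \tmov    %edi,%edi\n"
    "  401131:\t48 8b 04 fd 10 20 40 \tmov    0x402010(,%rdi,8),%rax\n"
    "  401138:\t00 \n"
    "  401139:\t3e ff e0             \tnotrack jmp *%rax\n"
    "  40113c:\tc3                   \tret\n"
    "\n"
    "0000000000401140 <call_handler>:\n"
    "  401140:\tf3 0f 1e fa          \tendbr64\n"
    "  401144:\tff e7                \tjmp    *%rdi\n"
)

if __name__ == "__main__":
    for kind, hits in classify_indirect_branches(SAMPLE).items():
        for func, addr, insn in hits:
            print(f"{kind:8} {func:14} {addr}: {insn}")
```

Feeding it the disassembly of an object built with -fcf-protection=branch shows whether the jump-table dispatch in each function relies on NOTRACK.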