public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed
* 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
@ 2017-08-01  8:56 Tsimbalist, Igor V
  2017-08-25 21:38 ` Jeff Law
  0 siblings, 1 reply; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-08-01  8:56 UTC (permalink / raw)
  To: 'gcc-patches@gcc.gnu.org'; +Cc: Tsimbalist, Igor V

[-- Attachment #1: Type: text/plain, Size: 69 bytes --]

Part#2. Document -finstrument-control-flow and notrack attribute.


[-- Attachment #2: 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch --]
[-- Type: application/octet-stream, Size: 5798 bytes --]

From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Mon, 3 Jul 2017 17:12:49 +0300
Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and notrack
 attribute.

gcc/
	* doc/extend.texi: Add 'notrack' documentation.
	* doc/invoke.texi: Add -finstrument-control-flow documentation.
	* doc/rtl.texi: Add REG_CALL_NOTRACK documenation.
---
 gcc/doc/extend.texi | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
 gcc/doc/rtl.texi    | 15 +++++++++++++++
 3 files changed, 89 insertions(+)

diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 6934b4c..80de8a7 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5632,6 +5632,58 @@ Specify which floating-point unit to use.  You must specify the
 @code{target("fpmath=sse,387")} option as
 @code{target("fpmath=sse+387")} because the comma would separate
 different options.
+
+@item notrack
+@cindex @code{notrack} function attribute
+The @code{notrack} attribute on a function is used to inform the
+compiler that the function's prolog should not be instrumented when
+compiled with the @option{-finstrument-control-flow} option.  The
+compiler assumes that the function's address is a valid target for a
+control-flow transfer.
+
+The @code{notrack} attribute on a type of pointer to function is
+used to inform the compiler that a call through the pointer should
+not be instrumented when compiled with the
+@option{-finstrument-control-flow} option.  The compiler assumes
+that the function's address from the pointer is a valid target for
+a control-flow transfer.  A direct function call through a function
+name is assumed as a save call thus direct calls will not be
+instrumented by the compiler.
+
+The @code{notrack} attribute is applied to an object's type.  A
+The @code{notrack} attribute is transfered to a call instruction at
+the GIMPLE and RTL translation phases.  The attribute is not propagated
+through assignment, store and load.
+
+@smallexample
+@{
+void (*foo)(void) __attribute__(notrack);
+void (*foo1)(void) __attribute__(notrack);
+void (*foo2)(void);
+
+int
+foo (void) /* The function's address is not tracked.  */
+
+  /* This call site is not tracked for
+     control-flow instrumentation.  */
+  (*foo1)();
+  foo1 = foo2;
+  /* This call site is still not tracked for
+     control-flow instrumentation.  */
+  (*foo1)();
+
+  /* This call site is tracked for
+     control-flow instrumentation.  */
+  (*foo2)();
+  foo2 = foo1;
+  /* This call site is still tracked for
+     control-flow instrumentation.  */
+  (*foo2)();
+
+  return 0;
+@}
+@end smallexample
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 5ae9dc4..ff2ce92 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
 -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
 -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
 -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
+-finstrument-control-flow @gol
 -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
 -fstack-protector-explicit  -fstack-check @gol
 -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
@@ -11284,6 +11285,27 @@ is used to link a program, the GCC driver automatically links
 against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
 Enabled by default.
 
+@item -finstrument-control-flow
+@opindex finstrument-control-flow
+@opindex fno-instrument-control-flow
+Enable code instrumentation of control-flow transfers to increase
+a program security by checking a target address of control-flow
+transfer instructions (i.e. routine call, routine return, jump)
+are valid targets.  This prevents diverting the control flow
+instructions from its original target address to a new undesigned
+target.  This is intended to protect against such theats as
+Return-oriented Programming (ROP), and similarly call/jmp-oriented
+programming (COP/JOP).
+
+Each compiler, which will support the control-flow instrumentation,
+is supposed to have its own target specific implementation of the
+control-flow instrumentation and in case of absence of such
+implementation the @option{-finstrument-control-flow} will
+cause an error message.
+
+A user has a control through the @code{notrack} attribute to identify
+which functions and calls should be skipped from instrumentation.
+
 @item -fstack-protector
 @opindex fstack-protector
 Emit extra code to check for buffer overflows, such as stack smashing
diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
index 6e2799a..59b4d1a 100644
--- a/gcc/doc/rtl.texi
+++ b/gcc/doc/rtl.texi
@@ -4040,6 +4040,21 @@ is used in place of the actual insn pattern.  This is done in cases where
 the pattern is either complex or misleading.
 @end table
 
+The note @code{REG_CALL_NOTRACK} describe the information connected to
+the code instrumentation which is done when @code{-finstrument-control-flow}
+option is specified.  The note is set if a @code{notrack} attribute is
+specified. The note is stored in the @code{REG_NOTES} field of an insn.
+
+@table @code
+@findex REG_CALL_NOTRACK
+@item REG_CALL_NOTRACK
+A user has a control through the @code{notrack} attribute to identify
+which call to a function should be skipped from instrumentation.  The
+compiler puts a @samp{REG_CALL_NOTRACK} note on @samp{CALL_INSN}
+instruction, which has a function type marked with a @code{notrack}
+attribute.
+@end table
+
 For convenience, the machine mode in an @code{insn_list} or
 @code{expr_list} is printed using these symbolic codes in debugging dumps.
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-08-01  8:56 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute Tsimbalist, Igor V
@ 2017-08-25 21:38 ` Jeff Law
  2017-09-15 15:14   ` Tsimbalist, Igor V
  2017-09-19 13:45   ` Tsimbalist, Igor V
  0 siblings, 2 replies; 12+ messages in thread
From: Jeff Law @ 2017-08-25 21:38 UTC (permalink / raw)
  To: Tsimbalist, Igor V, 'gcc-patches@gcc.gnu.org'

On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote:
> Part#2. Document -finstrument-control-flow and notrack attribute.
> 
> 
> 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch
> 
> 
> From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00 2001
> From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> Date: Mon, 3 Jul 2017 17:12:49 +0300
> Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and notrack
>  attribute.
> 
> gcc/
> 	* doc/extend.texi: Add 'notrack' documentation.
> 	* doc/invoke.texi: Add -finstrument-control-flow documentation.
> 	* doc/rtl.texi: Add REG_CALL_NOTRACK documenation.
> ---
>  gcc/doc/extend.texi | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
>  gcc/doc/rtl.texi    | 15 +++++++++++++++
>  3 files changed, 89 insertions(+)
> 
> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> index 6934b4c..80de8a7 100644
> --- a/gcc/doc/extend.texi
> +++ b/gcc/doc/extend.texi
> @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use.  You must specify the
>  @code{target("fpmath=sse,387")} option as
>  @code{target("fpmath=sse+387")} because the comma would separate
>  different options.
> +
> +@item notrack
> +@cindex @code{notrack} function attribute
> +The @code{notrack} attribute on a function is used to inform the
> +compiler that the function's prolog should not be instrumented when
> +compiled with the @option{-finstrument-control-flow} option.  The
> +compiler assumes that the function's address is a valid target for a
> +control-flow transfer.
Is the default to instrument everything when -finstrument-control-flow
is enabled?  Or can we avoid instrumentation on a function that never
has its address taken (ie, it is only called via a call instruction?)

> +
> +The @code{notrack} attribute on a type of pointer to function is
> +used to inform the compiler that a call through the pointer should
> +not be instrumented when compiled with the
> +@option{-finstrument-control-flow} option.  The compiler assumes
> +that the function's address from the pointer is a valid target for
> +a control-flow transfer.  A direct function call through a function
> +name is assumed as a save call thus direct calls will not be
> +instrumented by the compiler.
s/save/safe/

FWIW, I think putting the attribute into in the type system is a good
thing :-)

> +
> +The @code{notrack} attribute is applied to an object's type.  A
> +The @code{notrack} attribute is transfered to a call instruction at
> +the GIMPLE and RTL translation phases.  The attribute is not propagated
> +through assignment, store and load.
> +
> +@smallexample
> +@{
> +void (*foo)(void) __attribute__(notrack);
> +void (*foo1)(void) __attribute__(notrack);
> +void (*foo2)(void);
> +
> +int
> +foo (void) /* The function's address is not tracked.  */
> +
> +  /* This call site is not tracked for
> +     control-flow instrumentation.  */
> +  (*foo1)();
> +  foo1 = foo2;
> +  /* This call site is still not tracked for
> +     control-flow instrumentation.  */
> +  (*foo1)();
> +
> +  /* This call site is tracked for
> +     control-flow instrumentation.  */
> +  (*foo2)();
> +  foo2 = foo1;
> +  /* This call site is still tracked for
> +     control-flow instrumentation.  */
> +  (*foo2)();
> +
> +  return 0;
> +@}
> +@end smallexample
Given the notrack attribute is part of the type system, could we issue a
warning on the foo1 = foo2 assignment since we're discarding tracking
that's implicit on foo2?

> +
>  @end table
>  
>  On the x86, the inliner does not inline a
> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> index 5ae9dc4..ff2ce92 100644
> --- a/gcc/doc/invoke.texi
> +++ b/gcc/doc/invoke.texi
> @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
>  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
>  -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
>  -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> +-finstrument-control-flow @gol
>  -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
>  -fstack-protector-explicit  -fstack-check @gol
>  -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
> @@ -11284,6 +11285,27 @@ is used to link a program, the GCC driver automatically links
>  against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
>  Enabled by default.
>  
> +@item -finstrument-control-flow
> +@opindex finstrument-control-flow
> +@opindex fno-instrument-control-flow
> +Enable code instrumentation of control-flow transfers to increase
> +a program security by checking a target address of control-flow
> +transfer instructions (i.e. routine call, routine return, jump)
> +are valid targets.  This prevents diverting the control flow
> +instructions from its original target address to a new undesigned
> +target.  This is intended to protect against such theats as
> +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> +programming (COP/JOP).
"function call, function return, indirect jump" rather than "routine
call, routine return, jump"?

Jeff

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-08-25 21:38 ` Jeff Law
@ 2017-09-15 15:14   ` Tsimbalist, Igor V
  2017-09-19 13:45   ` Tsimbalist, Igor V
  1 sibling, 0 replies; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-15 15:14 UTC (permalink / raw)
  To: Jeff Law, 'gcc-patches@gcc.gnu.org'; +Cc: Tsimbalist, Igor V

> -----Original Message-----
> From: Jeff Law [mailto:law@redhat.com]
> Sent: Friday, August 25, 2017 10:59 PM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote:
> > Part#2. Document -finstrument-control-flow and notrack attribute.
> >
> >
> > 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch
> >
> >
> > From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00
> 2001
> > From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> > Date: Mon, 3 Jul 2017 17:12:49 +0300
> > Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and
> > notrack  attribute.
> >
> > gcc/
> > 	* doc/extend.texi: Add 'notrack' documentation.
> > 	* doc/invoke.texi: Add -finstrument-control-flow documentation.
> > 	* doc/rtl.texi: Add REG_CALL_NOTRACK documenation.
> > ---
> >  gcc/doc/extend.texi | 52
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
> >  gcc/doc/rtl.texi    | 15 +++++++++++++++
> >  3 files changed, 89 insertions(+)
> >
> > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index
> > 6934b4c..80de8a7 100644
> > --- a/gcc/doc/extend.texi
> > +++ b/gcc/doc/extend.texi
> > @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use.  You
> > must specify the  @code{target("fpmath=sse,387")} option as
> > @code{target("fpmath=sse+387")} because the comma would separate
> > different options.
> > +
> > +@item notrack
> > +@cindex @code{notrack} function attribute The @code{notrack}
> > +attribute on a function is used to inform the compiler that the
> > +function's prolog should not be instrumented when compiled with the
> > +@option{-finstrument-control-flow} option.  The compiler assumes that
> > +the function's address is a valid target for a control-flow transfer.
> Is the default to instrument everything when -finstrument-control-flow is
> enabled?  Or can we avoid instrumentation on a function that never has its
> address taken (ie, it is only called via a call instruction?)
The instrumentation is on by default but for all platform except of x86 it does nothing as
the implementation is not supported. For x86 the implementation is lightweight and just
increase a bit code size due to 'endbranch' instruction.

Given a function decl is there an information already available if an address was taken from
the function? I plan to do what you suggested later as an optimization especially for global
function where ipa is required. 

> > +
> > +The @code{notrack} attribute on a type of pointer to function is used
> > +to inform the compiler that a call through the pointer should not be
> > +instrumented when compiled with the
> > +@option{-finstrument-control-flow} option.  The compiler assumes that
> > +the function's address from the pointer is a valid target for a
> > +control-flow transfer.  A direct function call through a function
> > +name is assumed as a save call thus direct calls will not be
> > +instrumented by the compiler.
> s/save/safe/
> 
> FWIW, I think putting the attribute into in the type system is a good thing :-)
> 
> > +
> > +The @code{notrack} attribute is applied to an object's type.  A The
> > +@code{notrack} attribute is transfered to a call instruction at the
> > +GIMPLE and RTL translation phases.  The attribute is not propagated
> > +through assignment, store and load.
> > +
> > +@smallexample
> > +@{
> > +void (*foo)(void) __attribute__(notrack); void (*foo1)(void)
> > +__attribute__(notrack); void (*foo2)(void);
> > +
> > +int
> > +foo (void) /* The function's address is not tracked.  */
> > +
> > +  /* This call site is not tracked for
> > +     control-flow instrumentation.  */  (*foo1)();
> > +  foo1 = foo2;
> > +  /* This call site is still not tracked for
> > +     control-flow instrumentation.  */  (*foo1)();
> > +
> > +  /* This call site is tracked for
> > +     control-flow instrumentation.  */  (*foo2)();
> > +  foo2 = foo1;
> > +  /* This call site is still tracked for
> > +     control-flow instrumentation.  */  (*foo2)();
> > +
> > +  return 0;
> > +@}
> > +@end smallexample
> Given the notrack attribute is part of the type system, could we issue a
> warning on the foo1 = foo2 assignment since we're discarding tracking that's
> implicit on foo2?
Fixed. For the code above messages are issued
w.c: In function 'foo':
w.c:22:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
   foo1 = foo2;
        ^
w.c:31:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
   foo2 = foo1;
        ^

> > +
> >  @end table
> >
> >  On the x86, the inliner does not inline a diff --git
> > a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 5ae9dc4..ff2ce92
> > 100644
> > --- a/gcc/doc/invoke.texi
> > +++ b/gcc/doc/invoke.texi
> > @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
> >  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
> > -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
> > -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> > +-finstrument-control-flow @gol
> >  -fstack-protector  -fstack-protector-all  -fstack-protector-strong
> > @gol  -fstack-protector-explicit  -fstack-check @gol
> > -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
> > @@ -11284,6 +11285,27 @@ is used to link a program, the GCC driver
> > automatically links  against @file{libmpxwrappers}.  See also @option{-
> static-libmpxwrappers}.
> >  Enabled by default.
> >
> > +@item -finstrument-control-flow
> > +@opindex finstrument-control-flow
> > +@opindex fno-instrument-control-flow
> > +Enable code instrumentation of control-flow transfers to increase a
> > +program security by checking a target address of control-flow
> > +transfer instructions (i.e. routine call, routine return, jump) are
> > +valid targets.  This prevents diverting the control flow instructions
> > +from its original target address to a new undesigned target.  This is
> > +intended to protect against such theats as Return-oriented
> > +Programming (ROP), and similarly call/jmp-oriented programming
> > +(COP/JOP).
> "function call, function return, indirect jump" rather than "routine call,
> routine return, jump"?
Ok, fixed.

Thanks,
Igor

> 
> Jeff

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-08-25 21:38 ` Jeff Law
  2017-09-15 15:14   ` Tsimbalist, Igor V
@ 2017-09-19 13:45   ` Tsimbalist, Igor V
  2017-09-25  3:06     ` Sandra Loosemore
  1 sibling, 1 reply; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-19 13:45 UTC (permalink / raw)
  To: 'gcc-patches@gcc.gnu.org'; +Cc: Jeff Law, Tsimbalist, Igor V

[-- Attachment #1: Type: text/plain, Size: 7606 bytes --]

Here is an updated patch (version #2). Mainly attribute and option  names were changed.

gcc/doc/
	* extend.texi: Add 'nocf_check' documentation.
	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
	* invoke.texi: Add -fcf-protection documentation.
	* rtl.texi: Add REG_CALL_NOTRACK documenation.

Is it ok for trunk?

Thanks,
Igor


> -----Original Message-----
> From: Tsimbalist, Igor V
> Sent: Friday, September 15, 2017 5:14 PM
> To: 'Jeff Law' <law@redhat.com>; 'gcc-patches@gcc.gnu.org' <gcc-
> patches@gcc.gnu.org>
> Cc: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>
> Subject: RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> > -----Original Message-----
> > From: Jeff Law [mailto:law@redhat.com]
> > Sent: Friday, August 25, 2017 10:59 PM
> > To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> > patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> > Subject: Re:
> > 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> > attribute
> >
> > On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote:
> > > Part#2. Document -finstrument-control-flow and notrack attribute.
> > >
> > >
> > > 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch
> > >
> > >
> > > From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00
> > 2001
> > > From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> > > Date: Mon, 3 Jul 2017 17:12:49 +0300
> > > Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and
> > > notrack  attribute.
> > >
> > > gcc/
> > > 	* doc/extend.texi: Add 'notrack' documentation.
> > > 	* doc/invoke.texi: Add -finstrument-control-flow documentation.
> > > 	* doc/rtl.texi: Add REG_CALL_NOTRACK documenation.
> > > ---
> > >  gcc/doc/extend.texi | 52
> > > ++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
> > >  gcc/doc/rtl.texi    | 15 +++++++++++++++
> > >  3 files changed, 89 insertions(+)
> > >
> > > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index
> > > 6934b4c..80de8a7 100644
> > > --- a/gcc/doc/extend.texi
> > > +++ b/gcc/doc/extend.texi
> > > @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use.
> > > You must specify the  @code{target("fpmath=sse,387")} option as
> > > @code{target("fpmath=sse+387")} because the comma would separate
> > > different options.
> > > +
> > > +@item notrack
> > > +@cindex @code{notrack} function attribute The @code{notrack}
> > > +attribute on a function is used to inform the compiler that the
> > > +function's prolog should not be instrumented when compiled with the
> > > +@option{-finstrument-control-flow} option.  The compiler assumes
> > > +that the function's address is a valid target for a control-flow transfer.
> > Is the default to instrument everything when -finstrument-control-flow
> > is enabled?  Or can we avoid instrumentation on a function that never
> > has its address taken (ie, it is only called via a call instruction?)
> The instrumentation is on by default but for all platform except of x86 it does
> nothing as the implementation is not supported. For x86 the implementation
> is lightweight and just increase a bit code size due to 'endbranch' instruction.
> 
> Given a function decl is there an information already available if an address
> was taken from the function? I plan to do what you suggested later as an
> optimization especially for global function where ipa is required.
> 
> > > +
> > > +The @code{notrack} attribute on a type of pointer to function is
> > > +used to inform the compiler that a call through the pointer should
> > > +not be instrumented when compiled with the
> > > +@option{-finstrument-control-flow} option.  The compiler assumes
> > > +that the function's address from the pointer is a valid target for
> > > +a control-flow transfer.  A direct function call through a function
> > > +name is assumed as a save call thus direct calls will not be
> > > +instrumented by the compiler.
> > s/save/safe/
> >
> > FWIW, I think putting the attribute into in the type system is a good
> > thing :-)
> >
> > > +
> > > +The @code{notrack} attribute is applied to an object's type.  A The
> > > +@code{notrack} attribute is transfered to a call instruction at the
> > > +GIMPLE and RTL translation phases.  The attribute is not propagated
> > > +through assignment, store and load.
> > > +
> > > +@smallexample
> > > +@{
> > > +void (*foo)(void) __attribute__(notrack); void (*foo1)(void)
> > > +__attribute__(notrack); void (*foo2)(void);
> > > +
> > > +int
> > > +foo (void) /* The function's address is not tracked.  */
> > > +
> > > +  /* This call site is not tracked for
> > > +     control-flow instrumentation.  */  (*foo1)();
> > > +  foo1 = foo2;
> > > +  /* This call site is still not tracked for
> > > +     control-flow instrumentation.  */  (*foo1)();
> > > +
> > > +  /* This call site is tracked for
> > > +     control-flow instrumentation.  */  (*foo2)();
> > > +  foo2 = foo1;
> > > +  /* This call site is still tracked for
> > > +     control-flow instrumentation.  */  (*foo2)();
> > > +
> > > +  return 0;
> > > +@}
> > > +@end smallexample
> > Given the notrack attribute is part of the type system, could we issue
> > a warning on the foo1 = foo2 assignment since we're discarding
> > tracking that's implicit on foo2?
> Fixed. For the code above messages are issued
> w.c: In function 'foo':
> w.c:22:8: warning: nocf_check attribute mismatch for assignment [-
> Wattributes]
>    foo1 = foo2;
>         ^
> w.c:31:8: warning: nocf_check attribute mismatch for assignment [-
> Wattributes]
>    foo2 = foo1;
>         ^
> 
> > > +
> > >  @end table
> > >
> > >  On the x86, the inliner does not inline a diff --git
> > > a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 5ae9dc4..ff2ce92
> > > 100644
> > > --- a/gcc/doc/invoke.texi
> > > +++ b/gcc/doc/invoke.texi
> > > @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
> > >  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
> > > -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
> > > -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> > > +-finstrument-control-flow @gol
> > >  -fstack-protector  -fstack-protector-all  -fstack-protector-strong
> > > @gol  -fstack-protector-explicit  -fstack-check @gol
> > > -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym}
> > > @gol @@ -11284,6 +11285,27 @@ is used to link a program, the GCC
> > > driver automatically links  against @file{libmpxwrappers}.  See also
> > > @option{-
> > static-libmpxwrappers}.
> > >  Enabled by default.
> > >
> > > +@item -finstrument-control-flow
> > > +@opindex finstrument-control-flow
> > > +@opindex fno-instrument-control-flow Enable code instrumentation of
> > > +control-flow transfers to increase a program security by checking a
> > > +target address of control-flow transfer instructions (i.e. routine
> > > +call, routine return, jump) are valid targets.  This prevents
> > > +diverting the control flow instructions from its original target
> > > +address to a new undesigned target.  This is intended to protect
> > > +against such theats as Return-oriented Programming (ROP), and
> > > +similarly call/jmp-oriented programming (COP/JOP).
> > "function call, function return, indirect jump" rather than "routine
> > call, routine return, jump"?
> Ok, fixed.
> 
> Thanks,
> Igor
> 
> >
> > Jeff

[-- Attachment #2: 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch --]
[-- Type: application/octet-stream, Size: 7826 bytes --]

From 1313b45a27500a93342c12ad486aee25bb07d701 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Sun, 17 Sep 2017 14:57:29 +0300
Subject: [PATCH 2/3] Add documentation for fcf-protection option and
 nocf_check attribute

gcc/doc/
	* extend.texi: Add 'nocf_check' documentation.
	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
	* invoke.texi: Add -fcf-protection documentation.
	* rtl.texi: Add REG_CALL_NOTRACK documenation.
---
 gcc/doc/extend.texi | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi |  8 +++++---
 gcc/doc/invoke.texi | 30 ++++++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 15 +++++++++++++++
 4 files changed, 100 insertions(+), 3 deletions(-)
---
 gcc/doc/extend.texi | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi |  8 +++++---
 gcc/doc/invoke.texi | 30 ++++++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 15 +++++++++++++++
 4 files changed, 100 insertions(+), 3 deletions(-)

diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cd5733e..6bdb183 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5646,6 +5646,56 @@ Specify which floating-point unit to use.  You must specify the
 @code{target("fpmath=sse,387")} option as
 @code{target("fpmath=sse+387")} because the comma would separate
 different options.
+
+@item nocf_check
+@cindex @code{nocf_check} function attribute
+The @code{nocf_check} attribute on a function is used to inform the
+compiler that the function's prolog should not be instrumented when
+compiled with the @option{-fcf-protection=branch} option.  The
+compiler assumes that the function's address is a valid target for a
+control-flow transfer.
+
+The @code{nocf_check} attribute on a type of pointer to function is
+used to inform the compiler that a call through the pointer should
+not be instrumented when compiled with the
+@option{-fcf-protection=branch} option.  The compiler assumes
+that the function's address from the pointer is a valid target for
+a control-flow transfer.  A direct function call through a function
+name is assumed as a safe call thus direct calls will not be
+instrumented by the compiler.
+
+The @code{nocf_check} attribute is applied to an object's type.  A
+The @code{nocf_check} attribute is transfered to a call instruction at
+the GIMPLE and RTL translation phases.  The attribute is not propagated
+through assignment, store and load.
+
+@smallexample
+@{
+int foo (void) __attribute__(nocf_check);
+void (*foo1)(void) __attribute__(nocf_check);
+void (*foo2)(void);
+
+int
+foo (void) /* The function's address is assumed as valid.  */
+
+  /* This call site is not checked for control-flow validness.  */
+  (*foo1)();
+
+  foo1 = foo2;
+  /* This call site is still not checked for control-flow validness.  */
+  (*foo1)();
+
+  /* This call site is checked for control-flow validness.  */
+  (*foo2)();
+
+  foo2 = foo1;
+  /* This call site is still checked for control-flow validness.  */
+  (*foo2)();
+
+  return 0;
+@}
+@end smallexample
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi
index 635abd3..b6d9149 100644
--- a/gcc/doc/gimple.texi
+++ b/gcc/doc/gimple.texi
@@ -1310,9 +1310,11 @@ operand is validated with @code{is_gimple_operand}).
 @end deftypefn
 
 
-@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr)
-Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and the
-function are taken from the expression directly.  This routine
+@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr, @
+tree fnptrtype)
+Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and
+the function are taken from the expression directly.  The type is set from
+the second parameter passed by a caller.  This routine
 assumes that @code{call_expr} is already in GIMPLE form.  That is, its
 operands are GIMPLE values and the function call needs no further
 simplification.  All the call flags in @code{call_expr} are copied over
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index e4cacf2..578bc25 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
 -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
 -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
 -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
+-fcf-protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@r{]} @gol
 -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
 -fstack-protector-explicit  -fstack-check @gol
 -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
@@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver automatically links
 against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
 Enabled by default.
 
+@item -fcf-protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@r{]}
+@opindex fcf-protection
+Enable code instrumentation of control-flow transfers to increase
+a program security by checking a target address of control-flow
+transfer instructions (such as indirect function call, function return,
+indirect jump) are valid targets.  This prevents diverting the control
+flow instructions from its original target address to a new undesigned
+target.  This is intended to protect against such theats as
+Return-oriented Programming (ROP), and similarly call/jmp-oriented
+programming (COP/JOP).
+
+Each compiler, which will support the control-flow instrumentation,
+is supposed to have its own target specific implementation of the
+control-flow instrumentation and in case of absence of such
+implementation the usage of @option{-fcf-protection} will
+cause an error message.
+
+The value @var{branch} tells the compiler to implement checking of
+validness of control-flow trasfer for at the point of indirect branch
+instructions, i.e. call/jmp instructions.  The value @var{return}
+implements checking of validness at the point of returning from a
+function.  The value @var{full} is an alias for specifying both
+'branch' and 'return'. The value @var{none} turns off instrumentation.
+This value may be used for those architectures where @option{-fcf-protection}
+is switched on by default.
+
+A user also has a control through the @code{nocf_check} attribute to identify
+which functions and calls should be skipped from instrumentation.
+
 @item -fstack-protector
 @opindex fstack-protector
 Emit extra code to check for buffer overflows, such as stack smashing
diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
index 12355c2..f023067 100644
--- a/gcc/doc/rtl.texi
+++ b/gcc/doc/rtl.texi
@@ -4040,6 +4040,21 @@ is used in place of the actual insn pattern.  This is done in cases where
 the pattern is either complex or misleading.
 @end table
 
+The note @code{REG_CALL_NOCF_CHECK} describe the information connected to
+the code instrumentation which is done when @code{-fcf-protection=branch}
+option is specified.  The note is set if a @code{nocf_check} attribute is
+specified.  The note is stored in the @code{REG_NOTES} field of an insn.
+
+@table @code
+@findex REG_CALL_NOCF_CHECK
+@item REG_CALL_NOCF_CHECK
+A user has a control through the @code{nocf_check} attribute to identify
+which call to a function should be skipped from control-flow instrumentation
+when the option @code{-fcf-protection=branch} is specified.  The compiler
+puts a @samp{REG_CALL_NO_VERIFY} note on @samp{CALL_INSN} instruction,
+which has a function type marked with a @code{nocf_check} attribute.
+@end table
+
 For convenience, the machine mode in an @code{insn_list} or
 @code{expr_list} is printed using these symbolic codes in debugging dumps.
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-19 13:45   ` Tsimbalist, Igor V
@ 2017-09-25  3:06     ` Sandra Loosemore
  2017-09-25 21:57       ` Tsimbalist, Igor V
  0 siblings, 1 reply; 12+ messages in thread
From: Sandra Loosemore @ 2017-09-25  3:06 UTC (permalink / raw)
  To: Tsimbalist, Igor V, 'gcc-patches@gcc.gnu.org'; +Cc: Jeff Law

On 09/19/2017 07:45 AM, Tsimbalist, Igor V wrote:
> Here is an updated patch (version #2). Mainly attribute and option  names were changed.
>
> gcc/doc/
> 	* extend.texi: Add 'nocf_check' documentation.
> 	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
> 	* invoke.texi: Add -fcf-protection documentation.
> 	* rtl.texi: Add REG_CALL_NOTRACK documenation.
>
> Is it ok for trunk?
> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> index cd5733e..6bdb183 100644
> --- a/gcc/doc/extend.texi
> +++ b/gcc/doc/extend.texi
> @@ -5646,6 +5646,56 @@ Specify which floating-point unit to use.  You must specify the
>  @code{target("fpmath=sse,387")} option as
>  @code{target("fpmath=sse+387")} because the comma would separate
>  different options.
> +
> +@item nocf_check
> +@cindex @code{nocf_check} function attribute
> +The @code{nocf_check} attribute on a function is used to inform the
> +compiler that the function's prolog should not be instrumented when

s/prolog/prologue/

> +compiled with the @option{-fcf-protection=branch} option.  The
> +compiler assumes that the function's address is a valid target for a
> +control-flow transfer.
> +
> +The @code{nocf_check} attribute on a type of pointer to function is
> +used to inform the compiler that a call through the pointer should
> +not be instrumented when compiled with the
> +@option{-fcf-protection=branch} option.  The compiler assumes
> +that the function's address from the pointer is a valid target for
> +a control-flow transfer.  A direct function call through a function
> +name is assumed as a safe call thus direct calls will not be

...is assumed to be a safe call, thus direct calls are not...

> +instrumented by the compiler.
> +
> +The @code{nocf_check} attribute is applied to an object's type.  A
> +The @code{nocf_check} attribute is transfered to a call instruction at
> +the GIMPLE and RTL translation phases.  The attribute is not propagated
> +through assignment, store and load.

extend.texi is user-facing documentation, but the second sentence here 
is implementor-speak and not meaningful to users of GCC.  I don't 
understand what the third sentence is trying to say.

> +
> +@smallexample
> +@{
> +int foo (void) __attribute__(nocf_check);
> +void (*foo1)(void) __attribute__(nocf_check);
> +void (*foo2)(void);
> +
> +int
> +foo (void) /* The function's address is assumed as valid.  */

s/as valid/to be valid/

> +
> +  /* This call site is not checked for control-flow validness.  */

s/validness/validity/g

> +  (*foo1)();
> +
> +  foo1 = foo2;
> +  /* This call site is still not checked for control-flow validness.  */
> +  (*foo1)();
> +
> +  /* This call site is checked for control-flow validness.  */
> +  (*foo2)();
> +
> +  foo2 = foo1;
> +  /* This call site is still checked for control-flow validness.  */
> +  (*foo2)();
> +
> +  return 0;
> +@}
> +@end smallexample
> +
>  @end table
>
>  On the x86, the inliner does not inline a
> diff --git a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi
> index 635abd3..b6d9149 100644
> --- a/gcc/doc/gimple.texi
> +++ b/gcc/doc/gimple.texi
> @@ -1310,9 +1310,11 @@ operand is validated with @code{is_gimple_operand}).
>  @end deftypefn
>
>
> -@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr)
> -Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and the
> -function are taken from the expression directly.  This routine
> +@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr, @
> +tree fnptrtype)
> +Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and
> +the function are taken from the expression directly.  The type is set from
> +the second parameter passed by a caller.  This routine
>  assumes that @code{call_expr} is already in GIMPLE form.  That is, its
>  operands are GIMPLE values and the function call needs no further
>  simplification.  All the call flags in @code{call_expr} are copied over
> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> index e4cacf2..578bc25 100644
> --- a/gcc/doc/invoke.texi
> +++ b/gcc/doc/invoke.texi
> @@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
>  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
>  -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
>  -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> +-fcf-protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@r{]} @gol

Are full/branch/return/none supposed to be literal strings?  @var is the 
wrong markup for that.

>  -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
>  -fstack-protector-explicit  -fstack-check @gol
>  -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
> @@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver automatically links
>  against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
>  Enabled by default.
>
> +@item -fcf-protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@r{]}

Again, markup?

> +@opindex fcf-protection
> +Enable code instrumentation of control-flow transfers to increase
> +a program security by checking a target address of control-flow

s/a program/program/
s/checking a target address/checking that target addresses/

> +transfer instructions (such as indirect function call, function return,
> +indirect jump) are valid targets.  This prevents diverting the control

s/are valid targets/are valid/

> +flow instructions from its original target address to a new undesigned

s/a new undesigned/an unintended/ ??
(not sure what you're trying to say here).

> +target.  This is intended to protect against such theats as

s/theats/threats

> +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> +programming (COP/JOP).
> +
> +Each compiler, which will support the control-flow instrumentation,
> +is supposed to have its own target specific implementation of the
> +control-flow instrumentation and in case of absence of such
> +implementation the usage of @option{-fcf-protection} will
> +cause an error message.

That whole paragraph is very long-winded.  Are you trying to say here

Currently GCC only supports this option on [...] targets.

??

> +
> +The value @var{branch} tells the compiler to implement checking of

Again, wrong markup?  If it's a literal, use @code{branch}.

> +validness of control-flow trasfer for at the point of indirect branch

s/validness/validity/
s/trasfer for/transfer/

> +instructions, i.e. call/jmp instructions.  The value @var{return}

Again, wrong use of @var markup?

> +implements checking of validness at the point of returning from a
> +function.  The value @var{full} is an alias for specifying both
> +'branch' and 'return'. The value @var{none} turns off instrumentation.

Here too.  And do not use literal quotes for markup.

> +This value may be used for those architectures where @option{-fcf-protection}
> +is switched on by default.

Which architectures are those?

> +A user also has a control through the @code{nocf_check} attribute to identify

Users are the readers of this document and should be addressed directly:

You can also use the @code{nocf_check} attribute....

> +which functions and calls should be skipped from instrumentation.
> +

Please add a cross-reference here.

>  @item -fstack-protector
>  @opindex fstack-protector
>  Emit extra code to check for buffer overflows, such as stack smashing
> diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
> index 12355c2..f023067 100644
> --- a/gcc/doc/rtl.texi
> +++ b/gcc/doc/rtl.texi
> @@ -4040,6 +4040,21 @@ is used in place of the actual insn pattern.  This is done in cases where
>  the pattern is either complex or misleading.
>  @end table
>
> +The note @code{REG_CALL_NOCF_CHECK} describe the information connected to
> +the code instrumentation which is done when @code{-fcf-protection=branch}
> +option is specified.

Hmmm, how about rewriting this as

The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
@option{-fcf-protection=branch} option.

> The note is set if a @code{nocf_check} attribute is
> +specified.  The note is stored in the @code{REG_NOTES} field of an insn.

> +@table @code
> +@findex REG_CALL_NOCF_CHECK
> +@item REG_CALL_NOCF_CHECK
> +A user has a control through the @code{nocf_check} attribute to identify
> +which call to a function should be skipped from control-flow instrumentation
> +when the option @code{-fcf-protection=branch} is specified.  The compiler

@option markup instead of @code on options, please.

> +puts a @samp{REG_CALL_NO_VERIFY} note on @samp{CALL_INSN} instruction,
> +which has a function type marked with a @code{nocf_check} attribute.
> +@end table
> +
>  For convenience, the machine mode in an @code{insn_list} or
>  @code{expr_list} is printed using these symbolic codes in debugging dumps.
>
> --
> 1.8.3.1
>

-Sandra

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-25  3:06     ` Sandra Loosemore
@ 2017-09-25 21:57       ` Tsimbalist, Igor V
  2017-09-26 13:45         ` Tsimbalist, Igor V
  0 siblings, 1 reply; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-25 21:57 UTC (permalink / raw)
  To: Sandra Loosemore, 'gcc-patches@gcc.gnu.org'
  Cc: Jeff Law, Tsimbalist, Igor V

> -----Original Message-----
> From: Sandra Loosemore [mailto:sandra@codesourcery.com]
> Sent: Monday, September 25, 2017 5:07 AM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Cc: Jeff Law <law@redhat.com>
> Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> On 09/19/2017 07:45 AM, Tsimbalist, Igor V wrote:
> > Here is an updated patch (version #2). Mainly attribute and option  names
> were changed.
> >
> > gcc/doc/
> > 	* extend.texi: Add 'nocf_check' documentation.
> > 	* gimple.texi: Add second parameter to
> gimple_build_call_from_tree.
> > 	* invoke.texi: Add -fcf-protection documentation.
> > 	* rtl.texi: Add REG_CALL_NOTRACK documenation.
> >
> > Is it ok for trunk?
> > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index
> > cd5733e..6bdb183 100644
> > --- a/gcc/doc/extend.texi
> > +++ b/gcc/doc/extend.texi
> > @@ -5646,6 +5646,56 @@ Specify which floating-point unit to use.  You
> > must specify the  @code{target("fpmath=sse,387")} option as
> > @code{target("fpmath=sse+387")} because the comma would separate
> > different options.
> > +
> > +@item nocf_check
> > +@cindex @code{nocf_check} function attribute The @code{nocf_check}
> > +attribute on a function is used to inform the compiler that the
> > +function's prolog should not be instrumented when
> 
> s/prolog/prologue/

Fixed.

> > +compiled with the @option{-fcf-protection=branch} option.  The
> > +compiler assumes that the function's address is a valid target for a
> > +control-flow transfer.
> > +
> > +The @code{nocf_check} attribute on a type of pointer to function is
> > +used to inform the compiler that a call through the pointer should
> > +not be instrumented when compiled with the
> > +@option{-fcf-protection=branch} option.  The compiler assumes that
> > +the function's address from the pointer is a valid target for a
> > +control-flow transfer.  A direct function call through a function
> > +name is assumed as a safe call thus direct calls will not be
> 
> ...is assumed to be a safe call, thus direct calls are not...

Fixed.

> > +instrumented by the compiler.
> > +
> > +The @code{nocf_check} attribute is applied to an object's type.  A
> > +The @code{nocf_check} attribute is transfered to a call instruction
> > +at the GIMPLE and RTL translation phases.  The attribute is not
> > +propagated through assignment, store and load.
> 
> extend.texi is user-facing documentation, but the second sentence here is
> implementor-speak and not meaningful to users of GCC.  I don't understand
> what the third sentence is trying to say.

The second sentence is removed. The third sentence is re-written as

In case of assignment of a function address or a function pointer to
another pointer, the attribute is not carried over from the right-hand
object's type, the type of left-hand object stays unchanged.  The
compiler checks for @code{nocf_check} attribute mismatch and reports
a warning in case of mismatch.

> > +
> > +@smallexample
> > +@{
> > +int foo (void) __attribute__(nocf_check); void (*foo1)(void)
> > +__attribute__(nocf_check); void (*foo2)(void);
> > +
> > +int
> > +foo (void) /* The function's address is assumed as valid.  */
> 
> s/as valid/to be valid/

Fixed.

> > +
> > +  /* This call site is not checked for control-flow validness.  */
> 
> s/validness/validity/g

Fixed.

> > +  (*foo1)();
> > +
> > +  foo1 = foo2;
> > +  /* This call site is still not checked for control-flow validness.
> > + */  (*foo1)();
> > +
> > +  /* This call site is checked for control-flow validness.  */
> > + (*foo2)();
> > +
> > +  foo2 = foo1;
> > +  /* This call site is still checked for control-flow validness.  */
> > + (*foo2)();
> > +
> > +  return 0;
> > +@}
> > +@end smallexample
> > +
> >  @end table
> >
> >  On the x86, the inliner does not inline a diff --git
> > a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi index 635abd3..b6d9149
> > 100644
> > --- a/gcc/doc/gimple.texi
> > +++ b/gcc/doc/gimple.texi
> > @@ -1310,9 +1310,11 @@ operand is validated with
> @code{is_gimple_operand}).
> >  @end deftypefn
> >
> >
> > -@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree
> > call_expr) -Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.
> > The arguments and the -function are taken from the expression
> > directly.  This routine
> > +@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree
> > +call_expr, @ tree fnptrtype) Build a @code{GIMPLE_CALL} from a
> > +@code{CALL_EXPR} node.  The arguments and the function are taken
> from
> > +the expression directly.  The type is set from the second parameter
> > +passed by a caller.  This routine
> >  assumes that @code{call_expr} is already in GIMPLE form.  That is,
> > its  operands are GIMPLE values and the function call needs no further
> > simplification.  All the call flags in @code{call_expr} are copied
> > over diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index
> > e4cacf2..578bc25 100644
> > --- a/gcc/doc/invoke.texi
> > +++ b/gcc/doc/invoke.texi
> > @@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
> >  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
> > -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
> > -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> > +-fcf-
> protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@
> > +r{]} @gol
> 
> Are full/branch/return/none supposed to be literal strings?  @var is the
> wrong markup for that.

Yes, these are string literals. @var is used a lot in text around my fixes that's why
I used it. What's the right markup for an option's values? Is it @code? Or fixed it
like this

-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} @gol

Is it ok?

> >  -fstack-protector  -fstack-protector-all  -fstack-protector-strong
> > @gol  -fstack-protector-explicit  -fstack-check @gol
> > -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
> > @@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver
> > automatically links  against @file{libmpxwrappers}.  See also @option{-
> static-libmpxwrappers}.
> >  Enabled by default.
> >
> > +@item
> > +-fcf-
> protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@
> > +r{]}
> 
> Again, markup?

Fixed as above.

> > +@opindex fcf-protection
> > +Enable code instrumentation of control-flow transfers to increase a
> > +program security by checking a target address of control-flow
> 
> s/a program/program/
> s/checking a target address/checking that target addresses/

Fixed.

> > +transfer instructions (such as indirect function call, function
> > +return, indirect jump) are valid targets.  This prevents diverting
> > +the control
> 
> s/are valid targets/are valid/

Fixed.

> > +flow instructions from its original target address to a new
> > +undesigned
> 
> s/a new undesigned/an unintended/ ??
> (not sure what you're trying to say here).

The point here is that an attacker can change a target address in a control
flow transfer instruction so the transfer will go not to the right address but to
some undesigned/unexpected or wrong address. 

> > +target.  This is intended to protect against such theats as
> 
> s/theats/threats

Fixed.

> > +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> > +programming (COP/JOP).
> > +
> > +Each compiler, which will support the control-flow instrumentation,
> > +is supposed to have its own target specific implementation of the
> > +control-flow instrumentation and in case of absence of such
> > +implementation the usage of @option{-fcf-protection} will cause an
> > +error message.
> 
> That whole paragraph is very long-winded.  Are you trying to say here
> 
> Currently GCC only supports this option on [...] targets.
> 
> ??

How about this wording:

Each compiler target, which is going to support the control-flow
instrumentation, is supposed to have its own target specific
implementation. For all targets where an implementation is absent the
usage of @option{-fcf-protection} option causes an error message.

?

> > +
> > +The value @var{branch} tells the compiler to implement checking of
> 
> Again, wrong markup?  If it's a literal, use @code{branch}.

Fixed.

> > +validness of control-flow trasfer for at the point of indirect branch
> 
> s/validness/validity/
> s/trasfer for/transfer/

Fixed.

> > +instructions, i.e. call/jmp instructions.  The value @var{return}
> 
> Again, wrong use of @var markup?

Fixed.

> > +implements checking of validness at the point of returning from a
> > +function.  The value @var{full} is an alias for specifying both
> > +'branch' and 'return'. The value @var{none} turns off instrumentation.
> 
> Here too.  And do not use literal quotes for markup.

Fixed.

> > +This value may be used for those architectures where
> > +@option{-fcf-protection} is switched on by default.
> 
> Which architectures are those?

These are future architectures. I've changed 'those' to 'future'.

> > +A user also has a control through the @code{nocf_check} attribute to
> > +identify
> 
> Users are the readers of this document and should be addressed directly:
> 
> You can also use the @code{nocf_check} attribute....

Fixed.

> > +which functions and calls should be skipped from instrumentation.
> > +
> 
> Please add a cross-reference here.

Fixed.

> >  @item -fstack-protector
> >  @opindex fstack-protector
> >  Emit extra code to check for buffer overflows, such as stack smashing
> > diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi index
> > 12355c2..f023067 100644
> > --- a/gcc/doc/rtl.texi
> > +++ b/gcc/doc/rtl.texi
> > @@ -4040,6 +4040,21 @@ is used in place of the actual insn pattern.
> > This is done in cases where  the pattern is either complex or misleading.
> >  @end table
> >
> > +The note @code{REG_CALL_NOCF_CHECK} describe the information
> > +connected to the code instrumentation which is done when
> > +@code{-fcf-protection=branch} option is specified.
> 
> Hmmm, how about rewriting this as
> 
> The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
> @option{-fcf-protection=branch} option.

Good. Agree and fixed.

> > The note is set if a @code{nocf_check} attribute is
> > +specified.  The note is stored in the @code{REG_NOTES} field of an insn.
> 
> > +@table @code
> > +@findex REG_CALL_NOCF_CHECK
> > +@item REG_CALL_NOCF_CHECK
> > +A user has a control through the @code{nocf_check} attribute to
> > +identify which call to a function should be skipped from control-flow
> > +instrumentation when the option @code{-fcf-protection=branch} is
> > +specified.  The compiler
> 
> @option markup instead of @code on options, please.

Fixed.

> > +puts a @samp{REG_CALL_NO_VERIFY} note on @samp{CALL_INSN}
> > +instruction, which has a function type marked with a @code{nocf_check}
> attribute.
> > +@end table
> > +
> >  For convenience, the machine mode in an @code{insn_list} or
> > @code{expr_list} is printed using these symbolic codes in debugging
> dumps.
> >
> > --
> > 1.8.3.1
> >
> 
> -Sandra

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-25 21:57       ` Tsimbalist, Igor V
@ 2017-09-26 13:45         ` Tsimbalist, Igor V
  2017-09-27  3:11           ` Sandra Loosemore
  0 siblings, 1 reply; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-26 13:45 UTC (permalink / raw)
  To: Sandra Loosemore, 'gcc-patches@gcc.gnu.org'
  Cc: Jeff Law, Tsimbalist, Igor V

[-- Attachment #1: Type: text/plain, Size: 12624 bytes --]

Here is the updated version (version#3). All comments below are fixed.

Igor


> -----Original Message-----
> From: Tsimbalist, Igor V
> Sent: Monday, September 25, 2017 11:57 PM
> To: Sandra Loosemore <sandra@codesourcery.com>; 'gcc-
> patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Cc: Jeff Law <law@redhat.com>; Tsimbalist, Igor V
> <igor.v.tsimbalist@intel.com>
> Subject: RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> > -----Original Message-----
> > From: Sandra Loosemore [mailto:sandra@codesourcery.com]
> > Sent: Monday, September 25, 2017 5:07 AM
> > To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> > patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> > Cc: Jeff Law <law@redhat.com>
> > Subject: Re:
> > 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> > attribute
> >
> > On 09/19/2017 07:45 AM, Tsimbalist, Igor V wrote:
> > > Here is an updated patch (version #2). Mainly attribute and option
> > > names
> > were changed.
> > >
> > > gcc/doc/
> > > 	* extend.texi: Add 'nocf_check' documentation.
> > > 	* gimple.texi: Add second parameter to
> > gimple_build_call_from_tree.
> > > 	* invoke.texi: Add -fcf-protection documentation.
> > > 	* rtl.texi: Add REG_CALL_NOTRACK documenation.
> > >
> > > Is it ok for trunk?
> > > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index
> > > cd5733e..6bdb183 100644
> > > --- a/gcc/doc/extend.texi
> > > +++ b/gcc/doc/extend.texi
> > > @@ -5646,6 +5646,56 @@ Specify which floating-point unit to use.
> > > You must specify the  @code{target("fpmath=sse,387")} option as
> > > @code{target("fpmath=sse+387")} because the comma would separate
> > > different options.
> > > +
> > > +@item nocf_check
> > > +@cindex @code{nocf_check} function attribute The
> @code{nocf_check}
> > > +attribute on a function is used to inform the compiler that the
> > > +function's prolog should not be instrumented when
> >
> > s/prolog/prologue/
> 
> Fixed.
> 
> > > +compiled with the @option{-fcf-protection=branch} option.  The
> > > +compiler assumes that the function's address is a valid target for
> > > +a control-flow transfer.
> > > +
> > > +The @code{nocf_check} attribute on a type of pointer to function is
> > > +used to inform the compiler that a call through the pointer should
> > > +not be instrumented when compiled with the
> > > +@option{-fcf-protection=branch} option.  The compiler assumes that
> > > +the function's address from the pointer is a valid target for a
> > > +control-flow transfer.  A direct function call through a function
> > > +name is assumed as a safe call thus direct calls will not be
> >
> > ...is assumed to be a safe call, thus direct calls are not...
> 
> Fixed.
> 
> > > +instrumented by the compiler.
> > > +
> > > +The @code{nocf_check} attribute is applied to an object's type.  A
> > > +The @code{nocf_check} attribute is transfered to a call instruction
> > > +at the GIMPLE and RTL translation phases.  The attribute is not
> > > +propagated through assignment, store and load.
> >
> > extend.texi is user-facing documentation, but the second sentence here
> > is implementor-speak and not meaningful to users of GCC.  I don't
> > understand what the third sentence is trying to say.
> 
> The second sentence is removed. The third sentence is re-written as
> 
> In case of assignment of a function address or a function pointer to another
> pointer, the attribute is not carried over from the right-hand object's type,
> the type of left-hand object stays unchanged.  The compiler checks for
> @code{nocf_check} attribute mismatch and reports a warning in case of
> mismatch.
> 
> > > +
> > > +@smallexample
> > > +@{
> > > +int foo (void) __attribute__(nocf_check); void (*foo1)(void)
> > > +__attribute__(nocf_check); void (*foo2)(void);
> > > +
> > > +int
> > > +foo (void) /* The function's address is assumed as valid.  */
> >
> > s/as valid/to be valid/
> 
> Fixed.
> 
> > > +
> > > +  /* This call site is not checked for control-flow validness.  */
> >
> > s/validness/validity/g
> 
> Fixed.
> 
> > > +  (*foo1)();
> > > +
> > > +  foo1 = foo2;
> > > +  /* This call site is still not checked for control-flow validness.
> > > + */  (*foo1)();
> > > +
> > > +  /* This call site is checked for control-flow validness.  */
> > > + (*foo2)();
> > > +
> > > +  foo2 = foo1;
> > > +  /* This call site is still checked for control-flow validness.
> > > + */ (*foo2)();
> > > +
> > > +  return 0;
> > > +@}
> > > +@end smallexample
> > > +
> > >  @end table
> > >
> > >  On the x86, the inliner does not inline a diff --git
> > > a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi index 635abd3..b6d9149
> > > 100644
> > > --- a/gcc/doc/gimple.texi
> > > +++ b/gcc/doc/gimple.texi
> > > @@ -1310,9 +1310,11 @@ operand is validated with
> > @code{is_gimple_operand}).
> > >  @end deftypefn
> > >
> > >
> > > -@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree
> > > (tree
> > > call_expr) -Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR}
> node.
> > > The arguments and the -function are taken from the expression
> > > directly.  This routine
> > > +@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree
> > > +(tree call_expr, @ tree fnptrtype) Build a @code{GIMPLE_CALL} from
> > > +a @code{CALL_EXPR} node.  The arguments and the function are taken
> > from
> > > +the expression directly.  The type is set from the second parameter
> > > +passed by a caller.  This routine
> > >  assumes that @code{call_expr} is already in GIMPLE form.  That is,
> > > its  operands are GIMPLE values and the function call needs no
> > > further simplification.  All the call flags in @code{call_expr} are
> > > copied over diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> > > index
> > > e4cacf2..578bc25 100644
> > > --- a/gcc/doc/invoke.texi
> > > +++ b/gcc/doc/invoke.texi
> > > @@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
> > >  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
> > > -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
> > > -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> > > +-fcf-
> > protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@
> > > +r{]} @gol
> >
> > Are full/branch/return/none supposed to be literal strings?  @var is
> > the wrong markup for that.
> 
> Yes, these are string literals. @var is used a lot in text around my fixes that's
> why I used it. What's the right markup for an option's values? Is it @code? Or
> fixed it like this
> 
> -fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} @gol
> 
> Is it ok?
> 
> > >  -fstack-protector  -fstack-protector-all  -fstack-protector-strong
> > > @gol  -fstack-protector-explicit  -fstack-check @gol
> > > -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym}
> > > @gol @@ -11348,6 +11349,35 @@ is used to link a program, the GCC
> > > driver automatically links  against @file{libmpxwrappers}.  See also
> > > @option{-
> > static-libmpxwrappers}.
> > >  Enabled by default.
> > >
> > > +@item
> > > +-fcf-
> > protection=@r{[}@var{full}|@var{branch}|@var{return}|@var{none}@
> > > +r{]}
> >
> > Again, markup?
> 
> Fixed as above.
> 
> > > +@opindex fcf-protection
> > > +Enable code instrumentation of control-flow transfers to increase a
> > > +program security by checking a target address of control-flow
> >
> > s/a program/program/
> > s/checking a target address/checking that target addresses/
> 
> Fixed.
> 
> > > +transfer instructions (such as indirect function call, function
> > > +return, indirect jump) are valid targets.  This prevents diverting
> > > +the control
> >
> > s/are valid targets/are valid/
> 
> Fixed.
> 
> > > +flow instructions from its original target address to a new
> > > +undesigned
> >
> > s/a new undesigned/an unintended/ ??
> > (not sure what you're trying to say here).
> 
> The point here is that an attacker can change a target address in a control
> flow transfer instruction so the transfer will go not to the right address but to
> some undesigned/unexpected or wrong address.
> 
> > > +target.  This is intended to protect against such theats as
> >
> > s/theats/threats
> 
> Fixed.
> 
> > > +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> > > +programming (COP/JOP).
> > > +
> > > +Each compiler, which will support the control-flow instrumentation,
> > > +is supposed to have its own target specific implementation of the
> > > +control-flow instrumentation and in case of absence of such
> > > +implementation the usage of @option{-fcf-protection} will cause an
> > > +error message.
> >
> > That whole paragraph is very long-winded.  Are you trying to say here
> >
> > Currently GCC only supports this option on [...] targets.
> >
> > ??
> 
> How about this wording:
> 
> Each compiler target, which is going to support the control-flow
> instrumentation, is supposed to have its own target specific implementation.
> For all targets where an implementation is absent the usage of @option{-fcf-
> protection} option causes an error message.
> 
> ?
> 
> > > +
> > > +The value @var{branch} tells the compiler to implement checking of
> >
> > Again, wrong markup?  If it's a literal, use @code{branch}.
> 
> Fixed.
> 
> > > +validness of control-flow trasfer for at the point of indirect
> > > +branch
> >
> > s/validness/validity/
> > s/trasfer for/transfer/
> 
> Fixed.
> 
> > > +instructions, i.e. call/jmp instructions.  The value @var{return}
> >
> > Again, wrong use of @var markup?
> 
> Fixed.
> 
> > > +implements checking of validness at the point of returning from a
> > > +function.  The value @var{full} is an alias for specifying both
> > > +'branch' and 'return'. The value @var{none} turns off instrumentation.
> >
> > Here too.  And do not use literal quotes for markup.
> 
> Fixed.
> 
> > > +This value may be used for those architectures where
> > > +@option{-fcf-protection} is switched on by default.
> >
> > Which architectures are those?
> 
> These are future architectures. I've changed 'those' to 'future'.
> 
> > > +A user also has a control through the @code{nocf_check} attribute
> > > +to identify
> >
> > Users are the readers of this document and should be addressed directly:
> >
> > You can also use the @code{nocf_check} attribute....
> 
> Fixed.
> 
> > > +which functions and calls should be skipped from instrumentation.
> > > +
> >
> > Please add a cross-reference here.
> 
> Fixed.
> 
> > >  @item -fstack-protector
> > >  @opindex fstack-protector
> > >  Emit extra code to check for buffer overflows, such as stack
> > > smashing diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi index
> > > 12355c2..f023067 100644
> > > --- a/gcc/doc/rtl.texi
> > > +++ b/gcc/doc/rtl.texi
> > > @@ -4040,6 +4040,21 @@ is used in place of the actual insn pattern.
> > > This is done in cases where  the pattern is either complex or misleading.
> > >  @end table
> > >
> > > +The note @code{REG_CALL_NOCF_CHECK} describe the information
> > > +connected to the code instrumentation which is done when
> > > +@code{-fcf-protection=branch} option is specified.
> >
> > Hmmm, how about rewriting this as
> >
> > The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
> > @option{-fcf-protection=branch} option.
> 
> Good. Agree and fixed.
> 
> > > The note is set if a @code{nocf_check} attribute is
> > > +specified.  The note is stored in the @code{REG_NOTES} field of an insn.
> >
> > > +@table @code
> > > +@findex REG_CALL_NOCF_CHECK
> > > +@item REG_CALL_NOCF_CHECK
> > > +A user has a control through the @code{nocf_check} attribute to
> > > +identify which call to a function should be skipped from
> > > +control-flow instrumentation when the option
> > > +@code{-fcf-protection=branch} is specified.  The compiler
> >
> > @option markup instead of @code on options, please.
> 
> Fixed.
> 
> > > +puts a @samp{REG_CALL_NO_VERIFY} note on @samp{CALL_INSN}
> > > +instruction, which has a function type marked with a
> > > +@code{nocf_check}
> > attribute.
> > > +@end table
> > > +
> > >  For convenience, the machine mode in an @code{insn_list} or
> > > @code{expr_list} is printed using these symbolic codes in debugging
> > dumps.
> > >
> > > --
> > > 1.8.3.1
> > >
> >
> > -Sandra


[-- Attachment #2: 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch --]
[-- Type: application/octet-stream, Size: 8263 bytes --]

From 64ec2989b8e21fffc1aac1e3fdee656c3bc26171 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Sun, 17 Sep 2017 14:57:29 +0300
Subject: [PATCH 2/6] Add documentation for fcf-protection option and
 nocf_check attribute

gcc/doc/
	* extend.texi: Add 'nocf_check' documentation.
	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
	* invoke.texi: Add -fcf-protection documentation.
	* rtl.texi: Add REG_CALL_NOTRACK documenation.
---
 gcc/doc/extend.texi | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi |  8 +++++---
 gcc/doc/invoke.texi | 30 ++++++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 15 +++++++++++++++
 4 files changed, 100 insertions(+), 3 deletions(-)
---
 gcc/doc/extend.texi | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi | 12 +++++++-----
 gcc/doc/invoke.texi | 30 ++++++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 16 ++++++++++++++++
 4 files changed, 105 insertions(+), 5 deletions(-)

diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cd5733e..a374890 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5646,6 +5646,58 @@ Specify which floating-point unit to use.  You must specify the
 @code{target("fpmath=sse,387")} option as
 @code{target("fpmath=sse+387")} because the comma would separate
 different options.
+
+@item nocf_check
+@cindex @code{nocf_check} function attribute
+The @code{nocf_check} attribute on a function is used to inform the
+compiler that the function's prologue should not be instrumented when
+compiled with the @option{-fcf-protection=branch} option.  The
+compiler assumes that the function's address is a valid target for a
+control-flow transfer.
+
+The @code{nocf_check} attribute on a type of pointer to function is
+used to inform the compiler that a call through the pointer should
+not be instrumented when compiled with the
+@option{-fcf-protection=branch} option.  The compiler assumes
+that the function's address from the pointer is a valid target for
+a control-flow transfer.  A direct function call through a function
+name is assumed to be a safe call thus direct calls are not
+instrumented by the compiler.
+
+The @code{nocf_check} attribute is applied to an object's type.
+In case of assignment of a function address or a function pointer to
+another pointer, the attribute is not carried over from the right-hand
+object's type, the type of left-hand object stays unchanged.  The
+compiler checks for @code{nocf_check} attribute mismatch and reports
+a warning in case of mismatch.
+
+@smallexample
+@{
+int foo (void) __attribute__(nocf_check);
+void (*foo1)(void) __attribute__(nocf_check);
+void (*foo2)(void);
+
+int
+foo (void) /* The function's address is assumed to be valid.  */
+
+  /* This call site is not checked for control-flow validity.  */
+  (*foo1)();
+
+  foo1 = foo2; /* A warning is printed about attribute mismatch.  */
+  /* This call site is still not checked for control-flow validity.  */
+  (*foo1)();
+
+  /* This call site is checked for control-flow validity.  */
+  (*foo2)();
+
+  foo2 = foo1; /* A warning is printed about attribute mismatch.  */
+  /* This call site is still checked for control-flow validity.  */
+  (*foo2)();
+
+  return 0;
+@}
+@end smallexample
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi
index 635abd3..fa98800 100644
--- a/gcc/doc/gimple.texi
+++ b/gcc/doc/gimple.texi
@@ -1310,11 +1310,13 @@ operand is validated with @code{is_gimple_operand}).
 @end deftypefn
 
 
-@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr)
-Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and the
-function are taken from the expression directly.  This routine
-assumes that @code{call_expr} is already in GIMPLE form.  That is, its
-operands are GIMPLE values and the function call needs no further
+@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr, @
+tree fnptrtype)
+Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments
+and the function are taken from the expression directly.  The type of the
+@code{GIMPLE_CALL} is set from the second parameter passed by a caller.
+This routine assumes that @code{call_expr} is already in GIMPLE form.
+That is, its operands are GIMPLE values and the function call needs no further
 simplification.  All the call flags in @code{call_expr} are copied over
 to the new @code{GIMPLE_CALL}.
 @end deftypefn
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index e4cacf2..a0a65bd 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
 -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
 -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
 -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
+-fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} @gol
 -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
 -fstack-protector-explicit  -fstack-check @gol
 -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
@@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver automatically links
 against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
 Enabled by default.
 
+@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
+@opindex fcf-protection
+Enable code instrumentation of control-flow transfers to increase
+program security by checking that target addresses of control-flow
+transfer instructions (such as indirect function call, function return,
+indirect jump) are valid.  This prevents diverting the control
+flow instructions from its original target address to a new undesigned
+target.  This is intended to protect against such threats as
+Return-oriented Programming (ROP), and similarly call/jmp-oriented
+programming (COP/JOP).
+
+Each compiler target, which is going to support the control-flow
+instrumentation, is supposed to have its own target specific
+implementation. For all targets where an implementation is absent the
+usage of @option{-fcf-protection} option causes an error message.
+
+The value @code{branch} tells the compiler to implement checking of
+validity of control-flow transfer at the point of indirect branch
+instructions, i.e. call/jmp instructions.  The value @code{return}
+implements checking of validity at the point of returning from a
+function.  The value @code{full} is an alias for specifying both
+@code{branch} and @code{return}. The value @code{none} turns off
+instrumentation.  This value may be used for future architectures
+where @option{-fcf-protection} option is switched on by default.
+
+You can also use the @code{nocf_check} attribute to identify
+which functions and calls should be skipped from instrumentation
+(@pxref{Function Attributes}).
+
 @item -fstack-protector
 @opindex fstack-protector
 Emit extra code to check for buffer overflows, such as stack smashing
diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
index 12355c2..b4fc5f3 100644
--- a/gcc/doc/rtl.texi
+++ b/gcc/doc/rtl.texi
@@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern.  This is done in cases where
 the pattern is either complex or misleading.
 @end table
 
+The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
+@option{-fcf-protection=branch} option.  The note is set if a
+@code{nocf_check} attribute is specified for a function type or a
+pointer to function type.  The note is stored in the @code{REG_NOTES}
+field of an insn.
+
+@table @code
+@findex REG_CALL_NOCF_CHECK
+@item REG_CALL_NOCF_CHECK
+A user has a control through the @code{nocf_check} attribute to identify
+which call to a function should be skipped from control-flow instrumentation
+when the option @option{-fcf-protection=branch} is specified.  The compiler
+puts a @code{REG_CALL_NOCF_CHECK} note on @code{CALL_INSN} instruction,
+which has a function type marked with a @code{nocf_check} attribute.
+@end table
+
 For convenience, the machine mode in an @code{insn_list} or
 @code{expr_list} is printed using these symbolic codes in debugging dumps.
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-26 13:45         ` Tsimbalist, Igor V
@ 2017-09-27  3:11           ` Sandra Loosemore
  2017-09-27 12:27             ` Tsimbalist, Igor V
  0 siblings, 1 reply; 12+ messages in thread
From: Sandra Loosemore @ 2017-09-27  3:11 UTC (permalink / raw)
  To: Tsimbalist, Igor V, 'gcc-patches@gcc.gnu.org'; +Cc: Jeff Law

On 09/26/2017 07:45 AM, Tsimbalist, Igor V wrote:
> Here is the updated version (version#3). All comments below are fixed.

This still needs more work.  Specific comments below:

> +The @code{nocf_check} attribute is applied to an object's type.
> +In case of assignment of a function address or a function pointer to
> +another pointer, the attribute is not carried over from the right-hand
> +object's type, the type of left-hand object stays unchanged.  The

s/object's type,/object's type;/

> @@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver automatically links
>  against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
>  Enabled by default.
>
> +@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
> +@opindex fcf-protection
> +Enable code instrumentation of control-flow transfers to increase
> +program security by checking that target addresses of control-flow
> +transfer instructions (such as indirect function call, function return,
> +indirect jump) are valid.  This prevents diverting the control
> +flow instructions from its original target address to a new undesigned

s/control flow instructions/control-flow instructions/

I'd rewrite the next sentence as

This prevents diverting the flow of control to an unexpected target.

> +target.  This is intended to protect against such threats as
> +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> +programming (COP/JOP).
> +
> +Each compiler target, which is going to support the control-flow
> +instrumentation, is supposed to have its own target specific
> +implementation. For all targets where an implementation is absent the
> +usage of @option{-fcf-protection} option causes an error message.

I would really prefer that you list the targets this works on here instead.

> +The value @code{branch} tells the compiler to implement checking of
> +validity of control-flow transfer at the point of indirect branch
> +instructions, i.e. call/jmp instructions.  The value @code{return}
> +implements checking of validity at the point of returning from a
> +function.  The value @code{full} is an alias for specifying both
> +@code{branch} and @code{return}. The value @code{none} turns off
> +instrumentation.  This value may be used for future architectures
> +where @option{-fcf-protection} option is switched on by default.

I don't think we need to document GCC's future behavior for future 
architectures (I'm always going around removing useless discussion from 
20 years ago of possible extensions that never got implemented).  I 
assume that this is just provided for completeness and to override a 
previous -fcf-protection option on the command line.

> +You can also use the @code{nocf_check} attribute to identify
> +which functions and calls should be skipped from instrumentation
> +(@pxref{Function Attributes}).
> +
>  @item -fstack-protector
>  @opindex fstack-protector
>  Emit extra code to check for buffer overflows, such as stack smashing
> diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
> index 12355c2..b4fc5f3 100644
> --- a/gcc/doc/rtl.texi
> +++ b/gcc/doc/rtl.texi
> @@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern.  This is done in cases where
>  the pattern is either complex or misleading.
>  @end table
>
> +The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
> +@option{-fcf-protection=branch} option.  The note is set if a
> +@code{nocf_check} attribute is specified for a function type or a
> +pointer to function type.  The note is stored in the @code{REG_NOTES}
> +field of an insn.
> +
> +@table @code
> +@findex REG_CALL_NOCF_CHECK
> +@item REG_CALL_NOCF_CHECK
> +A user has a control through the @code{nocf_check} attribute to identify

S/A user has a control/Users have control/

> +which call to a function should be skipped from control-flow instrumentation

s/call/calls/

> +when the option @option{-fcf-protection=branch} is specified.  The compiler
> +puts a @code{REG_CALL_NOCF_CHECK} note on @code{CALL_INSN} instruction,
> +which has a function type marked with a @code{nocf_check} attribute.

s/@code{CALL_INSN} instruction, which/each @code{CALL_INSN} instruction 
that/

-Sandra

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-27  3:11           ` Sandra Loosemore
@ 2017-09-27 12:27             ` Tsimbalist, Igor V
  2017-09-28 23:20               ` Jeff Law
  2017-09-29  4:57               ` Sandra Loosemore
  0 siblings, 2 replies; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-27 12:27 UTC (permalink / raw)
  To: Sandra Loosemore, 'gcc-patches@gcc.gnu.org'
  Cc: Jeff Law, Tsimbalist, Igor V

[-- Attachment #1: Type: text/plain, Size: 5507 bytes --]

Updated version #4.

> -----Original Message-----
> From: Sandra Loosemore [mailto:sandra@codesourcery.com]
> Sent: Wednesday, September 27, 2017 5:11 AM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Cc: Jeff Law <law@redhat.com>
> Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> On 09/26/2017 07:45 AM, Tsimbalist, Igor V wrote:
> > Here is the updated version (version#3). All comments below are fixed.
> 
> This still needs more work.  Specific comments below:
> 
> > +The @code{nocf_check} attribute is applied to an object's type.
> > +In case of assignment of a function address or a function pointer to
> > +another pointer, the attribute is not carried over from the
> > +right-hand object's type, the type of left-hand object stays
> > +unchanged.  The
> 
> s/object's type,/object's type;/


Fixed.

> > @@ -11348,6 +11349,35 @@ is used to link a program, the GCC driver
> > automatically links  against @file{libmpxwrappers}.  See also @option{-
> static-libmpxwrappers}.
> >  Enabled by default.
> >
> > +@item -fcf-
> protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
> > +@opindex fcf-protection
> > +Enable code instrumentation of control-flow transfers to increase
> > +program security by checking that target addresses of control-flow
> > +transfer instructions (such as indirect function call, function
> > +return, indirect jump) are valid.  This prevents diverting the
> > +control flow instructions from its original target address to a new
> > +undesigned
> 
> s/control flow instructions/control-flow instructions/
> 
> I'd rewrite the next sentence as
> 
> This prevents diverting the flow of control to an unexpected target.

I used your suggestion.

> > +target.  This is intended to protect against such threats as
> > +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> > +programming (COP/JOP).
> > +
> > +Each compiler target, which is going to support the control-flow
> > +instrumentation, is supposed to have its own target specific
> > +implementation. For all targets where an implementation is absent the
> > +usage of @option{-fcf-protection} option causes an error message.
> 
> I would really prefer that you list the targets this works on here instead.

Another patch you are reviewing now (its name starts with 0005-Part-5)
has the statement you would like to put here. The important point here is
an error issuing. When I commit the first patch none of target platforms supports
the option and an error is printed when the option is specified. I removed the
first sentence but keep the second one:

For all targets, which do not support the @option{-fcf-protection}
option, the option usage results in an error message.

> > +The value @code{branch} tells the compiler to implement checking of
> > +validity of control-flow transfer at the point of indirect branch
> > +instructions, i.e. call/jmp instructions.  The value @code{return}
> > +implements checking of validity at the point of returning from a
> > +function.  The value @code{full} is an alias for specifying both
> > +@code{branch} and @code{return}. The value @code{none} turns off
> > +instrumentation.  This value may be used for future architectures
> > +where @option{-fcf-protection} option is switched on by default.
> 
> I don't think we need to document GCC's future behavior for future
> architectures (I'm always going around removing useless discussion from
> 20 years ago of possible extensions that never got implemented).  I assume
> that this is just provided for completeness and to override a previous -fcf-
> protection option on the command line.

Ok, removed the last sentence.

> > +You can also use the @code{nocf_check} attribute to identify which
> > +functions and calls should be skipped from instrumentation
> > +(@pxref{Function Attributes}).
> > +
> >  @item -fstack-protector
> >  @opindex fstack-protector
> >  Emit extra code to check for buffer overflows, such as stack smashing
> > diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi index
> > 12355c2..b4fc5f3 100644
> > --- a/gcc/doc/rtl.texi
> > +++ b/gcc/doc/rtl.texi
> > @@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern.
> > This is done in cases where  the pattern is either complex or misleading.
> >  @end table
> >
> > +The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with
> the
> > +@option{-fcf-protection=branch} option.  The note is set if a
> > +@code{nocf_check} attribute is specified for a function type or a
> > +pointer to function type.  The note is stored in the @code{REG_NOTES}
> > +field of an insn.
> > +
> > +@table @code
> > +@findex REG_CALL_NOCF_CHECK
> > +@item REG_CALL_NOCF_CHECK
> > +A user has a control through the @code{nocf_check} attribute to
> > +identify
> 
> S/A user has a control/Users have control/

Fixed.

> > +which call to a function should be skipped from control-flow
> > +instrumentation
> 
> s/call/calls/

Fixed.

> > +when the option @option{-fcf-protection=branch} is specified.  The
> > +compiler puts a @code{REG_CALL_NOCF_CHECK} note on
> @code{CALL_INSN}
> > +instruction, which has a function type marked with a @code{nocf_check}
> attribute.
> 
> s/@code{CALL_INSN} instruction, which/each @code{CALL_INSN}
> instruction that/

Fixed.

Igor

> -Sandra


[-- Attachment #2: 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch --]
[-- Type: application/octet-stream, Size: 7956 bytes --]

From bc896670fef5eb7324c0e0134747696f3ed66553 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Sun, 17 Sep 2017 14:57:29 +0300
Subject: [PATCH 2/5] Add documentation for fcf-protection option and
 nocf_check attribute

gcc/doc/
	* extend.texi: Add 'nocf_check' documentation.
	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
	* invoke.texi: Add -fcf-protection documentation.
	* rtl.texi: Add REG_CALL_NOTRACK documenation.
---
 gcc/doc/extend.texi | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi |  8 +++++---
 gcc/doc/invoke.texi | 30 ++++++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 15 +++++++++++++++
 4 files changed, 100 insertions(+), 3 deletions(-)
---
 gcc/doc/extend.texi | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 gcc/doc/gimple.texi | 12 +++++++-----
 gcc/doc/invoke.texi | 26 ++++++++++++++++++++++++++
 gcc/doc/rtl.texi    | 16 ++++++++++++++++
 4 files changed, 101 insertions(+), 5 deletions(-)

diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cd5733e..e52a1ea 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5646,6 +5646,58 @@ Specify which floating-point unit to use.  You must specify the
 @code{target("fpmath=sse,387")} option as
 @code{target("fpmath=sse+387")} because the comma would separate
 different options.
+
+@item nocf_check
+@cindex @code{nocf_check} function attribute
+The @code{nocf_check} attribute on a function is used to inform the
+compiler that the function's prologue should not be instrumented when
+compiled with the @option{-fcf-protection=branch} option.  The
+compiler assumes that the function's address is a valid target for a
+control-flow transfer.
+
+The @code{nocf_check} attribute on a type of pointer to function is
+used to inform the compiler that a call through the pointer should
+not be instrumented when compiled with the
+@option{-fcf-protection=branch} option.  The compiler assumes
+that the function's address from the pointer is a valid target for
+a control-flow transfer.  A direct function call through a function
+name is assumed to be a safe call thus direct calls are not
+instrumented by the compiler.
+
+The @code{nocf_check} attribute is applied to an object's type.
+In case of assignment of a function address or a function pointer to
+another pointer, the attribute is not carried over from the right-hand
+object's type; the type of left-hand object stays unchanged.  The
+compiler checks for @code{nocf_check} attribute mismatch and reports
+a warning in case of mismatch.
+
+@smallexample
+@{
+int foo (void) __attribute__(nocf_check);
+void (*foo1)(void) __attribute__(nocf_check);
+void (*foo2)(void);
+
+int
+foo (void) /* The function's address is assumed to be valid.  */
+
+  /* This call site is not checked for control-flow validity.  */
+  (*foo1)();
+
+  foo1 = foo2; /* A warning is printed about attribute mismatch.  */
+  /* This call site is still not checked for control-flow validity.  */
+  (*foo1)();
+
+  /* This call site is checked for control-flow validity.  */
+  (*foo2)();
+
+  foo2 = foo1; /* A warning is printed about attribute mismatch.  */
+  /* This call site is still checked for control-flow validity.  */
+  (*foo2)();
+
+  return 0;
+@}
+@end smallexample
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/doc/gimple.texi b/gcc/doc/gimple.texi
index 635abd3..fa98800 100644
--- a/gcc/doc/gimple.texi
+++ b/gcc/doc/gimple.texi
@@ -1310,11 +1310,13 @@ operand is validated with @code{is_gimple_operand}).
 @end deftypefn
 
 
-@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr)
-Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments and the
-function are taken from the expression directly.  This routine
-assumes that @code{call_expr} is already in GIMPLE form.  That is, its
-operands are GIMPLE values and the function call needs no further
+@deftypefn {GIMPLE function} gcall *gimple_build_call_from_tree (tree call_expr, @
+tree fnptrtype)
+Build a @code{GIMPLE_CALL} from a @code{CALL_EXPR} node.  The arguments
+and the function are taken from the expression directly.  The type of the
+@code{GIMPLE_CALL} is set from the second parameter passed by a caller.
+This routine assumes that @code{call_expr} is already in GIMPLE form.
+That is, its operands are GIMPLE values and the function call needs no further
 simplification.  All the call flags in @code{call_expr} are copied over
 to the new @code{GIMPLE_CALL}.
 @end deftypefn
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index e4cacf2..c4faa23 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -460,6 +460,7 @@ Objective-C and Objective-C++ Dialects}.
 -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
 -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
 -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
+-fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]} @gol
 -fstack-protector  -fstack-protector-all  -fstack-protector-strong @gol
 -fstack-protector-explicit  -fstack-check @gol
 -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym} @gol
@@ -11348,6 +11349,31 @@ is used to link a program, the GCC driver automatically links
 against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
 Enabled by default.
 
+@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
+@opindex fcf-protection
+Enable code instrumentation of control-flow transfers to increase
+program security by checking that target addresses of control-flow
+transfer instructions (such as indirect function call, function return,
+indirect jump) are valid.  This prevents diverting the flow of control
+to an unexpected target.  This is intended to protect against such
+threats as Return-oriented Programming (ROP), and similarly
+call/jmp-oriented programming (COP/JOP).
+
+For all targets, which do not support the @option{-fcf-protection}
+option, the option usage results in an error message.
+
+The value @code{branch} tells the compiler to implement checking of
+validity of control-flow transfer at the point of indirect branch
+instructions, i.e. call/jmp instructions.  The value @code{return}
+implements checking of validity at the point of returning from a
+function.  The value @code{full} is an alias for specifying both
+@code{branch} and @code{return}. The value @code{none} turns off
+instrumentation.
+
+You can also use the @code{nocf_check} attribute to identify
+which functions and calls should be skipped from instrumentation
+(@pxref{Function Attributes}).
+
 @item -fstack-protector
 @opindex fstack-protector
 Emit extra code to check for buffer overflows, such as stack smashing
diff --git a/gcc/doc/rtl.texi b/gcc/doc/rtl.texi
index 12355c2..c0aab98 100644
--- a/gcc/doc/rtl.texi
+++ b/gcc/doc/rtl.texi
@@ -4040,6 +4040,22 @@ is used in place of the actual insn pattern.  This is done in cases where
 the pattern is either complex or misleading.
 @end table
 
+The note @code{REG_CALL_NOCF_CHECK} is used in conjunction with the
+@option{-fcf-protection=branch} option.  The note is set if a
+@code{nocf_check} attribute is specified for a function type or a
+pointer to function type.  The note is stored in the @code{REG_NOTES}
+field of an insn.
+
+@table @code
+@findex REG_CALL_NOCF_CHECK
+@item REG_CALL_NOCF_CHECK
+Users have control through the @code{nocf_check} attribute to identify
+which calls to a function should be skipped from control-flow instrumentation
+when the option @option{-fcf-protection=branch} is specified.  The compiler
+puts a @code{REG_CALL_NOCF_CHECK} note on each @code{CALL_INSN} instruction
+that has a function type marked with a @code{nocf_check} attribute.
+@end table
+
 For convenience, the machine mode in an @code{insn_list} or
 @code{expr_list} is printed using these symbolic codes in debugging dumps.
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-27 12:27             ` Tsimbalist, Igor V
@ 2017-09-28 23:20               ` Jeff Law
  2017-09-29  4:57               ` Sandra Loosemore
  1 sibling, 0 replies; 12+ messages in thread
From: Jeff Law @ 2017-09-28 23:20 UTC (permalink / raw)
  To: Tsimbalist, Igor V, Sandra Loosemore, 'gcc-patches@gcc.gnu.org'

On 09/27/2017 06:27 AM, Tsimbalist, Igor V wrote:

> 
> 
> 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch
> 
> 
> From bc896670fef5eb7324c0e0134747696f3ed66553 Mon Sep 17 00:00:00 2001
> From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> Date: Sun, 17 Sep 2017 14:57:29 +0300
> Subject: [PATCH 2/5] Add documentation for fcf-protection option and
>  nocf_check attribute
> 
> gcc/doc/
> 	* extend.texi: Add 'nocf_check' documentation.
> 	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
> 	* invoke.texi: Add -fcf-protection documentation.
> 	* rtl.texi: Add REG_CALL_NOTRACK documenation.
s/documenation/documentation

Otherwise this is fine once Sandra gives her OK.

jeff

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-27 12:27             ` Tsimbalist, Igor V
  2017-09-28 23:20               ` Jeff Law
@ 2017-09-29  4:57               ` Sandra Loosemore
  2017-09-29 15:30                 ` Tsimbalist, Igor V
  1 sibling, 1 reply; 12+ messages in thread
From: Sandra Loosemore @ 2017-09-29  4:57 UTC (permalink / raw)
  To: Tsimbalist, Igor V, 'gcc-patches@gcc.gnu.org'; +Cc: Jeff Law

On 09/27/2017 06:27 AM, Tsimbalist, Igor V wrote:
> Updated version #4.
>
> [snip]
> @@ -11348,6 +11349,31 @@ is used to link a program, the GCC driver automatically links
>  against @file{libmpxwrappers}.  See also @option{-static-libmpxwrappers}.
>  Enabled by default.
>
> +@item -fcf-protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
> +@opindex fcf-protection
> +Enable code instrumentation of control-flow transfers to increase
> +program security by checking that target addresses of control-flow
> +transfer instructions (such as indirect function call, function return,
> +indirect jump) are valid.  This prevents diverting the flow of control
> +to an unexpected target.  This is intended to protect against such
> +threats as Return-oriented Programming (ROP), and similarly
> +call/jmp-oriented programming (COP/JOP).
> +
> +For all targets, which do not support the @option{-fcf-protection}
> +option, the option usage results in an error message.

Please take this sentence out.  It's ungrammatical and verbose and 
unnecessary.

Note that several of the other options described in this section are not 
enabled on all targets either.  E.g., I've just been looking at fixing 
the nios2 backend to make -fstack-protector work, and there is nothing 
in the manual to say that GCC issues an error if there's no target 
support, even though that's what it does.

The patch is OK to commit with that change.

-Sandra

^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
  2017-09-29  4:57               ` Sandra Loosemore
@ 2017-09-29 15:30                 ` Tsimbalist, Igor V
  0 siblings, 0 replies; 12+ messages in thread
From: Tsimbalist, Igor V @ 2017-09-29 15:30 UTC (permalink / raw)
  To: Sandra Loosemore, 'gcc-patches@gcc.gnu.org'
  Cc: Jeff Law, Tsimbalist, Igor V

> -----Original Message-----
> From: Sandra Loosemore [mailto:sandra@codesourcery.com]
> Sent: Friday, September 29, 2017 6:57 AM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-
> patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Cc: Jeff Law <law@redhat.com>
> Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> On 09/27/2017 06:27 AM, Tsimbalist, Igor V wrote:
> > Updated version #4.
> >
> > [snip]
> > @@ -11348,6 +11349,31 @@ is used to link a program, the GCC driver
> > automatically links  against @file{libmpxwrappers}.  See also @option{-
> static-libmpxwrappers}.
> >  Enabled by default.
> >
> > +@item -fcf-
> protection==@r{[}full@r{|}branch@r{|}return@r{|}none@r{]}
> > +@opindex fcf-protection
> > +Enable code instrumentation of control-flow transfers to increase
> > +program security by checking that target addresses of control-flow
> > +transfer instructions (such as indirect function call, function
> > +return, indirect jump) are valid.  This prevents diverting the flow
> > +of control to an unexpected target.  This is intended to protect
> > +against such threats as Return-oriented Programming (ROP), and
> > +similarly call/jmp-oriented programming (COP/JOP).
> > +
> > +For all targets, which do not support the @option{-fcf-protection}
> > +option, the option usage results in an error message.
> 
> Please take this sentence out.  It's ungrammatical and verbose and
> unnecessary.

Removed.

> Note that several of the other options described in this section are not
> enabled on all targets either.  E.g., I've just been looking at fixing the nios2
> backend to make -fstack-protector work, and there is nothing in the manual
> to say that GCC issues an error if there's no target support, even though
> that's what it does.
> 
> The patch is OK to commit with that change.

Thanks,
Igor

> -Sandra

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2017-09-29 15:30 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-01  8:56 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute Tsimbalist, Igor V
2017-08-25 21:38 ` Jeff Law
2017-09-15 15:14   ` Tsimbalist, Igor V
2017-09-19 13:45   ` Tsimbalist, Igor V
2017-09-25  3:06     ` Sandra Loosemore
2017-09-25 21:57       ` Tsimbalist, Igor V
2017-09-26 13:45         ` Tsimbalist, Igor V
2017-09-27  3:11           ` Sandra Loosemore
2017-09-27 12:27             ` Tsimbalist, Igor V
2017-09-28 23:20               ` Jeff Law
2017-09-29  4:57               ` Sandra Loosemore
2017-09-29 15:30                 ` Tsimbalist, Igor V

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).