Re: 0005-Part-5.-Add-x86-CET-documentation

[Florian Weimer <fweimer@redhat.com>]

On 09/27/2017 05:40 AM, Sandra Loosemore wrote:
>>
>> +@emph{x86 implementation:} when @option{-fcf-protection} option is
>> +specified the compiler inserts an ENDBR instruction at function's
>> +prologue if the function's type does not have the @code{nocf_check}
>> +attribute and addresses to which indirect control-flow transfer can
>> +happen.  The instruction triggers the HW check if a control-flow
>> +transfer to the address of ENDBR instruction is valid.
> 
> Implementation details like this should be comments in the code, not 
> included in the user-facing documentation.

This is part of the ABI GCC implements, so it has to be documented 
somewhere, and not just as part of the GCC source code.

CET is not properly described in the ABI supplement and I don't think 
this will change, so detailed documentation in the GCC manual is very 
much desirable.

That being said, the implementation notes above need some clarification. 
  It's not clear to me what the conditions are under which the ENDBR 
instruction is emitted (and we probably should use @code{endbr} in the 
manual), what it is trying to achieve, and how the x86 calling 
convention changes.  I assume it is somehow related to what we call 
internally “the suffix problem”: without control flow integrity, an 
attacker might skip over precondition/hardening checks, directly to the 
critical changes we want to protect, executing only the suffix of a 
function (hence the name).

Thanks,
Florian