On 09/27/2017 05:40 AM, Sandra Loosemore wrote:

+@emph{x86 implementation:} when @option{-fcf-protection} option is
+specified the compiler inserts an ENDBR instruction at function's
+prologue if the function's type does not have the @code{nocf_check}
+attribute and addresses to which indirect control-flow transfer can
+happen.  The instruction triggers the HW check if a control-flow
+transfer to the address of ENDBR instruction is valid.
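Review bot: the last sentence describes the mechanism backwards and should be reworded. ENDBR does not trigger the check; it marks an address as a valid landing pad, and it is the indirect call or jump that causes the hardware to fault when its target is not an ENDBR instruction. Suggested: "With IBT enabled, the hardware raises a control-protection fault when an indirect call or jump lands on an instruction other than ENDBR." The first sentence also reads as two conditions rather than two locations: "at function's prologue if ... and addresses to which indirect control-flow transfer can happen" should say that ENDBR is inserted at the function entry and at every other address an indirect transfer may target, unless the function carries the nocf_check attribute.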

Implementation details like this should be comments in the code, not included in the user-facing documentation.

This is part of the ABI GCC implements, so it has to be documented somewhere, and not just as part of the GCC source code.

CET is not properly described in the ABI supplement and I don't think this will change, so detailed documentation in the GCC manual is very much desirable.

That being said, the implementation notes above need some clarification. It's not clear to me what the conditions are under which the ENDBR instruction is emitted (and we probably should use @code{endbr} in the manual), what it is trying to achieve, and how the x86 calling convention changes. I assume it is somehow related to what we call internally “the suffix problem”: without control flow integrity, an attacker might skip over precondition/hardening checks, directly to the critical changes we want to protect, executing only the suffix of a function (hence the name).

Thanks,
Florian
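As an added illustration of the ABI point discussed above (not code from the thread or from GCC), this script audits the first bytes of each function for the ENDBR landing pad that -fcf-protection is expected to emit at the prologue; functions marked nocf_check are allowed to lack it. Symbol names and byte strings are constructed.

```python
# Added example: check whether function entries start with an IBT landing pad.
# Symbol names and the byte strings in SAMPLE are constructed for this demo.

ENDBR64 = bytes.fromhex("f30f1efa")  # encoding of endbr64
ENDBR32 = bytes.fromhex("f30f1efb")  # encoding of endbr32


def landing_pad(entry_bytes):
    """Return 'endbr64', 'endbr32' or None for the instruction at a function entry."""
    if entry_bytes.startswith(ENDBR64):
        return "endbr64"
    if entry_bytes.startswith(ENDBR32):
        return "endbr32"
    return None


def audit(functions, nocf_check=frozenset()):
    """functions: {symbol: leading bytes of that function's code}.

    Returns the symbols that lack a landing pad and are not marked nocf_check,
    i.e. entry points an IBT-enabled CPU would refuse as indirect-call targets.
    """
    missing = []
    for sym, code in functions.items():
        if sym in nocf_check:
            continue  # attribute opts the function out of the check
        if landing_pad(code) is None:
            missing.append(sym)
    return sorted(missing)


# Constructed sample prologues, in the shape gcc -fcf-protection typically emits.
SAMPLE = {
    "handler":   bytes.fromhex("f30f1efa" "55" "4889e5"),  # endbr64; push rbp; mov rbp,rsp
    "legacy_cb": bytes.fromhex("55" "4889e5"),             # push rbp; mov rbp,rsp (no pad)
    "raw_entry": bytes.fromhex("4883ec08"),                # sub rsp,8 (no pad)
}

if __name__ == "__main__":
    print(audit(SAMPLE, nocf_check={"raw_entry"}))  # prints ['legacy_cb']
```

In a real audit the byte strings would come from reading each symbol's address in the object's text section; only the entry bytes are needed for this check.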
