https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95732
Bug ID: 95732
Summary: Use CPU dispatching to support mixing -fcf-protection with -mindirect-branch and -mfunction-return
Product: gcc
Version: 10.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: josephcsible at gmail dot com
Target Milestone: ---
Target: x86_64
The thunks generated by -mindirect-branch and -mfunction-return should do CPU
dispatching à la "ifunc". We should generate one path for CPUs with CET and one
without. The path without CET should stay like it is today. Intel claims that
their CPUs that support CET no longer need Spectre mitigations. For as long as
this remains true, the path with CET should just be "jmp *%rax" and "ret". If
this ends up turning out to be false, then we should instead use the "incsspq",
"rdsspq", and "wrssq" instructions to make the shadow stack match what we do in
the real stack. (We can't just do this unconditionally, since unlike "endbr64",
those instructions aren't all NOPs on older CPUs.) This change will allow the
same binary to run safely on Spectre-vulnerable CPUs and still get the benefits
of CET on new CPUs, without needing programs to all supply their own external
thunks.
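The dispatch the report proposes, as an added example that is not part of the bug report or of GCC itself: a hand-written x86_64 indirect-branch thunk with a retpoline body and a plain-jump body, chosen once at load time by an ifunc resolver that reads the CET bits from CPUID. It assumes an x86_64 ELF/glibc toolchain (GCC or Clang) for the top-level asm and the ifunc attribute; other targets fall back to a plain C stand-in, and the incsspq/rdsspq/wrssq variant the report mentions is not implemented.

```c
#include <stdio.h>
/* CPUID leaf 7, subleaf 0: CET_SS is ECX bit 7, CET_IBT is EDX bit 20 (pure, testable). */
int cpu_has_cet(unsigned ecx, unsigned edx) {
    return ((ecx >> 7) & 1) && ((edx >> 20) & 1);
}
long call_via_thunk(long (*fn)(long), long arg);  /* fn(arg) via the dispatched thunk */

#if defined(__x86_64__) && defined(__ELF__) && defined(__GLIBC__)
#include <cpuid.h>
typedef void (*thunk_fn)(void);
int runtime_cpu_has_cet(void) {
    unsigned a, b, c, d;
    return __get_cpuid_count(7, 0, &a, &b, &c, &d) && cpu_has_cet(c, d);
}
/* Two bodies for the thunk (target in %rax, like GCC's __x86_indirect_thunk_rax)
   and a C-callable entry that tail-jumps into whichever body the ifunc selected. */
__asm__(".text\n"
        ".globl call_via_thunk\n.type call_via_thunk,@function\n"
        "call_via_thunk:\n"
        "  mov %rdi, %rax\n"                /* target into %rax */
        "  mov %rsi, %rdi\n"                /* the target's first argument */
        "  jmp indirect_thunk_rax@PLT\n"    /* PLT slot filled by the ifunc resolver */
        ".globl thunk_rax_retpoline\n.hidden thunk_rax_retpoline\n"
        "thunk_rax_retpoline:\n"            /* non-CET path: retpoline */
        "  call 1f\n"
        "0:\n  pause\n  lfence\n  jmp 0b\n" /* speculation trap */
        "1:\n  mov %rax, (%rsp)\n  ret\n"   /* "return" into the real target */
        ".globl thunk_rax_plain\n.hidden thunk_rax_plain\n"
        "thunk_rax_plain:\n"                /* CET path: nothing but the jump */
        "  jmp *%rax\n");
extern void thunk_rax_retpoline(void) __attribute__((visibility("hidden")));
extern void thunk_rax_plain(void) __attribute__((visibility("hidden")));
/* ifunc resolver: runs once at load time. The retpoline must not run where a
   shadow stack is enforced, because "mov %rax,(%rsp); ret" desynchronises it. */
static thunk_fn resolve_indirect_thunk(void) {
    return runtime_cpu_has_cet() ? thunk_rax_plain : thunk_rax_retpoline;
}
void indirect_thunk_rax(void) __attribute__((ifunc("resolve_indirect_thunk")));
#else
/* Portable stand-in so the file also builds on non-x86_64 or non-glibc targets. */
int runtime_cpu_has_cet(void) { return 0; }
long call_via_thunk(long (*fn)(long), long arg) { return fn(arg); }
#endif

static long square(long x) { return x * x; }  /* constructed sample target */
int main(void) {
    printf("thunk: %s, square(7) = %ld\n",
           runtime_cpu_has_cet() ? "plain jmp (CET)" : "retpoline", call_via_thunk(square, 7));
    return 0;
}
```

Both bodies produce the same result; the difference is only visible on a CPU where a shadow stack is enforced, which is exactly the case the report wants the CET path to handle.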