https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95732
Bug ID: 95732
Summary: Use CPU dispatching to support mixing -fcf-protection with -mindirect-branch and -mfunction-return
Product: gcc
Version: 10.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: josephcsible at gmail dot com
Target Milestone: ---
Target: x86_64

The thunks generated by -mindirect-branch and -mfunction-return should do CPU dispatching à la "ifunc". We should generate one path for CPUs with CET and one without. The path without CET should stay like it is today.

Intel claims that their CPUs that support CET no longer need Spectre mitigations. For as long as this remains true, the path with CET should just be "jmp *%rax" and "ret". If this ends up turning out to be false, then we should instead use the "incsspq", "rdsspq", and "wrssq" instructions to make the shadow stack match what we do in the real stack. (We can't just do this unconditionally, since unlike "endbr64", those instructions aren't all NOPs on older CPUs.)

This change will allow the same binary to run safely on Spectre-vulnerable CPUs and still get the benefits of CET on new CPUs, without needing programs to all supply their own external thunks.
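
The dispatch decision the report asks for, sketched as an added example that is not part of the report and is not GCC code: the CET feature bits in CPUID leaf 7 are decoded into a choice between the two thunk bodies. The names `thunk_path`, `select_thunk_path` and `detect_thunk_path` are hypothetical, and treating either CET bit as "a CPU with CET" is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0) feature bits for CET, per the Intel SDM. */
#define CPUID7_ECX_CET_SS   (1u << 7)   /* shadow stack */
#define CPUID7_EDX_CET_IBT  (1u << 20)  /* indirect branch tracking */

/* Hypothetical names for the two thunk bodies the report describes. */
enum thunk_path {
    THUNK_RETPOLINE,  /* today's -mindirect-branch / -mfunction-return body */
    THUNK_PLAIN       /* "jmp *%rax" and "ret" */
};

/* Pure decision step: map leaf-7 register values to a thunk path.
   Assumption: either CET feature bit counts as "a CPU with CET".
   These bits report CPU capability only, not whether the OS enabled CET. */
enum thunk_path select_thunk_path(uint32_t ecx, uint32_t edx)
{
    if ((ecx & CPUID7_ECX_CET_SS) || (edx & CPUID7_EDX_CET_IBT))
        return THUNK_PLAIN;
    return THUNK_RETPOLINE;
}

/* What an ifunc-style resolver would run once at load time. */
enum thunk_path detect_thunk_path(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* Returns 0 when leaf 7 is not implemented: keep the retpoline. */
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return select_thunk_path(ecx, edx);
#endif
    return THUNK_RETPOLINE;
}

int main(void)
{
    printf("thunk path on this CPU: %s\n",
           detect_thunk_path() == THUNK_PLAIN ? "plain" : "retpoline");
    return 0;
}
```

The fallback is always the retpoline path, so a CPU that does not report leaf 7 or either CET bit keeps the existing Spectre mitigation.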