> -----Original Message-----
> From: Florian Weimer [mailto:fwei...@redhat.com]
> Sent: Wednesday, September 27, 2017 10:52 AM
> To: Sandra Loosemore <san...@codesourcery.com>; Tsimbalist, Igor V
> <igor.v.tsimbal...@intel.com>; Uros Bizjak <ubiz...@gmail.com>
> Cc: gcc-patches@gcc.gnu.org
> Subject: Re: 0005-Part-5.-Add-x86-CET-documentation
>
> On 09/27/2017 05:40 AM, Sandra Loosemore wrote:
> >>
> >> +@emph{x86 implementation:} when @option{-fcf-protection} option is
> >> +specified the compiler inserts an ENDBR instruction at function's
> >> +prologue if the function's type does not have the @code{nocf_check}
> >> +attribute and addresses to which indirect control-flow transfer can
> >> +happen. The instruction triggers the HW check if a control-flow
> >> +transfer to the address of ENDBR instruction is valid.
> >
> > Implementation details like this should be comments in the code, not
> > included in the user-facing documentation.
>
> This is part of the ABI GCC implements, so it has to be documented
> somewhere, and not just as part of the GCC source code.
A question for both Sandra and Florian - What is your suggestion where the text
should go?
> CET is not properly described in the ABI supplement and I don't think this
> will
> change, so detailed documentation in the GCC manual is very much
> desirable.
>
> That being said, the implementation notes above need some clarification.
> It's not clear to me what the conditions are under which the ENDBR
> instruction is emitted (and we probably should use @code{endbr} in the
> manual), what it is trying to achieve, and how the x86 calling convention
> changes. I assume it is somehow related to what we call internally “the
> suffix
We are diving into implementation details but it's simple enough.
- endbr is generated for every function, which does not have nocf_check
attribute.
Optimization can be done later to exclude functions, whose address was not
taken.
- there is no change in calling convention
Thanks,
Igor
> problem”: without control flow integrity, an attacker might skip over
> precondition/hardening checks, directly to the critical changes we want to
> protect, executing only the suffix of a function (hence the name).
>
> Thanks,
> Florian
