From 5c648878e6ada2eee3821b591d5ca140c4b40df4 Mon Sep 17 00:00:00 2001
From: Kito Cheng
Date: Thu, 15 Aug 2024 17:30:47 +0800
Subject: [PATCH] Add options for enable code gen with CFI `-fcf-protection=[full|branch|return|none]` and `-mcf-label-scheme=[unlabeled|func-sig]`

Reuse the options defined by X86 CET, `-fcf-protection=[full|branch|return|none]` `-fcf-protection=branch` for landing pad (`Zicfilp`), `-fcf-protection=return` for landing pad (`Zicfiss`) and `-fcf-protection=full` to enable both if possible, landing pad just requires instruction defined by base extension, so compiler will emit landing pad even without `Zicfilp` extension, but `-fcf-protection=return` will require at least `Zimop` since the instruction isn't included in base extension.

Also we defined another option to specify the labeling scheme: `unlabeled` and `func-sig`. The `unlabeled` scheme always uses `lpad 0`, and `func-sig` is based on the function signature, the rule is defined in psABI.

--- src/toolchain-conventions.adoc | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/toolchain-conventions.adoc b/src/toolchain-conventions.adoc index 8f02372..80d014f 100644 --- a/src/toolchain-conventions.adoc +++ b/src/toolchain-conventions.adoc 
@@ -406,6 +406,29 @@ NOTE: This option does not affect inline assembly. The precedence among `-m[no]-scalar-strict-align`, `-m[no-]vector-strict-align`, and `-m[no-]strict-align` is determined by the last one specified. +=== `-fcf-protection=[full|branch|return|none]`/`-fcf-protection` + + +Enable control flow protection. The compiler will insert control flow integrity +instructions to protect the program against control flow hijacking attacks. + +`-fcf-protection` is alias to `-fcf-protection=full`. + +- `none`: Disable control flow protection. +- `full`: Protect all control flow instructions, will enable branch protection + and return protection if the `Zimop` extension is available. +- `branch`: Protect branch instructions only by insert landing pad. +- `return`: Protect return instructions only, this require `Zimop` extension. + +=== `-mcf-branch-label-scheme=[unlabeled|func-sig]` + +Specify the label scheme for the `-fcf-protection=branch`. The default is value +is platform defined. + +- `unlabeled`: Use simple label scheme, the label is always `0`. +- `func-sig`: Use function signature as the label, the label is generated by the + compiler, the rule is defined in psABI spec. + == TODO - `-mdiv`, `-mno-div`, `-mfdiv`, `-mno-fdiv`, `-msave-restore`,
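Review bot: The `full` and `return` bullets leave the missing-`Zimop` case underspecified. `full` enables return protection only "if the `Zimop` extension is available", so a build requesting `-fcf-protection=full` (or bare `-fcf-protection`, its alias) can silently end up with branch protection only, and `return` says it "require `Zimop` extension" without saying whether the compiler rejects the option or ignores it when `Zimop` is absent. For a hardening flag, the text should state the required behaviour in both cases, preferably a diagnostic, so that a build cannot lose return protection unnoticed. The section also never names the extensions the inserted instructions belong to; the commit message mentions `Zicfilp` and `Zicfiss`, and the option descriptions should carry that mapping too. The second heading adds `-mcf-branch-label-scheme`, while the commit message calls the option `-mcf-label-scheme`; one of the two needs to be corrected so the name is unambiguous. Wording nits in the added lines: "is alias to" should read "is an alias for", "by insert landing pad" should read "by inserting landing pads", and "The default is value is platform defined" has a duplicated "is".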