Add options for enable code gen with CFI -fcf-protection=[full|branch|return|none] and -mcf-label-scheme=[simple|func-sig]

kito-cheng · kito-cheng · commit ce3e2ddd1b32 · 2024-08-15T17:35:56.000+08:00
Resue the options defined by X86 CET, `-fcf-protection=[full|branch|return|none]`

`-fcf-protection=branch` for landing pad (`Zicfilp`), `-fcf-protection=return`
for landing pad (`Zicfiss`) and `-fcf-protection=full` for enable both
if possible, landing pad just require instrcution defined by base
extension, so compiler will emit landing pad even without `Zicfilp`
extension, but `-fcf-protection=return` will require at least `Zimop`
since the instrcution isn't included in base extension.

Also we defined another option for specify the labeling scheme: `simple`
and `func-sig`.

The `simple` scheme is always use `lpad 0`, and `func-sig` is based
on the function signature, the rule is defined in psABI.
diff --git a/README.mkd b/README.mkd
@@ -445,6 +445,28 @@ NOTE: This option does not affect inline assembly.
 The precedence among `-m[no]-scalar-strict-align`, `-m[no-]vector-strict-align`,
 and `-m[no-]strict-align` is determined by the last one specified.
 
+### `-fcf-protection=[full|branch|return|none]`/`-fcf-protection`
+
+Enable control flow protection. The compiler will insert control flow integrity
+instructions to protect the program against control flow hijacking attacks.
+
+`-fcf-protection` is alias to `-fcf-protection=full`.
+
+- `none`: Disable control flow protection.
+- `full`: Protect all control flow instructions, will enable branch protection
+  and return protection if the `Zimop` extension is available.
+- `branch`: Protect branch instructions only by insert landing pad.
+- `return`: Protect branch instructions only, this require `Zimop` extension.
+
+### `-mcf-label-scheme=[simple|func-sig]`
+
+Specify the label scheme for the `-fcf-protectio=branch`. The default is value
+is platform defined.
+
+- `simple`: Use simple label scheme, the label is always `0`.
+- `func-sig`: Use function signature as the label, the label is generated by the
+  compiler, the rule is defined in psABI spec.
+
 ## TODO
 
 * `-mdiv`, `-mno-div`, `-mfdiv`, `-mno-fdiv`, `-msave-restore`,
