From cb7894d644a51d794d742a843f01f56afe175e55 Mon Sep 17 00:00:00 2001 From: ouyangxiangzhen Date: Thu, 20 Jun 2024 20:03:41 +0800 Subject: [PATCH] arch/x86_64: Add ARCH_INTEL64_DISABLE_CET Intel CET (Control-flow Enforcement Technology) is a hardware enhancement aimed at mitigating the Retpoline vulnerability, but it may impact CPU branch prediction performance. This commit added ARCH_INTEL64_DISABLE_CET, which can disable CET completely with compilation option `-fcf-protection=none`. Signed-off-by: ouyangxiangzhen --- arch/x86_64/src/common/Toolchain.defs | 4 ++++ arch/x86_64/src/intel64/Kconfig | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/arch/x86_64/src/common/Toolchain.defs b/arch/x86_64/src/common/Toolchain.defs index cd67920826..b3f36be40f 100644 --- a/arch/x86_64/src/common/Toolchain.defs +++ b/arch/x86_64/src/common/Toolchain.defs @@ -32,6 +32,10 @@ ARCHCPUFLAGS = -fPIC -fno-stack-protector -mno-red-zone -mrdrnd ARCHPICFLAGS = -fPIC ARCHWARNINGS = -Wall -Wstrict-prototypes -Wshadow -Wundef +ifeq ($(CONFIG_ARCH_INTEL64_DISABLE_CET),y) + ARCHOPTIMIZATION += -fcf-protection=none +endif + # We have to use a cross-development toolchain under Cygwin because the native # Cygwin toolchains don't generate ELF binaries. diff --git a/arch/x86_64/src/intel64/Kconfig b/arch/x86_64/src/intel64/Kconfig index e8a17fde9e..53ce634be6 100644 --- a/arch/x86_64/src/intel64/Kconfig +++ b/arch/x86_64/src/intel64/Kconfig @@ -195,4 +195,13 @@ config ARCH_INTEL64_DISABLE_INT_INIT controllers. This is necessary if those are already initialized, i.e. Jailhouse system. +config ARCH_INTEL64_DISABLE_CET + bool "Disable CET completely" + ---help--- + Intel CET (Control-flow Enforcement Technology) is a hardware + enhancement aimed at mitigating the Retpoline vulnerability. + It inserts the endbr64 instruction at the beginning of functions, + which may impact CPU branch prediction performance. + + endif