diff options
| author | Andrea Corallo <andrea.corallo@arm.com> | 2021-12-06 11:39:03 +0100 |
|---|---|---|
| committer | Andrea Corallo <andrea.corallo@arm.com> | 2023-01-23 11:22:02 +0100 |
| commit | 14fab5fb9aa6432ca59fb02b7b82ac17093f4de2 (patch) | |
| tree | dc159627475e0243d89b300a265b9b7a23f112db /gcc/doc | |
| parent | c91bb7b9fc87284f5382d9fb04db0cb10f6c1fe9 (diff) | |
| download | gcc-14fab5fb9aa6432ca59fb02b7b82ac17093f4de2.zip gcc-14fab5fb9aa6432ca59fb02b7b82ac17093f4de2.tar.gz gcc-14fab5fb9aa6432ca59fb02b7b82ac17093f4de2.tar.bz2 | |
[PATCH 3/15] arm: Add option -mbranch-protection
Add -mbranch-protection option. This option enables the
code-generation of pointer signing and authentication instructions in
function prologues and epilogues.
gcc/ChangeLog:
* config/arm/arm.cc (arm_configure_build_target): Parse and validate
-mbranch-protection option and initialize appropriate data structures.
* config/arm/arm.opt (-mbranch-protection): New option.
* doc/invoke.texi (Arm Options): Document it.
Co-Authored-By: Tejas Belagod <tbelagod@arm.com>
Co-Authored-By: Richard Earnshaw <Richard.Earnshaw@arm.com>
Diffstat (limited to 'gcc/doc')
| -rw-r--r-- | gcc/doc/invoke.texi | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index e37e92f..b4a271d 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -850,7 +850,9 @@ Objective-C and Objective-C++ Dialects}. -mcmse @gol -mfix-cmse-cve-2021-35465 @gol -mstack-protector-guard=@var{guard} -mstack-protector-guard-offset=@var{offset} @gol --mfdpic} +-mfdpic @gol +-mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf}] +[+@var{bti}]|@var{bti}[+@var{pac-ret}[+@var{leaf}]]} @emph{AVR Options} @gccoptlist{-mmcu=@var{mcu} -mabsdata -maccumulate-args @gol @@ -22556,6 +22558,40 @@ The opposite @option{-mno-fdpic} option is useful (and required) to build the Linux kernel using the same (@code{arm-*-uclinuxfdpiceabi}) toolchain as the one used to build the userland programs. +@item +-mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf}][+@var{bti}]|@var{bti}[+@var{pac-ret}[+@var{leaf}]] +@opindex mbranch-protection +Enable branch protection features (armv8.1-m.main only). +@samp{none} generate code without branch protection or return address +signing. +@samp{standard[+@var{leaf}]} generate code with all branch protection +features enabled at their standard level. +@samp{pac-ret[+@var{leaf}]} generate code with return address signing +set to its standard level, which is to sign all functions that save +the return address to memory. +@samp{leaf} When return address signing is enabled, also sign leaf +functions even if they do not write the return address to memory. ++@samp{bti} Add landing-pad instructions at the permitted targets of +indirect branch instructions. + +If the @samp{+pacbti} architecture extension is not enabled, then all +branch protection and return address signing operations are +constrained to use only the instructions defined in the +architectural-NOP space. The generated code will remain +backwards-compatible with earlier versions of the architecture, but +the additional security can be enabled at run time on processors that +support the @samp{PACBTI} extension. + +Branch target enforcement using BTI can only be enabled at runtime if +all code in the application has been compiled with at least +@samp{-mbranch-protection=bti}. + +Any setting other than @samp{none} is supported only on armv8-m.main +or later. + +The default is to generate code without branch protection or return +address signing. + @end table @node AVR Options |