ENDBR is a special new instruction for the Indirect Branch Tracking (IBT) component of CET. IBT prevents attacks by ensuring that (most) indirect branches and function calls may only land at ENDBR instructions. Branches that don't follow the rules will result in control flow (#CF) exceptions. ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR instructions are inserted automatically by the compiler, but branch targets written in assembly must have ENDBR added manually. There are two ENDBR versions: one for 64-bit and the other for 32. Introduce a macro to eliminate ifdeffery at call sites. Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxx> Cc: Borislav Petkov <bp@xxxxxxxxx> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> Cc: Jarkko Sakkinen <jarkko@xxxxxxxxxx> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx> --- arch/x86/entry/calling.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h index 07a9331d55e7..a63d33f7f069 100644 --- a/arch/x86/entry/calling.h +++ b/arch/x86/entry/calling.h @@ -392,3 +392,21 @@ For 32-bit we have the following conventions - kernel is built with .endm #endif /* CONFIG_SMP */ +/* + * ENDBR is an instruction for the Indirect Branch Tracking (IBT) component + * of CET. IBT prevents attacks by ensuring that (most) indirect branches + * function calls may only land at ENDBR instructions. Branches that don't + * follow the rules will result in control flow (#CF) exceptions. + * ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR + * instructions are inserted automatically by the compiler, but branch + * targets written in assembly must have ENDBR added manually. + */ +.macro ENDBR +#ifdef CONFIG_X86_CET +#ifdef __i386__ + endbr32 +#else + endbr64 +#endif +#endif +.endm -- 2.21.0