Add support for indirect branch tracking (IBT)

chen-hu-97 · chen-hu-97 · commit 7256b130c852 · 2022-04-26T02:26:48.000-07:00
Gcc already support IBT for most of the C code. This commit support IBT
for:
1. JIT
   Add endbr32/64 instruction in Dynasm.
   Insert endbr32/64 in indirect branch target for jitted code.
2. Fiber
   Add endbr in assembly.
   Inform compiler jump_fcontext may return via indirect branch.

Quote from Linux 5.18 git log:
Indirect branch tracking (IBT) is available since Intel Tigerlake (11th
gen) and Sapphire Rapids. It's also available on some AMD cpus. IBT is
hardware based, forward edge Control-Flow-Integrity mechanism where any
indirect CALL/JMP must target an ENDBR instruction or suffer #CP.

Signed-off-by: Chen, Hu &lt;hu1.chen@intel.com&gt;
diff --git a/Zend/asm/jump_x86_64_sysv_elf_gas.S b/Zend/asm/jump_x86_64_sysv_elf_gas.S
@@ -30,6 +30,7 @@
 .type jump_fcontext,@function
 .align 16
 jump_fcontext:
+    endbr64
     leaq  -0x38(%rsp), %rsp /* prepare stack */
 
 #if !defined(BOOST_USE_TSX)
diff --git a/Zend/asm/make_x86_64_sysv_elf_gas.S b/Zend/asm/make_x86_64_sysv_elf_gas.S
@@ -30,6 +30,7 @@
 .type make_fcontext,@function
 .align 16
 make_fcontext:
+    endbr64
     /* first arg of make_fcontext() == top of context-stack */
     movq  %rdi, %rax
 
@@ -66,11 +67,13 @@ make_fcontext:
 trampoline:
     /* store return address on stack */
     /* fix stack alignment */
+    endbr64
     push %rbp
     /* jump to context-function */
     jmp *%rbx
 
 finish:
+    endbr64
     /* exit code is zero */
     xorq  %rdi, %rdi
     /* exit application */
diff --git a/Zend/zend_fibers.c b/Zend/zend_fibers.c
@@ -141,7 +141,7 @@ typedef struct {
 
 /* These functions are defined in assembler files provided by boost.context (located in "Zend/asm"). */
 extern void *make_fcontext(void *sp, size_t size, void (*fn)(boost_context_data));
-extern boost_context_data jump_fcontext(void *to, zend_fiber_transfer *transfer);
+extern boost_context_data jump_fcontext(void *to, zend_fiber_transfer *transfer) __attribute__ ((__indirect_return__));
 #endif
 
 ZEND_API zend_class_entry *zend_ce_fiber;
diff --git a/ext/opcache/jit/dynasm/dasm_x86.lua b/ext/opcache/jit/dynasm/dasm_x86.lua
@@ -1147,6 +1147,8 @@ local map_op = {
   rep_0 =	"F3",
   repe_0 =	"F3",
   repz_0 =	"F3",
+  endbr32_0 = "F30F1EFB",
+  endbr64_0 =	"F30F1EFA",
   -- F4: *hlt
   cmc_0 =	"F5",
   -- F6: test... mb,i; div... mb
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
