From: "David Seifert" <soap@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "David Seifert" <soap@gentoo.org>
Message-ID: <1638041417.51a7ace358097005038a0d31350b0c6d3da34e00.soap@gentoo>
Subject: [gentoo-commits] proj/gcc-patches:master commit in: 11.3.0/gentoo/
X-VCS-Repository: proj/gcc-patches
X-VCS-Files: 11.3.0/gentoo/26_all_enable-cet.patch 11.3.0/gentoo/README.history
X-VCS-Directories: 11.3.0/gentoo/
X-VCS-Committer: soap
X-VCS-Committer-Name: David Seifert
X-VCS-Revision: 51a7ace358097005038a0d31350b0c6d3da34e00
X-VCS-Branch: master
Date: Thu,  2 Dec 2021 15:03:02 +0000 (UTC)

commit:     51a7ace358097005038a0d31350b0c6d3da34e00
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 27 19:30:17 2021 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat Nov 27 19:30:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=51a7ace3

11.3.0: add patch to enable CET

Signed-off-by: David Seifert <soap <AT> gentoo.org>

 11.3.0/gentoo/26_all_enable-cet.patch | 101 ++++++++++++++++++++++++++++++++++
 11.3.0/gentoo/README.history          |   1 +
 2 files changed, 102 insertions(+)

diff --git a/11.3.0/gentoo/26_all_enable-cet.patch b/11.3.0/gentoo/26_all_enable-cet.patch
new file mode 100644
index 0000000..77678a9
--- /dev/null
+++ b/11.3.0/gentoo/26_all_enable-cet.patch
@@ -0,0 +1,101 @@
+From c1f37f6e3a4fcdefb6b3dfc3d84fc42920a70c00 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sat, 27 Nov 2021 19:16:02 +0000
+Subject: [PATCH] Enable CET (-fcf-protection=full) by default
+
+Needs:
+- CET to be enabled for GCC
+- -DEXTRA_OPTIONS_CF to be passed during build (via toolchain.eclass)
+  for now to avoid accidentally enabling it on other arches.
+
+  Only supported on amd64.
+---
+ gcc/common.opt                 |  2 +-
+ gcc/config/i386/i386-options.c |  5 +++++
+ gcc/defaults.h                 | 13 +++++++++++++
+ gcc/flag-types.h               |  1 +
+ gcc/toplev.c                   |  4 +++-
+ 5 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/gcc/common.opt b/gcc/common.opt
+index a88778b4e..4993a7ec3 100644
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -1783,7 +1783,7 @@ fcf-protection
+ Common RejectNegative Alias(fcf-protection=,full)
+ 
+ fcf-protection=
+-Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE)
++Common Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_UNSET)
+ -fcf-protection=[full|branch|return|none|check]	Instrument functions with checks to verify jump/call/return control-flow transfer
+ instructions have valid targets.
+ 
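Review bot: The Init(CF_UNSET) change in gcc/common.opt is unconditional, although the patch description says the new default is gated on -DEXTRA_OPTIONS_CF and is amd64-only. Every target now starts with flag_cf_protection holding the sentinel rather than CF_NONE, whether or not EXTRA_OPTIONS_CF is defined. The description should say so, and the option's help text could state what the default is when nothing is passed.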
+diff --git a/gcc/config/i386/i386-options.c b/gcc/config/i386/i386-options.c
+index 18d2c0b9f..4fb76f2a1 100644
+--- a/gcc/config/i386/i386-options.c
++++ b/gcc/config/i386/i386-options.c
+@@ -3037,6 +3037,11 @@ ix86_option_override_internal (bool main_args_p,
+         = build_target_option_node (opts, opts_set);
+     }
+ 
++  if (flag_cf_protection == CF_UNSET)
++    {
++      flag_cf_protection = DEFAULT_FLAG_CF;
++    }
++
+   if (opts->x_flag_cf_protection != CF_NONE)
+     {
+       if ((opts->x_flag_cf_protection & CF_BRANCH) == CF_BRANCH
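Review bot: The added block in ix86_option_override_internal tests and assigns the global flag_cf_protection, while the check directly after it reads opts->x_flag_cf_protection. If opts is ever not the global options structure, the default is written to a different object from the one tested on the next line. Using opts->x_flag_cf_protection in the added block keeps the two consistent; the braces around the single assignment can also be dropped.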
+diff --git a/gcc/defaults.h b/gcc/defaults.h
+index 0f6cd78c5..5694412b7 100644
+--- a/gcc/defaults.h
++++ b/gcc/defaults.h
+@@ -1463,6 +1463,19 @@ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
+ #define DEFAULT_FLAG_SCP 0
+ #endif
+ 
++/* Default value for flag_cf_protection when flag_cf_protection is
++   initialized to CF_FULL.
++
++   We use a new option (EXTRA_OPTIONS_CF) here to avoid turning
++   this on accidentally for other arches. */
++#ifdef EXTRA_OPTIONS_CF
++#define DEFAULT_FLAG_CF CF_FULL
++#endif
++#ifndef DEFAULT_FLAG_CF
++#define DEFAULT_FLAG_CF CF_NONE
++#endif
++
++
+ /* By default, the C++ compiler will use function addresses in the
+    vtable entries.  Setting this nonzero tells the compiler to use
+    function descriptors instead.  The value of this macro says how
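Review bot: The comment above DEFAULT_FLAG_CF says the default applies when flag_cf_protection is "initialized to CF_FULL", but the common.opt hunk in this same patch initializes it to CF_UNSET, so the comment should name CF_UNSET. The hunk also adds two consecutive blank lines after the last #endif where one is enough.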
+diff --git a/gcc/flag-types.h b/gcc/flag-types.h
+index a038c8fb7..61be0b128 100644
+--- a/gcc/flag-types.h
++++ b/gcc/flag-types.h
+@@ -389,6 +389,7 @@ enum gfc_convert
+ /* Control-Flow Protection values.  */
+ enum cf_protection_level
+ {
++  CF_UNSET = -1,
+   CF_NONE = 0,
+   CF_BRANCH = 1 << 0,
+   CF_RETURN = 1 << 1,
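Review bot: CF_UNSET = -1 is added to an enum whose other members are bit flags (CF_BRANCH = 1 << 0, CF_RETURN = 1 << 1), and -1 has every bit set, so an unresolved CF_UNSET passes any mask test of the form (flag & CF_BRANCH). A comment on the enumerator saying that it is a sentinel which must be replaced before any bitwise test would make that constraint visible to later readers of flag-types.h.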
+diff --git a/gcc/toplev.c b/gcc/toplev.c
+index ea0a2a1b0..d110c84ee 100644
+--- a/gcc/toplev.c
++++ b/gcc/toplev.c
+@@ -1297,7 +1297,9 @@ process_options (void)
+ 	   "%<-floop-nest-optimize%>, %<-floop-parallelize-all%>)");
+ #endif
+ 
+-  if (flag_cf_protection != CF_NONE
++  /* Gentoo: we add CF_UNSET here just to be safe, but we only patch the default
++     for amd64 + when CET is definitely enabled anyway. */
++  if ((flag_cf_protection != CF_NONE) && (flag_cf_protection != CF_UNSET)
+       && !(flag_cf_protection & CF_SET))
+     {
+       if (flag_cf_protection == CF_FULL)
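Review bot: The added CF_UNSET comparison in process_options only skips this block and leaves the flag at CF_UNSET, and the comment ("just to be safe") does not say which configurations reach this point with the sentinel still in place. The patch replaces CF_UNSET only in i386-options.c, so nothing visible here resolves it for other targets. Either state that in the comment or map CF_UNSET to CF_NONE at this point so that later code never sees -1. The extra parentheses around each comparison are not needed.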
+-- 
+2.34.1

diff --git a/11.3.0/gentoo/README.history b/11.3.0/gentoo/README.history
index f12e753..2fe9c27 100644
--- a/11.3.0/gentoo/README.history
+++ b/11.3.0/gentoo/README.history
@@ -24,3 +24,4 @@
 	+ 23_all_EXTRA_OPTIONS-fstack-clash-protection.patch
 	+ 24_all_lto-intl-workaround-PR95194.patch
 	+ 25_all_plugin-objdump.patch
+	+ 26_all_enable-cet.patch