Jump Oriented Programming attacks rely on tampering addresses used by indirect call / jmp, e.g. redirect control-flow to non-programmer intended bytes in binary.
X86 Supports Indirect Branch Tracking (IBT) as part of Control-Flow Enforcement Technology (CET).
IBT instruments ENDBR instructions used to specify valid targets of indirect call / jmp.
The `nocf_check` attribute has two roles in the context of X86 IBT technology:
- Appertains to a function - do not add ENDBR instruction at the beginning of the function.
- Appertains to a function pointer - do not track the target function of this pointer by adding nocf_check prefix to the indirect-call instruction.
When the CPU decodes `nocf_check` prefix, it will not update IBT state machine, hence, the target addresses of the following indirect jump will not be tracked.
So in that case there is no need for ENDBR instructions.
The patch implements `nocf_check` context for Indirect Branch Tracking.
It also auto generates `nocf_check` prefixes before indirect branchs to jump tables that are guarded by range checks.
Those cases are common in switch-case statements and it is safe to optimize them.
Meaning instead of adding many ENDBR instructions for each target address of a case statement, we add a single`nocf_check` prefix before the indirect jump of the switch statement.
SDLoc should be passed by const reference I think.