https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85417
--- Comment #5 from H.J. Lu <hjl.tools at gmail dot com> ---
(In reply to Uroš Bizjak from comment #4)
> (In reply to H.J. Lu from comment #2)
> > I am working to enable CET on Linux with a single binary. -fcf-protection
> > should provide CET protection on x86 by default. We can add a command-line
> > option if we want a different implementation.
>
> This should remain an opt-in feature, not opt-out. We can have
> --with-fcf-protection configure option to override the default.

-fcf-protection -mcet can't be used with IFUNC features, like symbol
multiversioning or target clone since IBT/SHSTK are applied to the whole
program and they may be disabled in some functions. But -fcf-protection
can be implemented with the NOP portion of IBT/SHSTK, which is compatible
with all functions. Without this, IFUNC can't be used on Linux when
-fcf-protection is enabled by default.