https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816
--- Comment #6 from peterz at infradead dot org ---
(In reply to H.J. Lu from comment #5)
> (In reply to Andrew Cooper from comment #4)
> > I've worked around this in Xen with:
> > https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=9d4a44380d273de22d5753883cbf5581795ff24d
> > and
> > https://lore.kernel.org/lkml/YiXpv0q88paPHPqF@hirez.programming.kicks-ass.net/
> > is pending for Linux.
> >
> > IMO, it's an error that -fcf-protection=branch is not obeyed for jump
> > tables, and we don't want to end up in a situation where jump tables are
> > unusable with CET.
>
> Are you suggesting to add an option to generate jump table with ENDBR?

I would suggest having -fcf-protection=branch generate ENDBR for jump-tables
and never generate NOTRACK prefix. Then add a mode that allows NOTRACK
prefixes, perhaps -fcf-protection=branch,notrack. IBT without NOTRACK is the
strongest form; it would be daft to require additional parameters for that.