On Wed, Apr 18, 2018 at 1:24 PM, H.J. Lu <hjl.to...@gmail.com> wrote: > On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote: >> On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote: >>> On Tue, Apr 17, 2018 at 12:03 PM, H.J. Lu <hjl.to...@gmail.com> wrote: >>>> On Tue, Apr 17, 2018 at 11:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote: >>>>> On Tue, Apr 17, 2018 at 8:42 PM, H.J. Lu <hongjiu...@intel.com> wrote: >>>>>> -fcf-protection -mcet can't be used with IFUNC features, like symbol >>>>>> multiversioning or target clone, since IBT/SHSTK are applied to the whole >>>>>> program and they may be disabled in some functions. But -fcf-protection >>>>>> is implemented with multi-byte NOPs on all 64-bit processors as well as >>>>>> 32-bit processors starting with Pentium Pro. If -fcf-protection requires >>>>>> -mcet, IFUNC features can't be used on Linux when -fcf-protection is >>>>>> enabled by default. >>>>>> >>>>>> This patch changes -fcf-protection to to enable the NOP portion of CET >>>>>> ISAs unless IBT and/or SHSTK are disabled explicitly. The rest of CET >>>>>> ISAs, including intrinsics, still requires -mcet, -mibt or -mshstk. >>>>>> >>>>>> OK for trunk? >>>>> >>>>> As said in the PR, NOP sequences have non-zero cost in the executable >>>>> (they enlarge the executable), so I don't think this feature should be >>>>> enabled by default. >>>>> >>>>> There is always a configure option if someone wants their compiler to >>>>> always emit relevant multi-byte nops. >>>> >>>> What we need is an option to enable -fcf-function with multi-byte NOPs >>>> without -mcet which enables the full CET ISAs. A configure option >>>> without the corresponding the command-line option makes test and >>>> debug difficult. I can add >>>> >>>> --enable-cf-function-nop or --with-cf-function-nop >>>> >>>> with >>>> >>>> -fct-function-nop >>>> >>> >>> How about adding -mno-cet, which enables the NOP portion of CET >> >> I meant -mnop-cet, not -mno-cet. >> > > Here is a patch to add -mnop and use it with -fcf-protection.
+mnop +Target Report Var(flag_nop) Init(0) +Support multi-byte NOP code generation. the option name is incredibly bad and the documentation doesn't make it better either. The invoke.texi docs refer to duplicate {-mcet}. Isn't there a -fcf-protection sub-set that can be used to automatically enable this? Or simply do this mode by default when -fcf-protection is used but neither -mcet nor -mibt is enabled? > > -- > H.J.