* H. J. Lu:

>> >> > Generate jump tables with ENDBR and skip the NOTRACK prefix for indirect
>> >> > jump. Document -mno-cet-switch to turn off CET instrumentation on jump
>> >> > tables for switch statements.
>> >>
>> >> Of course, that is a slight regression in security hardening.
>> >>
>> >> Quite frankly, I'm puzzled why the kernel decided to require these
>> >> additional ENDBR instructions.
>> >
>> > Kernel is using -mcet-switch today. Should we document -mcet-switch
>> > and keep it off by default instead?
>>
>> Sorry, I'm not 100% certain of the mechanics/options involved.
>>
>> I think the default should reflect userspace requirements, like with the
>> red zone and vector register usage for integer code.
>
> The question is if the compiler should use NOTRACK by default for
> the jump table. It is independent of whether NOTRACK is enabled or
> not.
NOTRACK avoids the need for ENDBR instructions, right? That's a hardening
improvement, so it should be used by default.

Thanks,
Florian
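The two code-generation strategies under discussion are easy to tell apart in the compiler's assembly output, and the check below is the one a practitioner would run to see which one a given toolchain actually emits. It is an added example written for this page, not code from the thread, from GCC, or from the kernel build. With the NOTRACK strategy the dispatch is a `notrack jmp *%reg` and only the function entry carries `endbr64`; with the ENDBR-at-targets strategy (what `-mcet-switch` requests) the dispatch is a tracked `jmp *%reg` and every case label gets its own `endbr64` landing pad. The script classifies an assembly file by those two patterns; the `dispatch` routine, the `sample_asm` listings and the C switch it compiles are constructed for the example, and the live run assumes an x86-64 `gcc` that accepts `-fcf-protection=branch` and `-mcet-switch` (the assembler spellings `notrack` and `endbr64` are GNU as AT&T syntax).

```shell
#!/bin/sh
# Added example: classify how a switch jump table was lowered under IBT.
# Not code from the thread or from GCC; sample assembly below is hand-written.

# classify_jump_table FILE -> prints "notrack", "endbr-targets" or "unknown".
#   notrack       : indirect jump through the table carries the NOTRACK prefix,
#                   so the case labels need no ENDBR.
#   endbr-targets : a tracked "jmp *%reg" plus an endbr64 at the case labels
#                   (more ENDBRs than the single one at the function entry).
classify_jump_table() {
    asm="$1"
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e callers alive.
    notrack_jmps=$(grep -c -E '^[[:space:]]*notrack[[:space:]]+jmp[[:space:]]+\*' "$asm" || true)
    tracked_jmps=$(grep -c -E '^[[:space:]]*jmp[[:space:]]+\*' "$asm" || true)
    endbrs=$(grep -c -E '^[[:space:]]*endbr64' "$asm" || true)
    if [ "$notrack_jmps" -gt 0 ]; then
        echo notrack
    elif [ "$tracked_jmps" -gt 0 ] && [ "$endbrs" -gt 1 ]; then
        echo endbr-targets
    else
        echo unknown
    fi
}

# sample_asm MODE -> constructed AT&T assembly for a 3-way switch.
# MODE is "notrack" or "tracked". Hand-written to show the two shapes;
# it is not compiler output.
sample_asm() {
    case "$1" in
    notrack) cat <<'EOF'
dispatch:
    endbr64
    cmpl    $2, %edi
    ja      .Ldefault
    movl    %edi, %edi
    leaq    .Ltable(%rip), %rdx
    movslq  (%rdx,%rdi,4), %rax
    addq    %rdx, %rax
    notrack jmp *%rax
.Lcase0:
    movl    $10, %eax
    ret
.Lcase1:
    movl    $20, %eax
    ret
.Lcase2:
    movl    $30, %eax
    ret
.Ldefault:
    xorl    %eax, %eax
    ret
EOF
    ;;
    tracked) cat <<'EOF'
dispatch:
    endbr64
    cmpl    $2, %edi
    ja      .Ldefault
    movl    %edi, %edi
    leaq    .Ltable(%rip), %rdx
    movslq  (%rdx,%rdi,4), %rax
    addq    %rdx, %rax
    jmp     *%rax
.Lcase0:
    endbr64
    movl    $10, %eax
    ret
.Lcase1:
    endbr64
    movl    $20, %eax
    ret
.Lcase2:
    endbr64
    movl    $30, %eax
    ret
.Ldefault:
    xorl    %eax, %eax
    ret
EOF
    ;;
    esac
}

# compile_and_classify SRC.c [gcc flags...]: compile with IBT instrumentation
# and classify the jump table. Assumes an x86-64 gcc; prints nothing on failure.
compile_and_classify() {
    src="$1"; shift
    out=$(mktemp)
    gcc -O2 -fcf-protection=branch -S -o "$out" "$@" "$src" || { rm -f "$out"; return 1; }
    classify_jump_table "$out"
    rm -f "$out"
}

# Live run, only where a suitable gcc exists. The switch calls six different
# externals so the optimizer has a reason to build a jump table; "unknown"
# just means the compiler chose another lowering.
if [ "$(uname -m)" = x86_64 ] && command -v gcc >/dev/null 2>&1; then
    tmp=$(mktemp); src="$tmp.c"
    cat > "$src" <<'EOF'
extern void a(void), b(void), c(void), d(void), e(void), f(void);
void dispatch(int i) {
    switch (i) {
    case 0: a(); break; case 1: b(); break; case 2: c(); break;
    case 3: d(); break; case 4: e(); break; case 5: f(); break;
    }
}
EOF
    printf 'default:       %s\n' "$(compile_and_classify "$src" || echo 'compile failed')"
    printf '-mcet-switch:  %s\n' "$(compile_and_classify "$src" -mcet-switch || echo 'compile failed')"
    rm -f "$tmp" "$src"
fi
```

The classifier looks only at the shape of the dispatch, not at whether the hardware will honor it: the NOTRACK prefix is only meaningful when IBT is enabled and the NO_TRACK_EN bit is set, which is the point H. J. Lu makes above about the compiler default being independent of whether NOTRACK is enabled.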