On Wed, Apr 18, 2018 at 4:35 AM, Richard Biener
<richard.guent...@gmail.com> wrote:
> On Wed, Apr 18, 2018 at 1:24 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>> On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>>> On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>>>> On Tue, Apr 17, 2018 at 12:03 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>>>>> On Tue, Apr 17, 2018 at 11:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote:
>>>>>> On Tue, Apr 17, 2018 at 8:42 PM, H.J. Lu <hongjiu...@intel.com> wrote:
>>>>>>> -fcf-protection -mcet can't be used with IFUNC features, like symbol
>>>>>>> multiversioning or target clone, since IBT/SHSTK are applied to the
>>>>>>> whole
>>>>>>> program and they may be disabled in some functions. But -fcf-protection
>>>>>>> is implemented with multi-byte NOPs on all 64-bit processors as well as
>>>>>>> 32-bit processors starting with Pentium Pro. If -fcf-protection
>>>>>>> requires
>>>>>>> -mcet, IFUNC features can't be used on Linux when -fcf-protection is
>>>>>>> enabled by default.
>>>>>>>
>>>>>>> This patch changes -fcf-protection to to enable the NOP portion of CET
>>>>>>> ISAs unless IBT and/or SHSTK are disabled explicitly. The rest of CET
>>>>>>> ISAs, including intrinsics, still requires -mcet, -mibt or -mshstk.
>>>>>>>
>>>>>>> OK for trunk?
>>>>>>
>>>>>> As said in the PR, NOP sequences have non-zero cost in the executable
>>>>>> (they enlarge the executable), so I don't think this feature should be
>>>>>> enabled by default.
>>>>>>
>>>>>> There is always a configure option if someone wants their compiler to
>>>>>> always emit relevant multi-byte nops.
>>>>>
>>>>> What we need is an option to enable -fcf-function with multi-byte NOPs
>>>>> without -mcet which enables the full CET ISAs. A configure option
>>>>> without the corresponding the command-line option makes test and
>>>>> debug difficult. I can add
>>>>>
>>>>> --enable-cf-function-nop or --with-cf-function-nop
>>>>>
>>>>> with
>>>>>
>>>>> -fct-function-nop
>>>>>
>>>>
>>>> How about adding -mno-cet, which enables the NOP portion of CET
>>>
>>> I meant -mnop-cet, not -mno-cet.
>>>
>>
>> Here is a patch to add -mnop and use it with -fcf-protection.
>
> +mnop
> +Target Report Var(flag_nop) Init(0)
> +Support multi-byte NOP code generation.
>
> the option name is incredibly bad and the documentation doesn't make it
> better either. The invoke.texi docs refer to duplicate {-mcet}.
>
> Isn't there a -fcf-protection sub-set that can be used to automatically
> enable this? Or simply do this mode by default when
> -fcf-protection is used but neither -mcet nor -mibt is enabled?
Make -fcf-protection default to multi-byte NOPs works. Uros,
should I prepare a patch?
--
H.J.
