On Wed, Apr 18, 2018 at 1:57 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> On Wed, Apr 18, 2018 at 4:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote:
>> On Wed, Apr 18, 2018 at 1:39 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>>
>>>>> Here is a patch to add -mnop and use it with -fcf-protection.
>>>>
>>>> +mnop
>>>> +Target Report Var(flag_nop) Init(0)
>>>> +Support multi-byte NOP code generation.
>>>>
>>>> the option name is incredibly bad and the documentation doesn't make it
>>>> better either. The invoke.texi docs refer to duplicate {-mcet}.
>>>>
>>>> Isn't there a -fcf-protection sub-set that can be used to automatically
>>>> enable this? Or simply do this mode by default when
>>>> -fcf-protection is used but neither -mcet nor -mibt is enabled?
>>>
>>> Make -fcf-protection default to multi-byte NOPs works. Uros,
>>> should I prepare a patch?
>>
>> Please make it an opt-in feature, so the compiler won't litter the
>> executable with unnecessary nops without user consent.
>>
>
> -fcf-protection is off by default. Users need to pass -fcf-protection
> to enable it. I will work on such a patch.
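
Review bot: In the quoted option-file lines, the help text for `mnop` ("Support multi-byte NOP code generation.") does not say which code is emitted as NOPs or how the option relates to -fcf-protection, and `Var(flag_nop)` is just as generic. Suggest an option name, variable name and description that tie it to control-flow protection, and have the documentation state that `Init(0)` leaves it off unless the user asks for it.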

Please note that currently all libraries are compiled with
"-fcf-protection -mcet" by default, even without using --enable-cet
during configure. The CET instrumentation of libraries should be put
under strict user control, so please remove the "default" from
config/cet.m4.

Uros.