On Wed, Apr 18, 2018 at 1:57 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> On Wed, Apr 18, 2018 at 4:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote:
>> On Wed, Apr 18, 2018 at 1:39 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
>>
>>>>> Here is a patch to add -mnop and use it with -fcf-protection.
>>>>
>>>> +mnop
>>>> +Target Report Var(flag_nop) Init(0)
>>>> +Support multi-byte NOP code generation.
>>>>
>>>> the option name is incredibly bad and the documentation doesn't make it
>>>> better either. The invoke.texi docs refer to duplicate {-mcet}.
>>>>
>>>> Isn't there a -fcf-protection sub-set that can be used to automatically
>>>> enable this? Or simply do this mode by default when
>>>> -fcf-protection is used but neither -mcet nor -mibt is enabled?
>>>
>>> Make -fcf-protection default to multi-byte NOPs works. Uros,
>>> should I prepare a patch?
>>
>> Please make it an opt-in feature, so the compiler won't litter the
>> executable with unnecessary nops without user consent.
>>
>
> -fcf-protection is off by default. Users need to pass -fcf-protection
> to enable it. I will work on such a patch.
Please note that currently all libraries are compiled with
"-fcf-protection -mcet" by default, even without using --enable-cet
during configure. The CET instrumentation of libraries should be put
under strict user control, so please remove the "default" from
config/cet.m4.
Uros.
