On Wed, Apr 18, 2018 at 5:08 AM, Uros Bizjak <ubiz...@gmail.com> wrote: > On Wed, Apr 18, 2018 at 1:57 PM, H.J. Lu <hjl.to...@gmail.com> wrote: >> On Wed, Apr 18, 2018 at 4:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote: >>> On Wed, Apr 18, 2018 at 1:39 PM, H.J. Lu <hjl.to...@gmail.com> wrote: >>> >>>>>> Here is a patch to add -mnop and use it with -fcf-protection. >>>>> >>>>> +mnop >>>>> +Target Report Var(flag_nop) Init(0) >>>>> +Support multi-byte NOP code generation. >>>>> >>>>> the option name is incredibly bad and the documentation doesn't make it >>>>> better either. The invoke.texi docs refer to duplicate {-mcet}. >>>>> >>>>> Isn't there a -fcf-protection sub-set that can be used to automatically >>>>> enable this? Or simply do this mode by default when >>>>> -fcf-protection is used but neither -mcet nor -mibt is enabled? >>>> >>>> Make -fcf-protection default to multi-byte NOPs works. Uros, >>>> should I prepare a patch? >>> >>> Please make it an opt-in feature, so the compiler won't litter the >>> executable with unnecessary nops without user consent. >>> >> >> -fcf-protection is off by default. Users need to pass -fcf-protection >> to enable it. I will work on such a patch. > > Please note that currently all libraries are compiled with > "-fcf-protection -mcet" by default, even without using --enable-cet > during configure. The CET instrumentation of libraries should be put > under strict user control, so please remove the "default" from > config/cet.m4. >
Igor, please prepare such a patch to config/cet.m4. -- H.J.