> -----Original Message-----
> From: gcc-patches-ow...@gcc.gnu.org [mailto:gcc-patches-ow...@gcc.gnu.org] On Behalf Of H.J. Lu
> Sent: Wednesday, April 18, 2018 1:39 PM
> To: Richard Biener <richard.guent...@gmail.com>
> Cc: Uros Bizjak <ubiz...@gmail.com>; gcc-patches@gcc.gnu.org; Tsimbalist, Igor V <igor.v.tsimbal...@intel.com>
> Subject: Re: [PATCH] x86: Allow -fcf-protection with multi-byte NOPs
>
> On Wed, Apr 18, 2018 at 4:35 AM, Richard Biener <richard.guent...@gmail.com> wrote:
> > On Wed, Apr 18, 2018 at 1:24 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> >> On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> >>> On Tue, Apr 17, 2018 at 12:25 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> >>>> On Tue, Apr 17, 2018 at 12:03 PM, H.J. Lu <hjl.to...@gmail.com> wrote:
> >>>>> On Tue, Apr 17, 2018 at 11:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote:
> >>>>>> On Tue, Apr 17, 2018 at 8:42 PM, H.J. Lu <hongjiu...@intel.com> wrote:
> >>>>>>> -fcf-protection -mcet can't be used with IFUNC features, like symbol
> >>>>>>> multiversioning or target clone, since IBT/SHSTK are applied to the whole
> >>>>>>> program and they may be disabled in some functions. But -fcf-protection
> >>>>>>> is implemented with multi-byte NOPs on all 64-bit processors as well as
> >>>>>>> 32-bit processors starting with Pentium Pro. If -fcf-protection requires
> >>>>>>> -mcet, IFUNC features can't be used on Linux when -fcf-protection is
> >>>>>>> enabled by default.
> >>>>>>>
> >>>>>>> This patch changes -fcf-protection to enable the NOP portion of CET
> >>>>>>> ISAs unless IBT and/or SHSTK are disabled explicitly. The rest of CET
> >>>>>>> ISAs, including intrinsics, still requires -mcet, -mibt or -mshstk.
> >>>>>>>
> >>>>>>> OK for trunk?
> >>>>>>
> >>>>>> As said in the PR, NOP sequences have non-zero cost in the executable
> >>>>>> (they enlarge the executable), so I don't think this feature should be
> >>>>>> enabled by default.
> >>>>>>
> >>>>>> There is always a configure option if someone wants their compiler to
> >>>>>> always emit relevant multi-byte nops.
> >>>>>
> >>>>> What we need is an option to enable -fcf-function with multi-byte NOPs
> >>>>> without -mcet which enables the full CET ISAs. A configure option
> >>>>> without the corresponding command-line option makes test and
> >>>>> debug difficult. I can add
> >>>>>
> >>>>> --enable-cf-function-nop or --with-cf-function-nop
> >>>>>
> >>>>> with
> >>>>>
> >>>>> -fct-function-nop
> >>>>>
> >>>>
> >>>> How about adding -mno-cet, which enables the NOP portion of CET
> >>>
> >>> I meant -mnop-cet, not -mno-cet.
> >>>
> >>
> >> Here is a patch to add -mnop and use it with -fcf-protection.
> >
> > +mnop
> > +Target Report Var(flag_nop) Init(0)
> > +Support multi-byte NOP code generation.
> >
> > the option name is incredibly bad and the documentation doesn't make it
> > better either. The invoke.texi docs refer to duplicate {-mcet}.
> >
> > Isn't there a -fcf-protection sub-set that can be used to automatically
> > enable this? Or simply do this mode by default when
> > -fcf-protection is used but neither -mcet nor -mibt is enabled?
>
> Make -fcf-protection default to multi-byte NOPs works. Uros,
> should I prepare a patch?

This is going to change the designed approach and has to be communicated to/agreed with other compilers. And I assume there will be no extra option introduced, like -mnop.

Igor

> --
> H.J.
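
Review bot: the help string on the quoted `+mnop` record, "Support multi-byte NOP code generation.", does not say what the option is for, so a user reading the option summary cannot tell that it controls the NOP-encoded part of CET used by -fcf-protection. If a separate option is kept at all, give it a name and a `Var(...)` that tie it to CET (the thread already floats -mnop-cet rather than `mnop` / `flag_nop`), and have the description state that it emits the IBT/SHSTK instructions that execute as multi-byte NOPs and how it interacts with -mcet, -mibt and -mshstk. With `Init(0)` the option is off by default, so the description should also say whether -fcf-protection turns it on implicitly.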