Re: [PATCH] x86: Allow -fcf-protection with multi-byte NOPs

["H.J. Lu" <hjl dot tools at gmail dot com>]

On Tue, Apr 17, 2018 at 12:03 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Tue, Apr 17, 2018 at 11:55 AM, Uros Bizjak <ubizjak@gmail.com> wrote:
>> On Tue, Apr 17, 2018 at 8:42 PM, H.J. Lu <hongjiu.lu@intel.com> wrote:
>>> -fcf-protection -mcet can't be used with IFUNC features, like symbol
>>> multiversioning or target clone, since IBT/SHSTK are applied to the whole
>>> program and they may be disabled in some functions.  But -fcf-protection
>>> is implemented with multi-byte NOPs on all 64-bit processors as well as
>>> 32-bit processors starting with Pentium Pro.  If -fcf-protection requires
>>> -mcet, IFUNC features can't be used on Linux when -fcf-protection is
>>> enabled by default.
>>>
>>> This patch changes -fcf-protection to to enable the NOP portion of CET
>>> ISAs unless IBT and/or SHSTK are disabled explicitly.  The rest of CET
>>> ISAs, including intrinsics, still requires -mcet, -mibt or -mshstk.
>>>
>>> OK for trunk?
>>
>> As said in the PR, NOP sequences have non-zero cost in the executable
>> (they enlarge the executable), so I don't think this feature should be
>> enabled by default.
>>
>> There is always a configure option if someone wants their compiler to
>> always emit relevant multi-byte nops.
>
> What we need is an option to enable -fcf-function with multi-byte NOPs
> without -mcet which enables the full CET ISAs.  A configure option
> without the corresponding the command-line option makes test and
> debug difficult.   I can add
>
> --enable-cf-function-nop or --with-cf-function-nop
>
> with
>
> -fct-function-nop
>

How about adding -mno-cet, which enables the NOP portion of CET
ISAs?

-- 
H.J.