On Wed, Apr 18, 2018 at 3:34 AM, Jakub Jelinek <ja...@redhat.com> wrote:
> On Wed, Apr 18, 2018 at 12:30:03PM +0200, Richard Biener wrote:
>> On Wed, 18 Apr 2018, Uros Bizjak wrote:
>>
>> > Hello!
>> >
>> > Currently, CET is enabled by default for linux if target supports
>> > multi-byte NOPs and if assembler supports CET insn. Effectively, with
>> > newer binutils, CET support is an opt-out feature.
>> >
>> > I don't think this should be the case, and I propose to consider CET
>> > as an opt-in feature. Multi-byte NOPs have non-zero cost (at least
>> > they increase the binary). If someone wants to enable the feature, it
>> > can be done in less surprising way to --enable-cet during configure
>> > time.
>> >
>> > I'd like to hear the opinion of RMs, if CET should remain to be an
>> > opt-out feature by default?
>>
>> My personal opinion is that CET should be opt-in (I explicitly
>> disable it for SUSE). I'm not sure if it doesn't go the way MPX
>
> I agree it should be opt-in, have said that in the past already.
> In Fedora it will not make a difference, as the whole distro is
> built with -mcet -fcf-protection on i?86/x86_64.
>
I submitted a patch to add -mnop to enable multi-byte NOP code generation
which can be used with -fcf-protection to implement indirect branch and
return address tracking without -mcet:

https://gcc.gnu.org/ml/gcc-patches/2018-04/msg00868.html

--
H.J.