On openbsd amd64, emit IBT endbr64 instructions by default (meaning,

-fcf-protection=branch is the default).  All binaries grow slightly, but
we can slowly move towards greater IBT enforcement in userland.
4th or 5th variation of this diff, with mortimer
ok kettenis

diff --git a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
index 67d4c1d..3c80a6e 100644 (file)
--- a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
+++ b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
@@ -6014,6 +6014,9 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
   if (Arg *A = Args.getLastArg(options::OPT_fcf_protection_EQ)) {
     CmdArgs.push_back(
         Args.MakeArgString(Twine("-fcf-protection=") + A->getValue()));
+  } else if (Triple.isOSOpenBSD() && Triple.getArch() == llvm::Triple::x86_64) {
+    // Emit IBT endbr64 instructions by default
+    CmdArgs.push_back("-fcf-protection=branch");
   }
 
   // Forward -f options with positive and negative forms; we translate these by