From: deraadt
Date: Wed, 26 Apr 2023 22:04:58 +0000 (+0000)
Subject: On openbsd amd64, emit IBT endbr64 instructions by default (meaning,
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bba006a81846d90e529167c689ea0d456b4599bc;p=openbsd
On openbsd amd64, emit IBT endbr64 instructions by default (meaning, -fcf-protection=branch is the default). All binaries grow slightly, but we can slowly move towards greater IBT enforcement in userland. 4th or 5th variation of this diff, with mortimer ok kettenis
---
diff --git a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
index 67d4c1daa78..3c80a6e88e8 100644
--- a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
+++ b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
@@ -6014,6 +6014,9 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
 if (Arg *A = Args.getLastArg(options::OPT_fcf_protection_EQ)) {
 CmdArgs.push_back(
 Args.MakeArgString(Twine("-fcf-protection=") + A->getValue()));
+ } else if (Triple.isOSOpenBSD() && Triple.getArch() == llvm::Triple::x86_64) {
+ // Emit IBT endbr64 instructions by default
+ CmdArgs.push_back("-fcf-protection=branch");
 }
 // Forward -f options with positive and negative forms; we translate these by
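Review bot: The one-line comment on the new `else if` branch does not say that this is only a default, nor that it covers only code this driver compiles. Because the branch is the `else` of the `getLastArg(options::OPT_fcf_protection_EQ)` test, any explicit `-fcf-protection=` value, including `none`, still wins, and the comment should record that opt-out, e.g. `// OpenBSD/amd64 default: -fcf-protection=branch (IBT endbr64 landing pads); an explicit -fcf-protection= value, including none, overrides it.` Emitting the landing pads does not by itself enforce anything, and hand-written assembly or objects from other toolchains presumably still need their own `endbr64` at indirect-branch targets before enforcement can be tightened. No driver test for the new default is visible in this patch; a check that the cc1 line carries `-fcf-protection=branch` for an OpenBSD x86_64 triple, and not for other triples, would pin the behaviour. `Clang::ConstructJob` begins and ends outside the hunk.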