From bba006a81846d90e529167c689ea0d456b4599bc Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 26 Apr 2023 22:04:58 +0000
Subject: [PATCH] On openbsd amd64, emit IBT endbr64 instructions by default (meaning, -fcf-protection=branch is the default). All binaries grow slightly, but we can slowly move towards greater IBT enforcement in userland. 4th or 5th variation of this diff, with mortimer ok kettenis
---
 gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
index 67d4c1daa78..3c80a6e88e8 100644
--- a/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
+++ b/gnu/llvm/clang/lib/Driver/ToolChains/Clang.cpp
@@ -6014,6 +6014,9 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
 if (Arg *A = Args.getLastArg(options::OPT_fcf_protection_EQ)) {
 CmdArgs.push_back(
 Args.MakeArgString(Twine("-fcf-protection=") + A->getValue()));
+ } else if (Triple.isOSOpenBSD() && Triple.getArch() == llvm::Triple::x86_64) {
+ // Emit IBT endbr64 instructions by default
+ CmdArgs.push_back("-fcf-protection=branch");
 }
 
 // Forward -f options with positive and negative forms; we translate these by
-- 
2.20.1
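Review bot: The new `else if` branch applies the `-fcf-protection=branch` default only when no `-fcf-protection=` argument is present, so any explicit value (for example `none`, or `return`) silently replaces it, and the one-line comment does not record that opt-out path. I would expand the comment to something like `// OpenBSD/amd64: default to -fcf-protection=branch (endbr64 landing pads); an explicit -fcf-protection= still wins.` so a later reader auditing hardening defaults can see the precedence without tracing `getLastArg`. The flag presumably only covers compiler-generated code, so hand-written assembly would still need its own `endbr64` markers before enforcement is turned on; that caveat belongs in the commit message or release notes rather than here. The diffstat shows no driver test accompanying the change; a check that the cc1 line carries `-fcf-protection=branch` for an x86_64 OpenBSD triple, and does not when `-fcf-protection=none` is given, would keep the default from regressing. `Clang::ConstructJob` begins and ends outside this hunk.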