* H. J. Lu via Gcc-patches:

> When -fcf-protection=branch is used, the compiler will generate jump
> tables where the indirect jump is prefixed with the NOTRACK prefix, so
> it can jump to non-ENDBR targets. Yet, for NOTRACK prefixes to work, the
> NOTRACK-specific enable bit must be set, which renders the binary broken
> on any environment where this is not the case. In fact, having NOTRACK
> disabled was a design choice for the Linux kernel CET support.

Why isn't that a kernel bug? It doesn't match what is in the current
glibc sources.

> Generate jump tables with ENDBR and skip the NOTRACK prefix for indirect
> jumps. Document -mno-cet-switch to turn off CET instrumentation on jump
> tables for switch statements.

Of course, that is a slight regression in security hardening.

Quite frankly, I'm puzzled why the kernel decided to require these
additional ENDBR instructions.

Thanks,
Florian
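The two code shapes under discussion, as an added example that is not part of the thread and not GCC's own code: a byte scanner that tells a NOTRACK-prefixed jump-table dispatch (3E [REX] FF /4, which only works when the NOTRACK enable bit is set) apart from the patched form (a plain FF /4 jump whose case labels each start with an ENDBR landing pad). The instruction encodings are the standard x86-64 ones; the two byte strings are hand-assembled approximations of GCC's switch dispatch, constructed for the example, not compiler output. It is a linear scan, not a disassembler, so a 0x3E or 0xFF inside an immediate or displacement can be miscounted; on a real object, `objdump -d` and a search for "notrack" is the reliable check.

```c
/* Added example: classify IBT-relevant instructions in raw x86-64 code.
 *   endbr64 / endbr32           F3 0F 1E FA / F3 0F 1E FB
 *   notrack jmp/call *r/m       3E [REX] FF /4  or  3E [REX] FF /2
 *   plain   jmp/call *r/m          [REX] FF /4  or     [REX] FF /2
 * Not a disassembler: bytes inside immediates/displacements can mislead it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct cet_stats {
    size_t endbr;       /* ENDBR landing pads */
    size_t notrack_br;  /* indirect branches carrying the NOTRACK (3E) prefix */
    size_t tracked_br;  /* indirect branches that must land on ENDBR */
};

static int is_rex(uint8_t b) { return (b & 0xF0) == 0x40; }

/* FF with ModRM.reg == /2 (call) or /4 (jmp)? */
static int is_indirect_branch(const uint8_t *p, size_t n)
{
    if (n < 2 || p[0] != 0xFF)
        return 0;
    unsigned reg = (p[1] >> 3) & 7;
    return reg == 2 || reg == 4;
}

struct cet_stats scan_cet(const uint8_t *code, size_t len)
{
    struct cet_stats s = { 0, 0, 0 };
    for (size_t i = 0; i < len; i++) {
        const uint8_t *p = code + i;
        size_t rem = len - i;
        if (rem >= 4 && p[0] == 0xF3 && p[1] == 0x0F && p[2] == 0x1E &&
            (p[3] == 0xFA || p[3] == 0xFB)) {
            s.endbr++; i += 3; continue;
        }
        if (p[0] == 0x3E) {                  /* NOTRACK reuses the DS override byte */
            size_t k = 1;
            if (rem > k && is_rex(p[k])) k++;
            if (is_indirect_branch(p + k, rem - k)) {
                s.notrack_br++; i += k + 1; continue;   /* skip prefix(es)+FF+ModRM */
            }
        }
        if (is_indirect_branch(p, rem)) {
            s.tracked_br++; i += 1; continue;
        }
    }
    return s;
}

/* 1 if the code can only run under IBT when the NOTRACK enable bit is set. */
int needs_notrack_enable(const uint8_t *code, size_t len)
{
    return scan_cet(code, len).notrack_br > 0;
}

/* Constructed sample: pre-patch dispatch, NOTRACK jump, no ENDBR at cases. */
const uint8_t notrack_switch[] = {
    0xF3,0x0F,0x1E,0xFA,                    /* endbr64 (function entry) */
    0x83,0xFF,0x03,                         /* cmp    $3,%edi           */
    0x77,0x12,                              /* ja     .Ldefault         */
    0x89,0xFF,                              /* mov    %edi,%edi         */
    0x48,0x8D,0x15,0x00,0x00,0x00,0x00,     /* lea    .Ltable(%rip),%rdx */
    0x48,0x63,0x04,0xBA,                    /* movslq (%rdx,%rdi,4),%rax */
    0x48,0x01,0xD0,                         /* add    %rdx,%rax         */
    0x3E,0xFF,0xE0,                         /* notrack jmp *%rax        */
};

/* Constructed sample: patched dispatch, tracked jump, ENDBR at each case. */
const uint8_t endbr_switch[] = {
    0xF3,0x0F,0x1E,0xFA, 0x83,0xFF,0x03, 0x77,0x12, 0x89,0xFF,
    0x48,0x8D,0x15,0x00,0x00,0x00,0x00, 0x48,0x63,0x04,0xBA, 0x48,0x01,0xD0,
    0xFF,0xE0,                              /* jmp *%rax (IBT-tracked)  */
    0xF3,0x0F,0x1E,0xFA, 0xB8,0x01,0x00,0x00,0x00, 0xC3,  /* .L1: endbr64; mov $1,%eax; ret */
    0xF3,0x0F,0x1E,0xFA, 0xB8,0x02,0x00,0x00,0x00, 0xC3,  /* .L2: endbr64; mov $2,%eax; ret */
};

static void report(const char *name, const uint8_t *code, size_t len)
{
    struct cet_stats s = scan_cet(code, len);
    printf("%s: endbr=%zu notrack=%zu tracked=%zu -> %s\n", name, s.endbr,
           s.notrack_br, s.tracked_br,
           needs_notrack_enable(code, len) ? "needs NOTRACK enable bit" : "ok without NOTRACK");
}

int main(void)
{
    report("notrack_switch", notrack_switch, sizeof notrack_switch);
    report("endbr_switch", endbr_switch, sizeof endbr_switch);
    return 0;
}
```

The first sample is the binary the quoted patch description calls broken on a kernel that leaves NOTRACK disabled; the second is what the patch generates instead, at the cost of one ENDBR per case label. The 0xFF bytes inside `cmp $3,%edi` and `mov %edi,%edi` are deliberately present to show that the ModRM.reg check avoids the obvious false positives, though not all of them.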