On 02.05.2023 07:48, Olaf Hering wrote: > The next push to xen.git#staging will trigger a build failure in the > refreshed Leap docker image. > > For some reason HAS_CC_CET_IBT will evaluate to true. I think the significant > change is the binutils upgrade from 2.37 to 2.39 in November 2022. > > The comment indicates the combination of gcc7 and binutils 2.39 is supposed > to evaluate HAS_CC_CET_IBT to false.
How does 2.37 vs 2.39 matter? CET-IBT support is present in gas as of 2.29. IOW I think it all ought to be tied to gcc being 7.x when 9.x is the supposed minimum. Did you / could you check which of the three options (-fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern) is/are possibly recognized by the (likely also updated) gcc7 there? That may provide a hint at what's going wrong ... Jan
