Message ID | CAMe9rOozenqLwj6okaGYMvUmf6qDxwhtxOZo_OTawyk+DscBNQ@mail.gmail.com |
---|---|
State | New |
Series | None |
On 05/09/2018 11:31 PM, H.J. Lu wrote:
> +* The GNU C Library can now be compiled with support for Intel CET, AKA
> + Intel Control-flow Enforcement Technology. When the library is built
> + with --enable-cet, the resulting glibc is protected with indirect
> + branch tracking (IBT) and shadow stack (SHSTK). This feature is
> + currently supported on i386, x86_64 and x32 with GCC 8 and binutils
> + 2.29 or later.

Both texts should say something about compatibility. AFAIK, an --enable-cet glibc supports all existing binaries, but requires CPUs which support long NOPs (so AMD Geode is out, for example).

Thanks,
Florian

On Mon, May 14, 2018 at 10:44 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/09/2018 11:31 PM, H.J. Lu wrote:
>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>> + Intel Control-flow Enforcement Technology. When the library is built
>> + with --enable-cet, the resulting glibc is protected with indirect
>> + branch tracking (IBT) and shadow stack (SHSTK). This feature is
>> + currently supported on i386, x86_64 and x32 with GCC 8 and binutils
>> + 2.29 or later.
>
> Both texts should say something about compatibility. AFAIK, an --enable-cet
> glibc supports all existing binaries, but requires CPUs which support long
> NOPs (so AMD Geode is out, for example).

Like this?

On 05/14/2018 09:45 PM, H.J. Lu wrote:
> Like this?

Looks good, with one nit:

> + (SHSTK). CET-enabled glibc is compatible with all existing

Missing space after period.

> +with indirect branch tracking (IBT) and shadow stack (SHSTK). CET-enabled

You need to write “(SHSTK)@.” to add the missing space.

Thanks,
Florian

On Mon, May 14, 2018 at 12:48 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/14/2018 09:45 PM, H.J. Lu wrote:
>> Like this?
>
> Looks good, with one nit:
>
>> + (SHSTK). CET-enabled glibc is compatible with all existing
>
> Missing space after period.
>
>> +with indirect branch tracking (IBT) and shadow stack (SHSTK).
>> CET-enabled
>
> You need to write “(SHSTK)@.” to add the missing space.

Thanks for the tip. Here is the updated patch.

From 86e85fcd5ca2a2f58b232f83dbbae93c8c6a0812 Mon Sep 17 00:00:00 2001 From: "H.J. Lu" <hjl.tools@gmail.com> Date: Wed, 9 May 2018 08:28:29 -0700 Subject: [PATCH 24/24] Intel CET: Document --enable-cet * NEWS: Mention --enable-cet. * manual/install.texi: Document --enable-cet. * INSTALL: Regenerated. --- INSTALL | 7 +++++++ NEWS | 7 +++++++ manual/install.texi | 7 +++++++ 3 files changed, 21 insertions(+) diff --git a/INSTALL b/INSTALL index 052b1b6f89..8782c9607c 100644 --- a/INSTALL +++ b/INSTALL @@ -106,6 +106,13 @@ if 'CFLAGS' is specified it must enable optimization. For example: programs and tests are created as dynamic position independent executables (PIE) by default. +'--enable-cet' + Enable Intel Control-flow Enforcement Technology (CET) support. + When the library is built with -enable-cet, the resulting glibc is + protected with indirect branch tracking (IBT) and shadow stack + (SHSTK). This feature is currently supported on i386, x86_64 and + x32 with GCC 8 and binutils 2.29 or later. + '--disable-profile' Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling. diff --git a/NEWS b/NEWS index 5155c86318..7ed475dc4b 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,13 @@ Version 2.28 Major new features: +* The GNU C Library can now be compiled with support for Intel CET, AKA + Intel Control-flow Enforcement Technology. When the library is built + with --enable-cet, the resulting glibc is protected with indirect + branch tracking (IBT) and shadow stack (SHSTK). This feature is + currently supported on i386, x86_64 and x32 with GCC 8 and binutils + 2.29 or later. + * <math.h> functions that round their results to a narrower type are added from TS 18661-1:2014 and TS 18661-3:2015: diff --git a/manual/install.texi b/manual/install.texi index 4bbbfcffa5..e8f1bbdb0a 100644 --- a/manual/install.texi +++ b/manual/install.texi 
@@ -137,6 +137,13 @@ with no-pie. The resulting glibc can be used with the GCC option, PIE. This option also implies that glibc programs and tests are created as dynamic position independent executables (PIE) by default. +@item --enable-cet +Enable Intel Control-flow Enforcement Technology (CET) support. When +the library is built with --enable-cet, the resulting glibc is protected +with indirect branch tracking (IBT) and shadow stack (SHSTK). This +feature is currently supported on i386, x86_64 and x32 with GCC 8 and +binutils 2.29 or later. + @item --disable-profile Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling. -- 2.17.0
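Review bot: in the INSTALL hunk the body text reads "When the library is built with -enable-cet" with a single dash, while the entry line of the same hunk reads '--enable-cet'. INSTALL is regenerated from manual/install.texi, and the single dash is what a bare "--" in Texinfo body text becomes in Info output; the entry line survives because @table entries are typeset as options. The fix belongs in install.texi (mark the option as `@option{--enable-cet}` in the sentence) followed by regenerating INSTALL, so this hunk should not be hand-edited.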
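Review bot: the NEWS hunk still carries only the feature description and does not contain the compatibility sentence discussed earlier in this thread ("CET-enabled glibc is compatible with all existing ..."), even though the message introducing this patch calls it the updated version; the reviewer asked that both texts state that an --enable-cet glibc supports existing binaries but requires CPUs that execute long NOPs. Please add that sentence to this hunk. As a style point, "Intel CET, AKA Intel Control-flow Enforcement Technology" reads informally for NEWS; "Intel CET (Control-flow Enforcement Technology)" would match the surrounding entries.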
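Review bot: in the manual/install.texi hunk the sentence "When the library is built with --enable-cet, the resulting glibc is protected" uses a bare "--enable-cet"; in Texinfo body text the double dash is collapsed in Info output, which is visible in the regenerated INSTALL hunk of this same patch as "-enable-cet". Write it as `@option{--enable-cet}`. When the compatibility sentence from this thread is added after "(SHSTK).", spell the period as "(SHSTK)@." as the reviewer noted, so that makeinfo keeps the sentence-ending space after the closing parenthesis.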
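The NEWS entry under discussion says that a glibc built with --enable-cet is "protected with indirect branch tracking (IBT) and shadow stack (SHSTK)". The way a CET-aware toolchain (binutils 2.29 or later, as the entry states) records this is a `.note.gnu.property` section carrying a `GNU_PROPERTY_X86_FEATURE_1_AND` property whose IBT and SHSTK bits are set, and that note is what a practitioner inspects to confirm that the resulting libc.so and the objects linked against it actually carry the markers (`readelf -n` prints the same information under "x86 feature:"). The script below is an added example written for this page, not glibc or binutils code; the constants are those of <elf.h>, the note and ELF images it builds are constructed test data, and the helper names (`parse_property_note`, `elf_cet_features`, `build_property_note`, `build_minimal_elf64`) are this example's own.

```python
"""Check an ELF object for the CET markers (IBT, SHSTK) that a CET-enabled
toolchain records in .note.gnu.property.

Added, illustrative code; not part of glibc or binutils.  Constants follow
<elf.h>.  The note/ELF builders at the bottom produce constructed sample
data so the script runs offline; pass a real file path to inspect it.
"""
import struct
import sys

# From <elf.h>
SHT_NOTE = 7
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_property_note(data, elfclass=64):
    """Walk the notes in a SHT_NOTE section and return the bitmask of the first
    GNU_PROPERTY_X86_FEATURE_1_AND property, or 0 if there is none.
    Property data is padded to 8 bytes on ELF64 and 4 bytes on ELF32."""
    pad = 8 if elfclass == 64 else 4
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)
        desc = data[off:off + descsz]
        off += _align(descsz, 4)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", desc, p)[0]
            p += _align(pr_datasz, pad)
    return 0


def cet_features(mask):
    """Translate the feature bitmask into the names readelf would print."""
    names = []
    if mask & GNU_PROPERTY_X86_FEATURE_1_IBT:
        names.append("IBT")
    if mask & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
        names.append("SHSTK")
    return names


def elf_note_sections(blob):
    """Yield (elfclass, section bytes) for every SHT_NOTE section of a
    little-endian ELF image, using the section header table."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[5] != 1:
        raise ValueError("big-endian ELF not handled by this example")
    elfclass = 64 if blob[4] == 2 else 32
    if elfclass == 64:
        e_shoff, = struct.unpack_from("<Q", blob, 0x28)
        e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x3A)
    else:
        e_shoff, = struct.unpack_from("<I", blob, 0x20)
        e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x2E)
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", blob, sh + 4)
        if elfclass == 64:
            sh_offset, sh_size = struct.unpack_from("<QQ", blob, sh + 0x18)
        else:
            sh_offset, sh_size = struct.unpack_from("<II", blob, sh + 0x10)
        if sh_type == SHT_NOTE:
            yield elfclass, blob[sh_offset:sh_offset + sh_size]


def elf_cet_features(blob):
    """Return ['IBT', 'SHSTK'] (or a subset) for an ELF image; [] if unmarked."""
    for elfclass, note in elf_note_sections(blob):
        mask = parse_property_note(note, elfclass)
        if mask:
            return cet_features(mask)
    return []


def build_property_note(mask, elfclass=64):
    """Constructed sample: a .note.gnu.property blob with one x86 feature property."""
    pad = 8 if elfclass == 64 else 4
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, mask)
    prop += b"\0" * (_align(len(prop), pad) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def build_minimal_elf64(note):
    """Constructed sample: a skeletal ELF64 image (not loadable) whose section
    table holds a null section and one SHT_NOTE section containing `note`."""
    ehdr_size = shdr_size = 64
    note_off = ehdr_size
    shoff = _align(note_off + len(note), 8)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0,
                          ehdr_size, 0, 0, shdr_size, 2, 0))
    body = ehdr + note
    body += b"\0" * (shoff - len(body))
    note_shdr = struct.pack("<IIQQQQIIQQ", 1, SHT_NOTE, 2, 0, note_off, len(note), 0, 0, 8, 0)
    return body + b"\0" * shdr_size + note_shdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], elf_cet_features(f.read()) or "no CET markers")
    else:
        sample = build_minimal_elf64(build_property_note(
            GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK))
        print("constructed sample:", elf_cet_features(sample))
```

Run with no arguments it checks its own constructed sample; run as `python3 cet_check.py /path/to/libc.so.6` it reports which markers a real object carries. An object without the property, or with only one of the two bits, is the thing to look for when auditing a build, because a CET-enabled loader can only turn on a feature that every object in the process carries.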