[24/24] Intel CET: Document --enable-cet

Message ID CAMe9rOozenqLwj6okaGYMvUmf6qDxwhtxOZo_OTawyk+DscBNQ@mail.gmail.com
State New
Series
  • Untitled series #43551

Commit Message

H.J. Lu May 9, 2018, 9:31 p.m.
On Tue, May 8, 2018 at 2:03 PM, Joseph Myers <joseph@codesourcery.com> wrote:
> On Tue, 8 May 2018, H.J. Lu wrote:
>
>>       * configure.ac: Add --enable-cet.
>
> A new configure option needs documenting in install.texi, with INSTALL
> regenerated.  I'd also expect such a new feature to have a NEWS entry
> added somewhere in the patch series.
>

Here is a separate patch for them.

Comments

Florian Weimer May 14, 2018, 5:44 p.m. | #1
On 05/09/2018 11:31 PM, H.J. Lu wrote:
> +* The GNU C Library can now be compiled with support for Intel CET, AKA
> +  Intel Control-flow Enforcement Technology.  When the library is built
> +  with --enable-cet, the resulting glibc is protected with indirect
> +  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
> +  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
> +  2.29 or later.

Both texts should say something about compatibility.  AFAIK, an 
--enable-cet glibc supports all existing binaries, but requires CPUs 
which support long NOPs (so AMD Geode is out, for example).

Thanks,
Florian
H.J. Lu May 14, 2018, 7:45 p.m. | #2
On Mon, May 14, 2018 at 10:44 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/09/2018 11:31 PM, H.J. Lu wrote:
>>
>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>> +  Intel Control-flow Enforcement Technology.  When the library is built
>> +  with --enable-cet, the resulting glibc is protected with indirect
>> +  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
>> +  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
>> +  2.29 or later.
>
>
> Both texts should say something about compatibility.  AFAIK, an --enable-cet
> glibc supports all existing binaries, but requires CPUs which support long
> NOPs (so AMD Geode is out, for example).
>

Like this?
Florian Weimer May 14, 2018, 7:48 p.m. | #3
On 05/14/2018 09:45 PM, H.J. Lu wrote:
> Like this?

Looks good, with one nit:

> +     (SHSTK). CET-enabled glibc is compatible with all existing

Missing space after period.

> +with indirect branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled

You need to write “(SHSTK)@.” to add the missing space.

Thanks,
Florian
H.J. Lu May 14, 2018, 11:15 p.m. | #4
On Mon, May 14, 2018 at 12:48 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/14/2018 09:45 PM, H.J. Lu wrote:
>>
>> Like this?
>
>
> Looks good, with one nit:
>
>> +     (SHSTK). CET-enabled glibc is compatible with all existing
>
>
> Missing space after period.
>
>> +with indirect branch tracking (IBT) and shadow stack (SHSTK).
>> CET-enabled
>
>
> You need to write “(SHSTK)@.” to add the missing space.
>

Thanks for the tip.  Here is the updated patch.
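The compatibility point raised in the comments above rests on a marker in the object file rather than on the code itself: GCC and binutils record IBT and SHSTK support in a `.note.gnu.property` note (the GNU_PROPERTY_X86_FEATURE_1_AND property), the linker ANDs that property across all input objects, and glibc's dynamic loader consults it at run time, so an object without the marker runs as before. The script below is an added editorial example, not code from this patch series or from glibc; it parses that note so you can confirm that a `--enable-cet` build actually carries both flags without depending on readelf. The constants are the values from `<elf.h>`; the sample notes are constructed inline, and `find_property_note` handles little-endian ELF64 only.

```python
"""Check whether an x86-64 ELF object carries the GNU property note that marks
it as built for Intel CET (IBT and/or SHSTK)."""
import struct
import sys

# Values from <elf.h> / binutils.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    """Round n up to a multiple of a (a is a power of two)."""
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(data, align=8):
    """Walk the bytes of a .note.gnu.property section and return the
    GNU_PROPERTY_X86_FEATURE_1_AND bitmask, or None if the property is absent.
    align is 8 for ELF64 and 4 for ELF32; both the note name and the
    descriptor entries are padded to it."""
    off = 0
    feature_1_and = None
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off = _align(off + namesz, align)
        desc = data[off:off + descsz]
        off = _align(off + descsz, align)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        # desc is a sequence of (pr_type, pr_datasz, pr_data, padding) entries.
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            pr_data = desc[p:p + pr_datasz]
            p = _align(p + pr_datasz, align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                feature_1_and = struct.unpack("<I", pr_data)[0]
    return feature_1_and


def cet_status(feature_1_and):
    """Translate the bitmask into the two features --enable-cet documents."""
    if feature_1_and is None:
        return {"ibt": False, "shstk": False, "marked": False}
    return {
        "ibt": bool(feature_1_and & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk": bool(feature_1_and & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
        "marked": True,
    }


def find_property_note(path):
    """Return the raw bytes of .note.gnu.property from a little-endian ELF64
    file, or None if the section does not exist."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]          # sh_offset of .shstrtab
    for sh in shdrs:
        name_off = strtab_off + sh[0]          # sh_name is an offset into .shstrtab
        name = elf[name_off:elf.index(b"\0", name_off)]
        if name == b".note.gnu.property":
            return elf[sh[4]:sh[4] + sh[5]]    # sh_offset .. sh_offset + sh_size
    return None


def describe(path):
    """CET status of an ELF64 file on disk."""
    note = find_property_note(path)
    return cet_status(None if note is None else parse_gnu_property_note(note, 8))


# Constructed sample notes (layout as binutils emits it for x86-64):
# one with IBT|SHSTK, one with IBT only, one GNU note of another type.
SAMPLE_NOTE_CET = (
    struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
    + struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4,
                  GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK, 0)
)
SAMPLE_NOTE_IBT_ONLY = (
    struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
    + struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4,
                  GNU_PROPERTY_X86_FEATURE_1_IBT, 0)
)
SAMPLE_NOTE_PLAIN = struct.pack("<III", 4, 8, 3) + b"GNU\0" + bytes(8)

if __name__ == "__main__":
    for arg in sys.argv[1:] or []:
        print(arg, describe(arg))
```

Run it as `python3 cet_note.py /path/to/libc.so.6`; a glibc built with `--enable-cet` on a CET-capable toolchain should report `ibt` and `shstk` both true, while a plain build reports `marked` false. Because the linker ANDs the property, a single non-CET object linked into a library clears the bits for the whole output, which is why checking the final shared object rather than individual .o files is the meaningful test.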

Patch

From 86e85fcd5ca2a2f58b232f83dbbae93c8c6a0812 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH 24/24] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 7 +++++++
 NEWS                | 7 +++++++
 manual/install.texi | 7 +++++++
 3 files changed, 21 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..8782c9607c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,13 @@  if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK). This feature is currently supported on i386, x86_64 and
+     x32 with GCC 8 and binutils 2.29 or later.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
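Review bot: the second line of the new '--enable-cet' entry reads "built with -enable-cet" with a single dash, because makeinfo collapses an unquoted "--" in install.texi body text when it generates INSTALL; mark the option up as @option{--enable-cet} in install.texi and regenerate so the rendered text matches the '--enable-cet' heading. The same line's "(SHSTK). This" has also lost the second space after the period, which is the "(SHSTK)@." nit raised in the comments above.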
diff --git a/NEWS b/NEWS
index 5155c86318..7ed475dc4b 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,13 @@  Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
+  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
+  2.29 or later.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
 
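Review bot: the NEWS entry says nothing about compatibility, which the review above asked for; add that a CET-enabled glibc still supports all existing binaries but requires CPUs which support long NOPs. The opening "Intel CET, AKA Intel Control-flow Enforcement Technology" would also read better as "Intel Control-flow Enforcement Technology (CET)", matching the wording in install.texi.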
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..e8f1bbdb0a 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,13 @@  with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK).  This
+feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
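Review bot: in the @item --enable-cet body, "built with --enable-cet" is plain text, so Texinfo renders the double dash as a single one in the generated INSTALL (visible in the INSTALL hunk as "-enable-cet"); write @option{--enable-cet}. In the same paragraph "(SHSTK).  This" needs "(SHSTK)@." for Texinfo to emit sentence-ending spacing, as noted in the comments, and the paragraph should carry the compatibility statement requested there.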
-- 
2.17.0