From patchwork Wed Jun 13 15:32:07 2018
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 928920
From: "H.J. Lu"
To: libc-alpha@sourceware.org
Subject: [PATCH 24/24] Intel CET: Document --enable-cet
Date: Wed, 13 Jun 2018 08:32:07 -0700
Message-Id: <20180613153207.57232-25-hjl.tools@gmail.com>
In-Reply-To: <20180613153207.57232-1-hjl.tools@gmail.com>
References: <20180613153207.57232-1-hjl.tools@gmail.com>

* NEWS: Mention --enable-cet.
* manual/install.texi: Document --enable-cet.
* INSTALL: Regenerated.
--- INSTALL | 11 +++++++++++ NEWS | 10 ++++++++++ manual/install.texi | 10 ++++++++++ 3 files changed, 31 insertions(+) diff --git a/INSTALL b/INSTALL index 052b1b6f89..5e6d80480b 100644 --- a/INSTALL +++ b/INSTALL 
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization. For example: programs and tests are created as dynamic position independent executables (PIE) by default. +'--enable-cet' + Enable Intel Control-flow Enforcement Technology (CET) support. + When the library is built with -enable-cet, the resulting glibc is + protected with indirect branch tracking (IBT) and shadow stack + (SHSTK). CET-enabled glibc is compatible with all existing + executables and shared libraries. This feature is currently + supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or + later. Note that CET-enabled glibc requires CPUs capable of + multi-byte NOPs, like x86-64 processors as well as Intel Pentium + Pro or newer. + '--disable-profile' Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling. diff --git a/NEWS b/NEWS index d51fa09544..e914336557 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,16 @@ Version 2.28 Major new features: +* The GNU C Library can now be compiled with support for Intel CET, AKA + Intel Control-flow Enforcement Technology. When the library is built + with --enable-cet, the resulting glibc is protected with indirect + branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is + compatible with all existing executables and shared libraries. This + feature is currently supported on i386, x86_64 and x32 with GCC 8 and + binutils 2.29 or later. Note that CET-enabled glibc requires CPUs + capable of multi-byte NOPs, like x86-64 processors as well as Intel + Pentium Pro or newer. + * functions that round their results to a narrower type are added from TS 18661-1:2014 and TS 18661-3:2015: diff --git a/manual/install.texi b/manual/install.texi index 4bbbfcffa5..62aec719d7 100644 --- a/manual/install.texi +++ b/manual/install.texi 
@@ -137,6 +137,16 @@ with no-pie. The resulting glibc can be used with the GCC option, PIE. This option also implies that glibc programs and tests are created as dynamic position independent executables (PIE) by default. +@item --enable-cet +Enable Intel Control-flow Enforcement Technology (CET) support. When +the library is built with --enable-cet, the resulting glibc is protected +with indirect branch tracking (IBT) and shadow stack (SHSTK)@. CET-enabled +glibc is compatible with all existing executables and shared libraries. +This feature is currently supported on i386, x86_64 and x32 with GCC 8 and +binutils 2.29 or later. Note that CET-enabled glibc requires CPUs capable +of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or +newer. + @item --disable-profile Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling.
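
Review bot: In the INSTALL hunk, the second sentence of the new entry reads "built with -enable-cet", with a single hyphen, while the item heading just above it and the NEWS text both spell the option "--enable-cet". Someone copying the option from the sentence gets a string that is not the documented flag. INSTALL is listed as regenerated, so the correction belongs in manual/install.texi: mark the option up in running text, for example as @option{--enable-cet}, so the double hyphen survives conversion, then regenerate INSTALL.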
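
Review bot: In the NEWS hunk, "the resulting glibc is protected with indirect branch tracking (IBT) and shadow stack (SHSTK)" followed directly by "compatible with all existing executables and shared libraries" leaves it unclear whether IBT and SHSTK stay enforced in a process that loads an executable or library built without CET support. Distributors reading the release notes will take "protected" as a runtime guarantee. Suggest one more sentence stating under which conditions enforcement is actually active, and what happens to it when a non-CET object is loaded. The entry also does not say whether the option is on or off by default, which is worth stating in the release notes.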
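
Review bot: In the manual/install.texi hunk, the closing sentence "CET-enabled glibc requires CPUs capable of multi-byte NOPs" states a requirement but not the consequence of missing it. The same paragraph lists i386 as a supported target, so the text should say what a library configured with --enable-cet does on a 32-bit CPU older than the Pentium Pro (for instance, that it cannot be run there), so that packagers targeting older i386 hardware know to leave the option off. It would also help to say how configure behaves when GCC is older than 8 or binutils is older than 2.29, since the paragraph names those versions as the minimum but does not say whether the build is rejected or the option is ignored.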