
V2 [PATCH 24/24] Intel CET: Document --enable-cet

Message ID CAMe9rOonLGgUXaASnczrQtM8a0jkr3bdm770iYFEx4PeSyXHeA@mail.gmail.com

Commit Message

H.J. Lu July 18, 2018, 4:41 p.m. UTC
On Tue, Jul 17, 2018 at 10:46 PM, Rical Jasan <rj@2c3t.io> wrote:
> On 07/17/2018 08:19 PM, H.J. Lu wrote:
>> On Wed, Jun 13, 2018 at 8:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> ...
>>> diff --git a/NEWS b/NEWS
>>> index d51fa09544..e914336557 100644
>>> --- a/NEWS
>>> +++ b/NEWS
>>> @@ -9,6 +9,16 @@ Version 2.28
>>>
>>>  Major new features:
>>>
>>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>>> +  Intel Control-flow Enforcement Technology.  When the library is built
>>> +  with --enable-cet, the resulting glibc is protected with indirect
>>> +  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
>>> +  compatible with all existing executables and shared libraries.  This
>>> +  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
>>> +  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
>>> +  capable of multi-byte NOPs, like x86-64 processors as well as Intel
>>> +  Pentium Pro or newer.
>>> +
>>>  * <math.h> functions that round their results to a narrower type are added
>>>    from TS 18661-1:2014 and TS 18661-3:2015:
>>>
>>> diff --git a/manual/install.texi b/manual/install.texi
>>> index 4bbbfcffa5..62aec719d7 100644
>>> --- a/manual/install.texi
>>> +++ b/manual/install.texi
>>> @@ -137,6 +137,16 @@ with no-pie.  The resulting glibc can be used with the GCC option,
>>>  PIE.  This option also implies that glibc programs and tests are created
>>>  as dynamic position independent executables (PIE) by default.
>>>
>>> +@item --enable-cet
>>> +Enable Intel Control-flow Enforcement Technology (CET) support.  When
>>> +the library is built with --enable-cet, the resulting glibc is protected
>
> @option{--enable-cet} (else both dashes aren't preserved)

Fixed.

> @glibcadj{} wouldn't be right here because it's not an adjective, so it
> would be better to reword the sentence: "When @theglibc{} is built with
> @option{--enable-cet}, the resulting library ..."

Fixed.

>>> +with indirect branch tracking (IBT) and shadow stack (SHSTK)@.  CET-enabled
>>> +glibc is compatible with all existing executables and shared libraries.
>
> Similarly here; perhaps: "When CET is enabled, @theglibc{} ..."

Fixed.

>>> +This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
>>> +binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs capable
>
> Could reuse the same approach as above: "When CET is enabled,
> @theglibc{} ..."

Fixed.

>>> +of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
>>> +newer.
>>> +
>>>  @item --disable-profile
>>>  Don't build libraries with profiling information.  You may want to use
>>>  this option if you don't plan to do profiling.
>>> --
>>> 2.17.1
>>>
>>
>> PING.
>
> Note that I don't have the same objection to using "glibc" in the NEWS
> entry as I do to using it in the manual.
>

Here is the updated patch.  OK for trunk?

Thanks.

Comments

Rical Jasan July 18, 2018, 4:46 p.m. UTC | #1
On 07/18/2018 09:41 AM, H.J. Lu wrote:
> Here is the updated patch.  OK for trunk?

LGTM.

Thanks,
Rical
Carlos O'Donell July 18, 2018, 5:41 p.m. UTC | #2
On 07/18/2018 12:41 PM, H.J. Lu wrote:
> From 36bc8d9755edfee0b28d4dd400431d08600b399c Mon Sep 17 00:00:00 2001
> From: "H.J. Lu" <hjl.tools@gmail.com>
> Date: Wed, 9 May 2018 08:28:29 -0700
> Subject: [PATCH] Intel CET: Document --enable-cet
> 
> 	* NEWS: Mention --enable-cet.
> 	* manual/install.texi: Document --enable-cet.
> 	* INSTALL: Regenerated.

OK to install for 2.28.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

> ---
>  INSTALL             | 11 +++++++++++
>  NEWS                | 10 ++++++++++
>  manual/install.texi | 11 +++++++++++
>  3 files changed, 32 insertions(+)
> 
> diff --git a/INSTALL b/INSTALL
> index 3c656fb7a6..844aa0f34c 100644
> --- a/INSTALL
> +++ b/INSTALL
> @@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
>       programs and tests are created as dynamic position independent
>       executables (PIE) by default.
>  
> +'--enable-cet'
> +     Enable Intel Control-flow Enforcement Technology (CET) support.
> +     When the GNU C Library is built with '--enable-cet', the resulting
> +     library is protected with indirect branch tracking (IBT) and shadow
> +     stack (SHSTK).  When CET is enabled, the GNU C Library is
> +     compatible with all existing executables and shared libraries.
> +     This feature is currently supported on i386, x86_64 and x32 with
> +     GCC 8 and binutils 2.29 or later.  Note that when CET is enabled,
> +     the GNU C Library requires CPUs capable of multi-byte NOPs, like
> +     x86-64 processors as well as Intel Pentium Pro or newer.
> +
>  '--disable-profile'
>       Don't build libraries with profiling information.  You may want to
>       use this option if you don't plan to do profiling.
> diff --git a/NEWS b/NEWS
> index c2896a7d93..daef815ae7 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -9,6 +9,16 @@ Version 2.28
>  
>  Major new features:
>  
> +* The GNU C Library can now be compiled with support for Intel CET, AKA
> +  Intel Control-flow Enforcement Technology.  When the library is built
> +  with --enable-cet, the resulting glibc is protected with indirect
> +  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
> +  compatible with all existing executables and shared libraries.  This
> +  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
> +  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
> +  capable of multi-byte NOPs, like x86-64 processors as well as Intel
> +  Pentium Pro or newer.

OK.

> +
>  * The GNU C Library now has correct support for ABSOLUTE symbols
>    (SHN_ABS-relative symbols).  Previously such ABSOLUTE symbols were
>    relocated incorrectly or in some cases discarded.  The GNU linker can
> diff --git a/manual/install.texi b/manual/install.texi
> index 42e9954199..3a87ac8bb5 100644
> --- a/manual/install.texi
> +++ b/manual/install.texi
> @@ -137,6 +137,17 @@ with no-pie.  The resulting glibc can be used with the GCC option,
>  PIE.  This option also implies that glibc programs and tests are created
>  as dynamic position independent executables (PIE) by default.
>  
> +@item --enable-cet
> +Enable Intel Control-flow Enforcement Technology (CET) support.  When
> +@theglibc{} is built with @option{--enable-cet}, the resulting library
> +is protected with indirect branch tracking (IBT) and shadow stack
> +(SHSTK)@.  When CET is enabled, @theglibc{} is compatible with all
> +existing executables and shared libraries.  This feature is currently
> +supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later.
> +Note that when CET is enabled, @theglibc{} requires CPUs capable of
> +multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
> +newer.

OK.

> +
>  @item --disable-profile
>  Don't build libraries with profiling information.  You may want to use
>  this option if you don't plan to do profiling.
> -- 2.17.1

Patch

From 36bc8d9755edfee0b28d4dd400431d08600b399c Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 11 +++++++++++
 3 files changed, 32 insertions(+)

diff --git a/INSTALL b/INSTALL
index 3c656fb7a6..844aa0f34c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@  if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the GNU C Library is built with '--enable-cet', the resulting
+     library is protected with indirect branch tracking (IBT) and shadow
+     stack (SHSTK).  When CET is enabled, the GNU C Library is
+     compatible with all existing executables and shared libraries.
+     This feature is currently supported on i386, x86_64 and x32 with
+     GCC 8 and binutils 2.29 or later.  Note that when CET is enabled,
+     the GNU C Library requires CPUs capable of multi-byte NOPs, like
+     x86-64 processors as well as Intel Pentium Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
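Review bot: the new '--enable-cet' entry never says whether the option is off by default, nor what configure does when the toolchain is older than the GCC 8 and binutils 2.29 it names; the sentence "This feature is currently supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later" would be clearer as a requirement ("--enable-cet requires GCC 8 and binutils 2.29 or later") followed by a statement of whether configure rejects older tools or builds without CET. Since the commit message lists INSTALL as "Regenerated" from manual/install.texi, any wording change belongs in install.texi and should be regenerated here rather than edited by hand.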
diff --git a/NEWS b/NEWS
index c2896a7d93..daef815ae7 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@  Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * The GNU C Library now has correct support for ABSOLUTE symbols
   (SHN_ABS-relative symbols).  Previously such ABSOLUTE symbols were
   relocated incorrectly or in some cases discarded.  The GNU linker can
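Review bot: the NEWS entry's sentence "CET-enabled glibc is compatible with all existing executables and shared libraries" leaves open what happens to the protection: it should say whether IBT and SHSTK stay in force when an executable or shared library that was not built for CET is loaded, or whether compatibility means they run with the protection dropped, since readers of NEWS will take "compatible" as a security promise. As a style point, the first line names the feature twice ("Intel CET, AKA Intel Control-flow Enforcement Technology"); the install.texi hunk's "Intel Control-flow Enforcement Technology (CET)" form reads better and avoids the "AKA" abbreviation.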
diff --git a/manual/install.texi b/manual/install.texi
index 42e9954199..3a87ac8bb5 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,17 @@  with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+@theglibc{} is built with @option{--enable-cet}, the resulting library
+is protected with indirect branch tracking (IBT) and shadow stack
+(SHSTK)@.  When CET is enabled, @theglibc{} is compatible with all
+existing executables and shared libraries.  This feature is currently
+supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later.
+Note that when CET is enabled, @theglibc{} requires CPUs capable of
+multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
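Review bot: in "Note that when CET is enabled, @theglibc{} requires CPUs capable of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or newer" it is not clear whether the requirement is on the machine that builds the library or on every machine that runs it, and "like ... as well as" reads awkwardly; if the run-time machine is meant, "the resulting library runs only on CPUs that support multi-byte NOPs, such as x86-64 processors and Intel Pentium Pro or newer" says so directly. The rest of the Texinfo looks right: the bare "@item --enable-cet" matches the neighbouring "@item --disable-profile", and "(SHSTK)@." correctly marks the sentence end after a capital letter.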
-- 
2.17.1