From patchwork Mon May 14 19:45:47 2018
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 27263
Delivered-To: mailing list libc-alpha@sourceware.org
From: "H.J. Lu"
Date: Mon, 14 May 2018 12:45:47 -0700
Subject: Re: [PATCH 24/24] Intel CET: Document --enable-cet
To: Florian Weimer
Cc: Joseph Myers, GNU C Library, "Carlos O'Donell"

On Mon, May 14, 2018 at 10:44 AM, Florian Weimer wrote:
> On 05/09/2018 11:31 PM, H.J. Lu wrote:
>>
>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>> + Intel Control-flow Enforcement Technology. When the library is built
>> + with --enable-cet, the resulting glibc is protected with indirect
>> + branch tracking (IBT) and shadow stack (SHSTK). This feature is
>> + currently supported on i386, x86_64 and x32 with GCC 8 and binutils
>> + 2.29 or later.
>
>
> Both texts should say something about compatibility. AFAIK, an --enable-cet
> glibc supports all existing binaries, but requires CPUs which support long
> NOPs (so AMD Geode is out, for example).
>

Like this?

From 8a4e0709ee1c6c5d6c76b40966feebe3ad7e4c0a Mon Sep 17 00:00:00 2001
From: "H.J. Lu"
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..625e7b1673 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization. For example: programs and tests are created as dynamic position independent executables (PIE) by default. +'--enable-cet' + Enable Intel Control-flow Enforcement Technology (CET) support. + When the library is built with -enable-cet, the resulting glibc is + protected with indirect branch tracking (IBT) and shadow stack + (SHSTK). CET-enabled glibc is compatible with all existing + executables and shared libraries. This feature is currently + supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or + later. Note that CET-enabled glibc requires CPUs capable of + multi-byte NOPs, like x86-64 processors as well as Intel Pentium + Pro or newer. + '--disable-profile' Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling. diff --git a/NEWS b/NEWS index 5155c86318..8b23de4de8 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,16 @@ Version 2.28 Major new features: +* The GNU C Library can now be compiled with support for Intel CET, AKA + Intel Control-flow Enforcement Technology. When the library is built + with --enable-cet, the resulting glibc is protected with indirect + branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is + compatible with all existing executables and shared libraries. This + feature is currently supported on i386, x86_64 and x32 with GCC 8 and + binutils 2.29 or later. Note that CET-enabled glibc requires CPUs + capable of multi-byte NOPs, like x86-64 processors as well as Intel + Pentium Pro or newer. + * functions that round their results to a narrower type are added from TS 18661-1:2014 and TS 18661-3:2015: diff --git a/manual/install.texi b/manual/install.texi index 4bbbfcffa5..b2ee748673 100644 --- a/manual/install.texi +++ b/manual/install.texi 
@@ -137,6 +137,16 @@ with no-pie. The resulting glibc can be used with the GCC option, PIE. This option also implies that glibc programs and tests are created as dynamic position independent executables (PIE) by default. +@item --enable-cet +Enable Intel Control-flow Enforcement Technology (CET) support. When +the library is built with --enable-cet, the resulting glibc is protected +with indirect branch tracking (IBT) and shadow stack (SHSTK). CET-enabled +glibc is compatible with all existing executables and shared libraries. +This feature is currently supported on i386, x86_64 and x32 with GCC 8 and +binutils 2.29 or later. Note that CET-enabled glibc requires CPUs capable +of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or +newer. + @item --disable-profile Don't build libraries with profiling information. You may want to use this option if you don't plan to do profiling. -- 2.17.0
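Review bot: the INSTALL hunk reads "When the library is built with -enable-cet" with a single dash, while the same sentence in the NEWS and manual/install.texi hunks says "--enable-cet". INSTALL is regenerated from manual/install.texi, and makeinfo's plain-text output turns a bare "--" in running text into "-", so the texi hunk is what needs fixing: write the option as @option{--enable-cet} (or "-{}-enable-cet") in the body text, as the @item line is already rendered with both dashes ('--enable-cet'), then regenerate INSTALL.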
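Review bot: the NEWS hunk's new sentence "CET-enabled glibc is compatible with all existing executables and shared libraries" answers Florian's question only halfway: it does not say what compatibility means at run time, i.e. whether IBT and SHSTK stay active when a non-CET executable or shared library is loaded into the process, or are switched off for it. That is the detail a distribution maintainer reads this entry for, and one sentence would settle it. The last sentence could also say why multi-byte NOPs are the requirement: the CET instructions a CET-enabled compiler emits are encoded so that they execute as NOPs on processors without CET, which is what lets the library run on older hardware; as written, "requires CPUs capable of multi-byte NOPs" reads as an unexplained restriction.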
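The thread says what a --enable-cet build produces but not how to confirm that a built object actually carries the IBT and SHSTK markers. The following Python script is an added example, not code from the patch or from glibc: it reads the GNU_PROPERTY_X86_FEATURE_1_AND property from an object's .note.gnu.property note, which is where the x86 psABI records these two features and what a CET-aware loader inspects when deciding whether a process gets the protection. The two note blobs it checks are constructed inline; the ELF64-only file reader and the function names are this example's own choices.

```python
"""Report whether an x86 ELF object was built with IBT and SHSTK.

Added example, not code from the glibc patch above or from glibc itself.
The compiler and linker record the two features in the .note.gnu.property
note as GNU_PROPERTY_X86_FEATURE_1_AND (x86 psABI); this reads that note.
Only ELFCLASS64 files are handled by the file reader; the note parsers
take the padding size as a parameter, so they work for both classes.
"""
import struct

PT_NOTE = 4
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property(desc, pad=8):
    """Split a NT_GNU_PROPERTY_TYPE_0 descriptor into {pr_type: data}.

    Each entry is pr_type(4) pr_datasz(4) data, padded to 8 bytes on
    ELFCLASS64 and to 4 bytes on ELFCLASS32.
    """
    props = {}
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        props[pr_type] = desc[off:off + pr_datasz]
        off += _align(pr_datasz, pad)
    return props


def iter_notes(blob, align=4):
    """Yield (name, n_type, desc) for every note in a PT_NOTE segment.

    The descriptor starts at the segment alignment after the 12-byte
    header plus name, and the next note follows the padded descriptor.
    """
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, n_type = struct.unpack_from("<III", blob, off)
        name = blob[off + 12:off + 12 + namesz].rstrip(b"\0")
        desc_off = off + _align(12 + namesz, align)
        desc = blob[desc_off:desc_off + descsz]
        off = desc_off + _align(descsz, align)
        yield name, n_type, desc


def x86_feature_1(blob, align=8, pad=8):
    """Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask in `blob`, or None."""
    for name, n_type, desc in iter_notes(blob, align):
        if name == b"GNU" and n_type == NT_GNU_PROPERTY_TYPE_0:
            data = parse_gnu_property(desc, pad).get(GNU_PROPERTY_X86_FEATURE_1_AND)
            if data is not None and len(data) >= 4:
                return struct.unpack_from("<I", data)[0]
    return None


def cet_status(feature_bits):
    """Map the bitmask to the two markers the NEWS entry names."""
    bits = feature_bits or 0
    return {"ibt": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def elf_cet_status(path):
    """Walk the program headers of an ELF64 file and check its PT_NOTE segments."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELFCLASS64 file")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    bits = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _msz, p_align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            # Use the segment's own alignment for note padding: 8 for the
            # x86-64 property note, 4 for build-id and ABI-tag notes.
            found = x86_feature_1(data[p_offset:p_offset + p_filesz],
                                  align=max(p_align, 4))
            if found is not None:
                bits = found
    return cet_status(bits)


# Constructed sample notes (not taken from any real binary).
# A property note marking both IBT and SHSTK:
SAMPLE_CET_NOTE = (struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
                   + struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4,
                                 GNU_PROPERTY_X86_FEATURE_1_IBT
                                 | GNU_PROPERTY_X86_FEATURE_1_SHSTK, 0))
# A legacy object: only a build-id note (type 3), no property note at all.
SAMPLE_LEGACY_NOTE = struct.pack("<III", 4, 20, 3) + b"GNU\0" + bytes(range(20))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, elf_cet_status(path))
```

Run it as `python3 cetcheck.py /path/to/libc.so.6`; an object from a --enable-cet build reports both markers true, while an object built without -fcf-protection has no property note and reports both false, which is the case the "compatible with all existing executables and shared libraries" sentence covers.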