Patchwork [24/24] Intel CET: Document --enable-cet

Submitter H.J. Lu
Date June 13, 2018, 3:32 p.m.
Message ID <20180613153207.57232-25-hjl.tools@gmail.com>
Permalink /patch/27783/
State New

Comments

H.J. Lu - June 13, 2018, 3:32 p.m.
	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 10 ++++++++++
 3 files changed, 31 insertions(+)

Patch

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..5e6d80480b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@  if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK).  CET-enabled glibc is compatible with all existing
+     executables and shared libraries.  This feature is currently
+     supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or
+     later.  Note that CET-enabled glibc requires CPUs capable of
+     multi-byte NOPs, like x86-64 processors as well as Intel Pentium
+     Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
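Review bot: the regenerated text reads "When the library is built with -enable-cet" (single dash) while the option heading two lines above is '--enable-cet'; this is what makeinfo produces for an unprotected "--" in running text, so the fix belongs in manual/install.texi (wrap the option in the body text as @option{--enable-cet}) followed by a fresh regeneration, not a hand edit of INSTALL, which the commit message already describes as regenerated.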
diff --git a/NEWS b/NEWS
index d51fa09544..e914336557 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@  Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
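Review bot: the entry states that the resulting glibc "is protected with indirect branch tracking (IBT) and shadow stack (SHSTK)" and, in the same paragraph, that it only "requires CPUs capable of multi-byte NOPs"; as written a reader can conclude the protection is active on a Pentium Pro. Suggest separating the two statements: the library is built with the CET instrumentation and markings, and IBT/SHSTK are enforced only on a processor and kernel that support CET, while on older CPUs the inserted instructions execute as multi-byte NOPs (which is why that is the minimum requirement). Minor style: "Intel CET, AKA Intel Control-flow Enforcement Technology" reads better as "Intel Control-flow Enforcement Technology (CET)", matching the INSTALL and install.texi wording.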
 
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..62aec719d7 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,16 @@  with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK)@.  CET-enabled
+glibc is compatible with all existing executables and shared libraries.
+This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs capable
+of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
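Review bot: in the body text "the library is built with --enable-cet" the "--" is unprotected, so makeinfo collapses it to a single dash in the plaintext INSTALL (the INSTALL hunk in this same patch shows "-enable-cet"); write it as @option{--enable-cet} (the @item line is fine as is) and regenerate INSTALL. Also suggest tightening "like x86-64 processors as well as Intel Pentium Pro or newer" to "that is, x86-64 processors and, for 32-bit, Intel Pentium Pro or newer", since multi-byte NOP is part of the x86-64 baseline and the comparison only matters for i386 builds.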