This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: V2 [PATCH 24/24] Intel CET: Document --enable-cet
- From: Carlos O'Donell <carlos at redhat dot com>
- To: "H.J. Lu" <hjl dot tools at gmail dot com>, Rical Jasan <rj at 2c3t dot io>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>
- Date: Wed, 18 Jul 2018 13:41:12 -0400
- Subject: Re: V2 [PATCH 24/24] Intel CET: Document --enable-cet
- References: <CAMe9rOonLGgUXaASnczrQtM8a0jkr3bdm770iYFEx4PeSyXHeA@mail.gmail.com>
On 07/18/2018 12:41 PM, H.J. Lu wrote:
> From 36bc8d9755edfee0b28d4dd400431d08600b399c Mon Sep 17 00:00:00 2001
> From: "H.J. Lu" <hjl.tools@gmail.com>
> Date: Wed, 9 May 2018 08:28:29 -0700
> Subject: [PATCH] Intel CET: Document --enable-cet
>
> * NEWS: Mention --enable-cet.
> * manual/install.texi: Document --enable-cet.
> * INSTALL: Regenerated.
OK to install for 2.28.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> ---
> INSTALL | 11 +++++++++++
> NEWS | 10 ++++++++++
> manual/install.texi | 11 +++++++++++
> 3 files changed, 32 insertions(+)
>
> diff --git a/INSTALL b/INSTALL
> index 3c656fb7a6..844aa0f34c 100644
> --- a/INSTALL
> +++ b/INSTALL
> @@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization. For example:
> programs and tests are created as dynamic position independent
> executables (PIE) by default.
>
> +'--enable-cet'
> + Enable Intel Control-flow Enforcement Technology (CET) support.
> + When the GNU C Library is built with '--enable-cet', the resulting
> + library is protected with indirect branch tracking (IBT) and shadow
> + stack (SHSTK). When CET is enabled, the GNU C Library is
> + compatible with all existing executables and shared libraries.
> + This feature is currently supported on i386, x86_64 and x32 with
> + GCC 8 and binutils 2.29 or later. Note that when CET is enabled,
> + the GNU C Library requires CPUs capable of multi-byte NOPs, like
> + x86-64 processors as well as Intel Pentium Pro or newer.
> +
> '--disable-profile'
> Don't build libraries with profiling information. You may want to
> use this option if you don't plan to do profiling.
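Review bot: in the added '--enable-cet' entry, the sentence "When CET is enabled, the GNU C Library is compatible with all existing executables and shared libraries" does not say what protection a process gets when one of those existing objects was not built for CET, so a reader can take "the resulting library is protected with indirect branch tracking (IBT) and shadow stack (SHSTK)" to mean enforcement is always active. Suggest adding one sentence that states whether IBT and SHSTK remain in effect in that case. Since the commit message lists INSTALL as regenerated, the wording change belongs in manual/install.texi, with INSTALL regenerated afterwards.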
> diff --git a/NEWS b/NEWS
> index c2896a7d93..daef815ae7 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -9,6 +9,16 @@ Version 2.28
>
> Major new features:
>
> +* The GNU C Library can now be compiled with support for Intel CET, AKA
> + Intel Control-flow Enforcement Technology. When the library is built
> + with --enable-cet, the resulting glibc is protected with indirect
> + branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is
> + compatible with all existing executables and shared libraries. This
> + feature is currently supported on i386, x86_64 and x32 with GCC 8 and
> + binutils 2.29 or later. Note that CET-enabled glibc requires CPUs
> + capable of multi-byte NOPs, like x86-64 processors as well as Intel
> + Pentium Pro or newer.
OK.
> +
> * The GNU C Library now has correct support for ABSOLUTE symbols
> (SHN_ABS-relative symbols). Previously such ABSOLUTE symbols were
> relocated incorrectly or in some cases discarded. The GNU linker can
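Review bot: the first line of the added NEWS entry introduces the feature as "Intel CET, AKA Intel Control-flow Enforcement Technology", while the INSTALL and manual/install.texi text in the same patch spell the name out first and give the abbreviation in parentheses. Suggest "support for Intel Control-flow Enforcement Technology (CET)" here so the three files use the same form and the informal "AKA" is dropped.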
> diff --git a/manual/install.texi b/manual/install.texi
> index 42e9954199..3a87ac8bb5 100644
> --- a/manual/install.texi
> +++ b/manual/install.texi
> @@ -137,6 +137,17 @@ with no-pie. The resulting glibc can be used with the GCC option,
> PIE. This option also implies that glibc programs and tests are created
> as dynamic position independent executables (PIE) by default.
>
> +@item --enable-cet
> +Enable Intel Control-flow Enforcement Technology (CET) support. When
> +@theglibc{} is built with @option{--enable-cet}, the resulting library
> +is protected with indirect branch tracking (IBT) and shadow stack
> +(SHSTK)@. When CET is enabled, @theglibc{} is compatible with all
> +existing executables and shared libraries. This feature is currently
> +supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later.
> +Note that when CET is enabled, @theglibc{} requires CPUs capable of
> +multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
> +newer.
OK.
> +
> @item --disable-profile
> Don't build libraries with profiling information. You may want to use
> this option if you don't plan to do profiling.
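Review bot: in the added @item --enable-cet paragraph, "GCC 8 and binutils 2.29 or later" leaves it unclear whether "or later" also applies to GCC; suggest "GCC 8 or later and binutils 2.29 or later". The same paragraph lists i386 as a supported target and then requires "Intel Pentium Pro or newer", so it would help to state that i386 here names the 32-bit x86 port and that the multi-byte NOP requirement rules out older 32-bit CPUs when the option is used.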
> -- 2.17.1
--
Cheers,
Carlos.