Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.

diff --git a/ChangeLog b/ChangeLog
index d1c5235849148f7a9aad59ba596f2f940b42d982..6d1229ca97511680be9eb4195591dbf48b3f4cde 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-07-18  H.J. Lu  <hongjiu.lu@intel.com>
+
+       * NEWS: Mention --enable-cet.
+       * manual/install.texi: Document --enable-cet.
+       * INSTALL: Regenerated.
+
 2018-07-18  H.J. Lu  <hongjiu.lu@intel.com>
 
        * sysdeps/x86_64/multiarch/memcmp-sse4.S (BRANCH_TO_JMPTBL_ENTRY):

diff --git a/INSTALL b/INSTALL
index 3c656fb7a67e56135f8fa374c2f1cf23b66b2a84..844aa0f34cfd25a79b1ab61ef10e76ce621b7946 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the GNU C Library is built with '--enable-cet', the resulting
+     library is protected with indirect branch tracking (IBT) and shadow
+     stack (SHSTK).  When CET is enabled, the GNU C Library is
+     compatible with all existing executables and shared libraries.
+     This feature is currently supported on i386, x86_64 and x32 with
+     GCC 8 and binutils 2.29 or later.  Note that when CET is enabled,
+     the GNU C Library requires CPUs capable of multi-byte NOPs, like
+     x86-64 processors as well as Intel Pentium Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.

diff --git a/NEWS b/NEWS
index c2896a7d93deacc539b725aedf79baf248082ab8..daef815ae7c36e963070d80e5b42ba51d7d831e4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * The GNU C Library now has correct support for ABSOLUTE symbols
   (SHN_ABS-relative symbols).  Previously such ABSOLUTE symbols were
   relocated incorrectly or in some cases discarded.  The GNU linker can

diff --git a/manual/install.texi b/manual/install.texi
index 42e9954199ffc18a40b2e10cedf1a37ded09060a..3a87ac8bb5919e3c48a4e6859421a46f8a045795 100644 (file)
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,17 @@ with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+@theglibc{} is built with @option{--enable-cet}, the resulting library
+is protected with indirect branch tracking (IBT) and shadow stack
+(SHSTK)@.  When CET is enabled, @theglibc{} is compatible with all
+existing executables and shared libraries.  This feature is currently
+supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later.
+Note that when CET is enabled, @theglibc{} requires CPUs capable of
+multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.