This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
V2 [PATCH 24/24] Intel CET: Document --enable-cet
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: Rical Jasan <rj at 2c3t dot io>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, "Carlos O'Donell" <carlos at redhat dot com>, "Joseph S. Myers" <joseph at codesourcery dot com>
- Date: Wed, 18 Jul 2018 09:41:55 -0700
- Subject: V2 [PATCH 24/24] Intel CET: Document --enable-cet
On Tue, Jul 17, 2018 at 10:46 PM, Rical Jasan <rj@2c3t.io> wrote:
> On 07/17/2018 08:19 PM, H.J. Lu wrote:
>> On Wed, Jun 13, 2018 at 8:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> ...
>>> diff --git a/NEWS b/NEWS
>>> index d51fa09544..e914336557 100644
>>> --- a/NEWS
>>> +++ b/NEWS
>>> @@ -9,6 +9,16 @@ Version 2.28
>>>
>>> Major new features:
>>>
>>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>>> + Intel Control-flow Enforcement Technology. When the library is built
>>> + with --enable-cet, the resulting glibc is protected with indirect
>>> + branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is
>>> + compatible with all existing executables and shared libraries. This
>>> + feature is currently supported on i386, x86_64 and x32 with GCC 8 and
>>> + binutils 2.29 or later. Note that CET-enabled glibc requires CPUs
>>> + capable of multi-byte NOPs, like x86-64 processors as well as Intel
>>> + Pentium Pro or newer.
>>> +
>>> * <math.h> functions that round their results to a narrower type are added
>>> from TS 18661-1:2014 and TS 18661-3:2015:
>>>
>>> diff --git a/manual/install.texi b/manual/install.texi
>>> index 4bbbfcffa5..62aec719d7 100644
>>> --- a/manual/install.texi
>>> +++ b/manual/install.texi
>>> @@ -137,6 +137,16 @@ with no-pie. The resulting glibc can be used with the GCC option,
>>> PIE. This option also implies that glibc programs and tests are created
>>> as dynamic position independent executables (PIE) by default.
>>>
>>> +@item --enable-cet
>>> +Enable Intel Control-flow Enforcement Technology (CET) support. When
>>> +the library is built with --enable-cet, the resulting glibc is protected
>
> @option{--enable-cet} (else both dashes aren't preserved)
Fixed.
> @glibcadj{} wouldn't be right here because it's not an adjective, so it
> would be better to reword the sentence: "When @theglibc{} is built with
> @option{--enable-cet}, the resulting library ..."
Fixed.
>>> +with indirect branch tracking (IBT) and shadow stack (SHSTK)@. CET-enabled
>>> +glibc is compatible with all existing executables and shared libraries.
>
> Similarly here; perhaps: "When CET is enabled, @theglibc{} ..."
Fixed.
>>> +This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
>>> +binutils 2.29 or later. Note that CET-enabled glibc requires CPUs capable
>
> Could reuse the same approach as above: "When CET is enabled,
> @theglibc{} ..."
Fixed.
>>> +of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
>>> +newer.
>>> +
>>> @item --disable-profile
>>> Don't build libraries with profiling information. You may want to use
>>> this option if you don't plan to do profiling.
>>> --
>>> 2.17.1
>>>
>>
>> PING.
>
> Note that I don't have the same objection to using "glibc" in the NEWS
> entry as I do to using it in the manual.
>
Here is the updated patch. OK for trunk?
Thanks.
--
H.J.
From 36bc8d9755edfee0b28d4dd400431d08600b399c Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH] Intel CET: Document --enable-cet
* NEWS: Mention --enable-cet.
* manual/install.texi: Document --enable-cet.
* INSTALL: Regenerated.
---
INSTALL | 11 +++++++++++
NEWS | 10 ++++++++++
manual/install.texi | 11 +++++++++++
3 files changed, 32 insertions(+)
diff --git a/INSTALL b/INSTALL
index 3c656fb7a6..844aa0f34c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization. For example:
programs and tests are created as dynamic position independent
executables (PIE) by default.
+'--enable-cet'
+ Enable Intel Control-flow Enforcement Technology (CET) support.
+ When the GNU C Library is built with '--enable-cet', the resulting
+ library is protected with indirect branch tracking (IBT) and shadow
+ stack (SHSTK). When CET is enabled, the GNU C Library is
+ compatible with all existing executables and shared libraries.
+ This feature is currently supported on i386, x86_64 and x32 with
+ GCC 8 and binutils 2.29 or later. Note that when CET is enabled,
+ the GNU C Library requires CPUs capable of multi-byte NOPs, like
+ x86-64 processors as well as Intel Pentium Pro or newer.
+
'--disable-profile'
Don't build libraries with profiling information. You may want to
use this option if you don't plan to do profiling.
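Review bot: INSTALL is a generated file (the ChangeLog lines above say "INSTALL: Regenerated."), so any wording change asked for on the manual/install.texi hunk must be made in the texi source and INSTALL regenerated, not edited here; as submitted, this hunk's text matches the install.texi hunk sentence for sentence, which is what a reviewer should check for a regenerated file.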
diff --git a/NEWS b/NEWS
index c2896a7d93..daef815ae7 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Version 2.28
Major new features:
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+ Intel Control-flow Enforcement Technology. When the library is built
+ with --enable-cet, the resulting glibc is protected with indirect
+ branch tracking (IBT) and shadow stack (SHSTK). CET-enabled glibc is
+ compatible with all existing executables and shared libraries. This
+ feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+ binutils 2.29 or later. Note that CET-enabled glibc requires CPUs
+ capable of multi-byte NOPs, like x86-64 processors as well as Intel
+ Pentium Pro or newer.
+
* The GNU C Library now has correct support for ABSOLUTE symbols
(SHN_ABS-relative symbols). Previously such ABSOLUTE symbols were
relocated incorrectly or in some cases discarded. The GNU linker can
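Review bot: The sentence "CET-enabled glibc is compatible with all existing executables and shared libraries" does not say what a user should expect when a non-CET executable or shared library is loaded into a process running on CET-enabled glibc, and a NEWS entry is where readers look for exactly that; one clause stating whether IBT and SHSTK protection remains in effect or is turned off for that process would make the compatibility claim concrete. Two smaller wording points: "with GCC 8 and binutils 2.29 or later" reads as if "or later" applies only to binutils, so "with GCC 8 or later and binutils 2.29 or later" is clearer, and "AKA" would read better spelled out as "also known as" in release notes.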
diff --git a/manual/install.texi b/manual/install.texi
index 42e9954199..3a87ac8bb5 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,17 @@ with no-pie. The resulting glibc can be used with the GCC option,
PIE. This option also implies that glibc programs and tests are created
as dynamic position independent executables (PIE) by default.
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support. When
+@theglibc{} is built with @option{--enable-cet}, the resulting library
+is protected with indirect branch tracking (IBT) and shadow stack
+(SHSTK)@. When CET is enabled, @theglibc{} is compatible with all
+existing executables and shared libraries. This feature is currently
+supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or later.
+Note that when CET is enabled, @theglibc{} requires CPUs capable of
+multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
@item --disable-profile
Don't build libraries with profiling information. You may want to use
this option if you don't plan to do profiling.
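Review bot: The requirement sentence "Note that when CET is enabled, @theglibc{} requires CPUs capable of multi-byte NOPs" does not tell the reader what happens when a CET-enabled build is run on a CPU that lacks them (refuses to start, crashes, or runs unprotected), which is the decision-relevant information for someone choosing this configure option; one sentence stating the observable behaviour would close that gap. The toolchain version phrase "with GCC 8 and binutils 2.29 or later" has the same ambiguity as in the NEWS hunk and should read "with GCC 8 or later and binutils 2.29 or later" here, with INSTALL regenerated afterwards. The @theglibc{} and @option{--enable-cet} rewording requested in the earlier review is applied correctly throughout the hunk.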
--
2.17.1