This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: V2 [PATCH] x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk
- From: Rical Jasan <rj at 2c3t dot io>
- To: "H.J. Lu" <hjl dot tools at gmail dot com>, Carlos O'Donell <carlos at redhat dot com>, "Joseph S. Myers" <joseph at codesourcery dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 18 Jul 2018 09:55:40 -0700
- Subject: Re: V2 [PATCH] x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk
- References: <CAMe9rOo2125_bkhDNMQD3zj3SdyTzCrdZz1e2KxTXfaZT3273Q@mail.gmail.com>
On 07/18/2018 09:44 AM, H.J. Lu wrote:
...
> diff --git a/manual/tunables.texi b/manual/tunables.texi
> index be33c9fc79..13426ce238 100644
> --- a/manual/tunables.texi
> +++ b/manual/tunables.texi
> @@ -356,3 +356,31 @@ to set threshold in bytes for non temporal store.
>
> This tunable is specific to i386 and x86-64.
> @end deftp
> +
> +@deftp Tunable glibc.tune.x86_ibt
> +The @code{glibc.tune.x86_ibt=[on|off|permissive]} tunable allows the user

I meant to just use @code{glibc.tune.x86_ibt} here, and then list the
options after, like you did below.

> +to control how indirect branch tracking (IBT) should be enabled. Accepted
> +values are @code{on}, @code{off}, and @code{permissive}. @code{on} always
> +turns on IBT regardless of whether IBT is enabled in the executable and
> +its dependent shared libraries. @code{off} always turns off IBT regardless
> +of whether IBT is enabled in the executable and its dependent shared
> +libraries. @code{permissive} is the same as the default which disables
> +IBT on non-CET executables and shared libraries.
> +
> +This tunable is specific to i386 and x86-64.
> +@end deftp
> +
> +@deftp Tunable glibc.tune.x86_shstk
> +The @code{glibc.tune.x86_shstk=[on|off|permissive]} tunable allows the

And here.

> +user to control how the shadow stack (SHSTK) should be enabled. Accepted
> +values are @code{on}, @code{off}, and @code{permissive}. @code{on}
> +always turns on SHSTK regardless of whether SHSTK is enabled in the
> +executable and its dependent shared libraries. @code{off} always turns
> +off SHSTK regardless of whether SHSTK is enabled in the executable and
> +its dependent shared libraries. @code{permissive} changes how dlopen
> +works on non-CET shared libraries. By default, when SHSTK is enabled,
> +dlopening a non-CET shared library returns an error. With
> +@code{permissive}, it turns off SHSTK instead.
> +
> +This tunable is specific to i386 and x86-64.
> +@end deftp
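
Review bot: The two entries give @code{permissive} different relationships to the default, and neither entry states the default on its own. In the glibc.tune.x86_ibt entry, @code{permissive} is "the same as the default which disables IBT on non-CET executables and shared libraries", so a reader cannot tell what setting it changes or whether it affects dlopen of a non-CET library. In the glibc.tune.x86_shstk entry, @code{permissive} replaces the default dlopen error with turning SHSTK off. I suggest adding one sentence to each entry that says what happens when the tunable is unset, and then describing @code{permissive} for IBT in the same terms used for SHSTK (what happens at dlopen of a non-CET shared library). Since @code{off} and, for SHSTK, @code{permissive} both end with the protection disabled, it would also help to say so directly in the text rather than leaving it to be inferred from "regardless of whether ... is enabled in the executable".
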
> -- 2.17.1

The permissive explanations are much better, thank you.

Rical