On Mon, Mar 16, 2020 at 3:12 PM Jeffrey Walton noloader@gmail.com wrote:
On Mon, Mar 16, 2020 at 2:50 PM Niels Möller nisse@lysator.liu.se wrote:
... 2. What I tried to ask about in the message you reply to, was how to write a test within the Nettle testsuite, to verify that enabling CET really has effect on a test executable (on systems where it is expected to have effect). It's not obvious to me if and how the patch improves that.
One more time to the list this time....
For the CET patch on Linux, use objdump -d to disassemble a file built with CET. Then grep for ENDBR:
    count=$(objdump -d some_source.o | grep -i -c endbr)
    if [ "$count" -eq 0 ]; then
        echo "Failed to enable CET"
    else
        echo "CET is enabled"
    fi
You need a modern Binutils that supports ENDBR and ENDBR64.
There are other instructions you can search for. See https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-H.... For example, to search for ENDBR, RDSSP and WRSSP:
    count=$(objdump -d some_source.o | grep -i -c -E 'endbr|rdssp|wrssp')
I don't know if/how to check for CET on other platforms, like the BSDs, OS X or Solaris. I know the tools to perform the disassembly, but I don't know the other details.
I just came across this from Checksec. There may be an ELF section named '.cfi' to inspect, too. Also see https://github.com/slimm609/checksec.sh/issues/118 .
Jeff
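
Added example, not part of the original message or of Nettle: a stricter variant of the objdump check above that lists each symbol whose first instruction is not ENDBR32/ENDBR64, instead of counting matches across the whole file. The function names and the sample disassembly are constructed for illustration, and it assumes every symbol in the listing is a possible indirect-branch target.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a real object file:
#   objdump -d some_source.o | missing_endbr

# Reads `objdump -d` text on stdin and prints the name of every symbol
# whose first instruction is not ENDBR32/ENDBR64 (hypothetical helper).
missing_endbr() {
    awk '
        # Symbol header, e.g. "0000000000000000 <name>:"
        /^[0-9a-fA-F]+ <[^>]+>:$/ {
            name = $2
            sub(/^</, "", name); sub(/>:$/, "", name)
            pending = 1
            next
        }
        # First instruction line after a symbol header
        pending && /^[ \t]*[0-9a-fA-F]+:/ {
            # Match the mnemonic, or the raw bytes for a Binutils
            # that does not know the ENDBR mnemonics.
            if ($0 !~ /endbr(32|64)|f3 0f 1e f[ab]/) print name
            pending = 0
        }
    '
}

# Constructed sample disassembly: one entry point with ENDBR64, one without.
sample_disassembly() {
    cat <<'EOF'
some_source.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <with_endbr>:
   0:   f3 0f 1e fa             endbr64
   4:   31 c0                   xor    %eax,%eax
   6:   c3                      ret

0000000000000007 <without_endbr>:
   7:   31 c0                   xor    %eax,%eax
   9:   c3                      ret
EOF
}

# Demo on the constructed sample; prints the symbol lacking ENDBR.
sample_disassembly | missing_endbr
```

On this sample, `grep -i -c endbr` returns 1, so the whole-file count reports CET as enabled even though one entry point has no ENDBR.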