"H.J. Lu" hjl.tools@gmail.com writes:
Here is the patch.
-- H.J.
From 6ba393c2e4eafc90d4e50365e740a1eeb04522d3 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" hjl.tools@gmail.com
Date: Mon, 16 Mar 2020 05:17:34 -0700
Subject: [PATCH] x86: Build with -z ibt -z shstk if possible

On Linux/x86, -fcf-protection must be used with GCC to enable CET. In assembly sources, which must be properly marked with .note.gnu.property section, all indirect branch targets must start with ENDBR instruction. Linker can enable CET support in executable and shared library with -z ibt -z shstk option even if CET isn't properly enabled in all input files. This has no impact on non-CET Linux OS. On CET Linux OS, tests will fail if any sources aren't properly CET enabled.
Hi, this confuses me a bit, in two ways:
1. Why do we need to pass linker flags with -Wl,...? Isn't it enough to pass appropriate flags to the gcc frontend, and let it pass them through?
2. What I tried to ask about in the message you reply to, was how to write a test within the Nettle testsuite, to verify that enabling CET really has effect on a test executable (on systems where it is expected to have effect). It's not obvious to me if and how the patch improves that.
Regards, /Niels