On Sat, Mar 7, 2020 at 12:29 PM Jeffrey Walton noloader@gmail.com wrote:
On Sat, Mar 7, 2020 at 11:49 AM Niels Möller nisse@lysator.liu.se wrote:
"H.J. Lu" hjl.tools@gmail.com writes:
Intel Control-flow Enforcement Technology (CET):
https://software.intel.com/en-us/articles/intel-sdm
contains shadow stack (SHSTK) and indirect branch tracking (IBT). When CET is enabled, ELF object files must be marked with .note.gnu.property section. Also when IBT is enabled, all indirect branch targets must start with ENDBR instruction.
This patch adds X86_ENDBR and the CET marker to config.m4.in when CET is enabled. It updates PROLOGUE with X86_ENDBR.
I'd like to have a look at what gcc produces. How is it enabled with gcc? In the docs, I find
-mshstk
The -mshstk option enables shadow stack built-in functions from x86 Control-flow Enforcement Technology (CET).
but when I try compiling a trivial function,
  $ cat foo-cet.c
  int foo(void) {return 0;}
  $ gcc -save-temps -c -mshstk foo-cet.c
I get no endbr instruction and no note in the foo-cet.s. I'm using gcc-8.3. I do get an
.section .note.GNU-stack,"",@progbits
I use -fcf-protection=full -mcet to determine if CET is available in the compiler. (And subsequently run a test with the shadow stack enabled).
I have not used -mshstk, but I may be testing for CET incorrectly.
By the way, I think I lifted those flags from https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ . I enabled it several years ago, so I could be mistaken.
Jeff