"H.J. Lu" hjl.tools@gmail.com writes:
Here is the patch.
-- H.J.
From 6ba393c2e4eafc90d4e50365e740a1eeb04522d3 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" hjl.tools@gmail.com
Date: Mon, 16 Mar 2020 05:17:34 -0700
Subject: [PATCH] x86: Build with -z ibt -z shstk if possible
On Linux/x86, -fcf-protection must be used with GCC to enable CET. In assembly sources, which must be properly marked with .note.gnu.property section, all indirect branch targets must start with ENDBR instruction. Linker can enable CET support in executable and shared library with -z ibt -z shstk option even if CET isn't properly enabled in all input files. This has no impact on non-CET Linux OS. On CET Linux OS, tests will fail if any sources aren't properly CET enabled.
Hi, this confuses me a bit, in two ways:
1. Why do we need to pass linker flags with -Wl,...? Isn't it enough to pass appropriate flags to the gcc frontend, and let it pass them through?
2. What I tried to ask about in the message you reply to, was how to write a test within the Nettle testsuite, to verify that enabling CET really has effect on a test executable (on systems where it is expected to have effect). It's not obvious to me if and how the patch improves that.
Regards, /Niels
On Mon, Mar 16, 2020 at 2:50 PM Niels Möller nisse@lysator.liu.se wrote:
... 2. What I tried to ask about in the message you reply to, was how to write a test within the Nettle testsuite, to verify that enabling CET really has effect on a test executable (on systems where it is expected to have effect). It's not obvious to me if and how the patch improves that.
One more time to the list this time....
For the CET patch on Linux, use objdump -d to disassemble a file built with CET. Then grep for ENDBR:
    count=$(objdump -d some_source.o | grep -i -c endbr)
    if [ "$count" -eq 0 ]; then
        echo "Failed to enable CET"
    else
        echo "CET is enabled"
    fi
You need a modern Binutils that supports ENDBR and ENDBR64.
There are other instructions you can search for. See https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-H.... For example, to search for ENDBR, RDSSP and WRSSP:
count=$(objdump -d some_source.o | grep -i -c -E 'endbr|rdssp|wrssp')
I don't know if/how to check for CET on other platforms, like the BSDs, OS X or Solaris. I know the tools to perform the disassembly, but I don't know the other details.
Also see https://stackoverflow.com/q/56120231.
Jeff
On Mon, Mar 16, 2020 at 3:12 PM Jeffrey Walton noloader@gmail.com wrote:
On Mon, Mar 16, 2020 at 2:50 PM Niels Möller nisse@lysator.liu.se wrote:
... 2. What I tried to ask about in the message you reply to, was how to write a test within the Nettle testsuite, to verify that enabling CET really has effect on a test executable (on systems where it is expected to have effect). It's not obvious to me if and how the patch improves that.
One more time to the list this time....
For the CET patch on Linux, use objdump -d to disassemble a file built with CET. Then grep for ENDBR:
    count=$(objdump -d some_source.o | grep -i -c endbr)
    if [ "$count" -eq 0 ]; then
        echo "Failed to enable CET"
    else
        echo "CET is enabled"
    fi
You need a modern Binutils that supports ENDBR and ENDBR64.
There are other instructions you can search for. See https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-H.... For example, to search for ENDBR, RDSSP and WRSSP:
count=$(objdump -d some_source.o | grep -i -c -E 'endbr|rdssp|wrssp')
I don't know if/how to check for CET on other platforms, like the BSDs, OS X or Solaris. I know the tools to perform the disassembly, but I don't know the other details.
I just came across this from Checksec. There may be an elf section named '.cfi' to inspect, too. Also see https://github.com/slimm609/checksec.sh/issues/118 .
Jeff
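Added example, not part of the original thread or of the Nettle patch: a complement to the ENDBR grep above that checks the .note.gnu.property marker mentioned in the commit message on a linked test executable, by reading the "x86 feature:" line that `readelf -n` prints. It assumes binutils readelf is installed; the function names and the sample readelf output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an ELF file's CET marking from `readelf -n` output.
# An ENDBR count on one object file does not show that the linked binary
# carries both the IBT and SHSTK feature bits; the property note does.

# cet_features: read `readelf -n` output on stdin and print the CET feature
# names (IBT, SHSTK) found on the "x86 feature:" line, one per line.
cet_features() {
    sed -n 's/^.*x86 feature: *//p' | tr ',' '\n' | tr -d ' \t' |
        { grep -E '^(IBT|SHSTK)$' || true; } | sort -u
}

# cet_status: print "full", "partial: <names>" or "none" for stdin.
cet_status() {
    feats=$(cet_features | tr '\n' ' ')
    case "$feats" in
        "IBT SHSTK ") echo "full" ;;
        "")           echo "none" ;;
        *)            echo "partial: ${feats% }" ;;
    esac
}

# check_cet FILE: inspect a real binary; succeeds only if both bits are set.
check_cet() {
    result=$(readelf -n "$1" 2>/dev/null | cet_status)
    echo "$1: CET marking $result"
    [ "$result" = "full" ]
}

# sample_notes FEATURES: constructed stand-in for `readelf -n` output, so the
# parser can be exercised without a CET toolchain.
sample_notes() {
    printf '%s\n' 'Displaying notes found in: .note.gnu.property' \
        '  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0' \
        "      Properties: x86 feature: $1" \
        '        x86 feature used: x86, x87'
}

# Usage: sh check_cet.sh path/to/test-executable
if [ "$#" -gt 0 ]; then check_cet "$1"; fi
```

A "partial" or "none" result on a binary that was meant to be CET-enabled points at an input file, typically hand-written assembly, that lacks the property note.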