Package: gcc (Debian 12.2.0-14) 12.2.0
OS: debian:stable-20240423-slim

When I build a CET-enabled binary by enabling the '-fcf-protection' option, the
gcc compiler failed to generate the binary properly. The output binary
should ideally have IBT and SHSTK properties, but it does not have the
properties.

```
# gcc hello.c -fcf-protection=full -o hello
# readelf -n hello

Displaying notes found in: .note.gnu.property
  Owner                Data size Description
  GNU                  0x00000010 NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline
...
```

If the output binary was properly compiled, it should have IBT and
SHSTK properties as follows.
```
Displaying notes found in: .note.gnu.property
  Owner                Data size Description
  GNU                  0x00000010 NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
```

Upon further investigation, I discovered that the C runtime in Debian lacks
the IBT and SHSTK properties, which led to the issue.
```
# gcc hello.c -fcf-protection=full  -z cet-report=error
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o: error:
missing IBT and SHSTK properties
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o: error:
missing IBT and SHSTK properties
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crtn.o: error:
missing IBT and SHSTK properties
collect2: error: ld returned 1 exit status
```

Furthermore, it was observed that none of the packages in Debian had IBT
and SHSTK properties, despite containing ENDBR instructions.

Given this situation, I would like to inquire about Debian's official
support for Intel CET. If Debian does not currently support Intel CET, I am
curious to know if there are any plans in place to provide support for
Intel CET in the future.

I appreciate your attention to this matter and look forward to hearing from
you soon.

Best regards,
Hyungseok Kim
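
The behaviour reported above follows from how the linker merges `GNU_PROPERTY_X86_FEATURE_1_AND`: a bit survives in the output only if every input object carries it. The sketch below is an added example, not part of the original report or of any Debian or binutils code; it parses `.note.gnu.property` bytes and applies that AND rule. The per-object note contents in `SAMPLE` are constructed for illustration, and the helper names are hypothetical.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_ISA_1_NEEDED = 0xC0008002
IBT, SHSTK = 0x1, 0x2
CET = IBT | SHSTK

def make_note(props):
    """Build constructed .note.gnu.property bytes (64-bit little-endian layout)."""
    desc = b"".join(struct.pack("<III", t, 4, v) + b"\0" * 4 for t, v in props)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

def cet_features(section):
    """Return the X86_FEATURE_1_AND bitmask from note bytes, or 0 if absent."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        desc_off = off + 12 + ((namesz + 3) & ~3)
        name = section[off + 12:off + 12 + namesz]
        desc = section[desc_off:desc_off + descsz]
        p = 0
        while ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0" and p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and p + 12 <= len(desc):
                return struct.unpack_from("<I", desc, p + 8)[0]
            p += (8 + pr_datasz + 7) & ~7  # properties are 8-byte aligned
        off = desc_off + ((descsz + 7) & ~7)
    return 0

def linked_features(inputs):
    """AND the CET bits over all inputs, as the linker does for this property."""
    mask = CET
    for section in inputs.values():
        mask &= cet_features(section)
    return mask

def missing_cet(inputs):
    """Names of inputs lacking IBT or SHSTK (what -z cet-report=error flags)."""
    return sorted(n for n, s in inputs.items() if (cet_features(s) & CET) != CET)

# Constructed sample: note bytes per link input, not taken from real Debian objects.
SAMPLE = {
    "hello.o": make_note([(GNU_PROPERTY_X86_FEATURE_1_AND, CET)]),
    "Scrt1.o": make_note([(GNU_PROPERTY_X86_ISA_1_NEEDED, 0x1)]),
    "crti.o": b"",  # no .note.gnu.property at all
    "crtn.o": b"",
}

if __name__ == "__main__":
    print("linked mask:", linked_features(SAMPLE), "missing:", missing_cet(SAMPLE))
```

With these inputs the merged mask is zero even though `hello.o` itself is marked, which matches the `readelf -n` output in the report.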
