Package: gcc (Debian 12.2.0-14) 12.2.0 OS: debian:stable-20240423-slim When I build CET-enable binary by enabling '-fcf-protection' option, the gcc compiler failed to generate the binary properly. The output binary should ideally have IBT and SHSTK properties, but it does not have the properties.
``` # gcc hello.c -fcf-protection=full -o hello # readelf -n hello Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0 Properties: x86 ISA needed: x86-64-baseline ... ``` If the output binary was properly compiled, it should have IBT and SHSTK properties as follows. ``` Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0 Properties: x86 feature: IBT, SHSTK ```` Upon further investigation, I discovered that the C runtime in Debian lacks the IBT and SHSTK properties, which led to the issue. ``` # gcc hello.c -fcf-protection=full -z cet-report=error /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o: error: missing IBT and SHSTK properties /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o: error: missing IBT and SHSTK properties /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crtn.o: error: missing IBT and SHSTK properties collect2: error: ld returned 1 exit status ``` Furthermore, it was observed that none of the packages in Debian had IBT and SHSTK properties, despite containing ENDBR instructions. Given this situation, I would like to inquire about Debian's official support for Intel CET. If Debian does not currently support Intel CET, I am curious to know if there are any plans in place to provide support for Intel CET in the future. I appreciate your attention to this matter and look forward to hearing from you soon. Best regards, Hyungseok Kim