On Fri, 2019-04-26 at 22:31 +0200, Niels Möller wrote:
> Simo Sorce <s...@redhat.com> writes:
>
> > I understand this is not a high bar, and I will fold the segment note
> > in if you think that is what we should do, but I wanted to make you
> > aware of why I did not do the same as what we do with the stack note.
>
> I think we should aim to make all files "cet-compliant" if we do it att
> all. After all, the common case is to have a libnettle.so, and then any
> single object file missing the annotation will make the linker disable
> the feature, if I've understood it correctly. I agree it should be
> disabled by default until we're more confident in test coverage.
Yes we should have all files CET compliant, the idea of having a
distinct macro was to make it easy to catch submissions of new files
that lack it.
> BTW, do you know how that works with late loading using dlopen? One
> could have a process running in CET-mode, which dynamically loads an
> so-file with code lacking endbr instructions and corresponding
> annotation.
Yes I had the same question so I asked to our glibc gurus. The only
protection that is problematic is IBT as it requires insertion of new
instructions, so there is a mode where you can mark specific pages so
that the CPU will ignore missing endbr instruction exclusively for
executable code on those pages. So you can load an entire library via
dlopen() on specially marked pages and code running on those will have
no protection while the rest of the code will do. It is an all-or
nothing at the library level at that point.
It is not clear to me if this is fully supported today in glibc yet.
I guess in theory this could be done for individual libraries brought
in at execution time by the dynamic linker, but I think that is not
done and instead the whole binary is either enabled or disabled
currently.
> If we think about it as an arch-specific thing, which I guess we should,
> then maybe the m4 divert should be in x86_64/machine.m4 and
> x86/machine.m4, not asm.m4.
Makes sense, I can move it, do you still want it to be automagically
added to all assembly files?
> > That is funny, I actually used CET_ENDBR to make it easier to find for
> > others grepping as binutils also uses a _CET_ENDBR macro, it sounded
> > more consistent
>
> I agree your name is better for readability, even if less amusing.
>
> > > I'd like to understand what's missing. Maybe we can fix it more
> > > explicitly?
> >
> > I do not think we can easily fix it manually, it is mostly other
> > section notes that the gcc compiler adds when it fortifies C code. But
> > those notes do not really apply to handcrafted assembly.
>
> [...]
> > So this flag
> > is basically just saying to the compiler that it should add whatever is
> > appropriate (which may change depending on compiler flags) because our
> > code is good as is.
>
> Since the command line flag is passed with -Wa, it tells the *assembler*
> to add notes.
True.
> Which ones? Is it based only on the command line, say,
> $(CFLAGS) contains -fharden-foo makes the assembler produces a "foo"
> note. Or is it based on what's actually in the assembly input file?
It is not based on what is in the assembly input file afaik.
It generates "GNU Build Attribute" notes.
readelf show a single additional Owner attribute named GA$<version>3a1
with Data size always set to 0x10 and applied to each section of the
library corresponding to assembly files that cover the memory range
occupied by said library.
I have no more information than that at the moment, but I can ask if
you want me to dig through it.
> Is there a risk that it automatically generates a note promising
> something about the assembly code which we don't actually fulfill?
I was told that's not the case, I think it just sets bare notes that
basically do not assert anything specific, it just makes the tools that
check for those notes happy.
> Is there any documentation? I see that it is mentioned in the binutils-2.31
> release announcement, but I've not found it mentioned in the Gas manual.
Couldn't find anything either. Only some fedora wiki change proposal
page that mentions them.
> > https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
> > (I do no have a better link)
>
> Looks like reasonable doc. (Closest on wikpedia seems to be
> https://en.wikipedia.org/wiki/Control-flow_integrity).
Yeah I found this page too on wikipedia but is is it too generic (it
also referenced the link above)
> > See above explanation and let me know if that changes your opinion,
> > otherwise I will do this.
> >
> > > > +ALIGN(8)
> > > > +.long 1f - 0f
> > > > +.long 4f - 1f
> > > > +.long 5
> > > > +0:
> > > > +.string "GNU"
> > > > +1:
> > > > +ALIGN(8)
> > > > +.long 0xc0000002
> > > > +.long 3f - 2f
> > > > +2:
> > > > +.long 0x03
> > > > +3:
> > > > +ALIGN(8)
> > > > +4:
> > >
> > > Are there no symbolic names for this note? Since we require assembler to
> > > suport endbr instructions, can we require that it know about these notes
> > > as well? What does it look like in gcc output?
> >
> > There are symbolic names to compose the 0x03 value and for the
> > 0xc0000002 values, the rest are just label arithmetic.
> >
> > I will change in next submission.
>
> I see, I was hoping for something more similar to
>
> .section .note.GNU-stack,"",TYPE_PROGBITS
Nope, no such thing.
> I'm still curious as to what it looks like in gcc output.
Exactly like the above.
You can see it appended in any .s file generated by gcc when you
compile with CFLAGS including -fcf-protection
Attached find a new patch that replaces the first one and moves the
section definition to be machine specific
The second is a WIP, to also move the new instructions and make the
section atumagic. It makes the configure.ac clearer but requires to add
macros to each machine.m4 file.
Given it is a amchine specific technology I did not think it made sense
to add CET_ENDBR name in non intel architectures, and allows us to use
CODEFROM :-)
The other patches are unchanged, but I changed the order to put them
first so they can be applied right away if you want.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
From dcf9de29114bb4137b12787685cebfcfd962ad5f Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 26 Apr 2019 13:12:53 -0400
Subject: [PATCH 1/4] Add missing EPILOGUEs in assembly files
Signed-off-by: Simo Sorce <s...@redhat.com>
---
x86_64/poly1305-internal.asm | 1 +
x86_64/serpent-decrypt.asm | 1 +
x86_64/serpent-encrypt.asm | 1 +
3 files changed, 3 insertions(+)
diff --git a/x86_64/poly1305-internal.asm b/x86_64/poly1305-internal.asm
index c780d122..98159ad3 100644
--- a/x86_64/poly1305-internal.asm
+++ b/x86_64/poly1305-internal.asm
@@ -182,4 +182,5 @@ define(<T1>, <%rax>)
mov XREG(%rax), P1305_H2 (CTX)
W64_EXIT(2, 0)
ret
+EPILOGUE(nettle_poly1305_digest)
diff --git a/x86_64/serpent-decrypt.asm b/x86_64/serpent-decrypt.asm
index ee4bf9ad..031c41c8 100644
--- a/x86_64/serpent-decrypt.asm
+++ b/x86_64/serpent-decrypt.asm
@@ -713,3 +713,4 @@ PROLOGUE(nettle_serpent_decrypt)
pop %rbx
W64_EXIT(4, 13)
ret
+EPILOGUE(nettle_serpent_decrypt)
diff --git a/x86_64/serpent-encrypt.asm b/x86_64/serpent-encrypt.asm
index d6636537..99cba00c 100644
--- a/x86_64/serpent-encrypt.asm
+++ b/x86_64/serpent-encrypt.asm
@@ -748,3 +748,4 @@ C parallell.
pop %rbx
W64_EXIT(4, 13)
ret
+EPILOGUE(nettle_serpent_encrypt)
--
2.20.1
From af9b9379fdad760589acddb186620dcc7d994e8e Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 24 Apr 2019 16:13:59 -0400
Subject: [PATCH 2/4] Fix generation of build notes if supported
This is needed to build correctly on platfroms that use
hardening flags and build notes on .c files.
Signed-off-by: Simo Sorce <s...@redhat.com>
---
Makefile.in | 4 +++-
configure.ac | 22 ++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 440de9f7..4e603047 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -17,6 +17,8 @@ OPT_HOGWEED_OBJS = @OPT_HOGWEED_OBJS@
OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@
+ASM_GEN_BUILD_NOTES = @ASM_GEN_BUILD_NOTES@
+
SUBDIRS = tools testsuite examples
include config.make
@@ -396,7 +398,7 @@ ecc-25519.$(OBJEXT): ecc-25519.h
.asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4
$(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s
- $(COMPILE) -c $*.s
+ $(COMPILE) -c $*.s $(ASM_GEN_BUILD_NOTES)
@echo "$@ : $< $(srcdir)/asm.m4 machine.m4 config.m4" >$@.d
# Texinfo rules
diff --git a/configure.ac b/configure.ac
index 00d2bf5d..ac921df0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -702,6 +702,7 @@ ASM_TYPE_FUNCTION='@function'
ASM_TYPE_PROGBITS='@progbits'
ASM_MARK_NOEXEC_STACK=''
ASM_ALIGN_LOG=''
+ASM_GEN_BUILD_NOTES=''
if test x$enable_assembler = xyes ; then
AC_CACHE_CHECK([if globals are prefixed by underscore],
@@ -812,6 +813,26 @@ EOF
[nettle_cv_asm_align_log=yes],
[nettle_cv_asm_align_log=no])])
ASM_ALIGN_LOG="$nettle_cv_asm_align_log"
+
+ AC_CACHE_CHECK([if --generate-missing-build-notes is supported],
+ nettle_cv_asm_build_notes,
+ [ # Default
+ nettle_cv_asm_build_notes=no
+
+ cat >conftest.s << EOF
+.text
+EOF
+ FLAG="-Wa,--generate-missing-build-notes=yes"
+ nettle_assemble="$CC $CFLAGS $CPPFLAGS -c conftest.s $FLAG >conftest.out 2>&1"
+ if AC_TRY_EVAL(nettle_assemble); then
+ nettle_cv_asm_build_notes=yes
+ else
+ nettle_cv_asm_build_notes=no
+ fi
+ rm -f conftest.*])
+ if test x$nettle_cv_asm_build_notes = xyes ; then
+ ASM_GEN_BUILD_NOTES='-Wa,--generate-missing-build-notes=yes'
+ fi
fi
AC_SUBST(ASM_SYMBOL_PREFIX)
@@ -823,6 +844,7 @@ AC_SUBST(ASM_MARK_NOEXEC_STACK)
AC_SUBST(ASM_ALIGN_LOG)
AC_SUBST(W64_ABI)
AC_SUBST(ASM_WORDS_BIGENDIAN)
+AC_SUBST(ASM_GEN_BUILD_NOTES)
AC_SUBST(EMULATOR)
AC_SUBST(LIBNETTLE_MAJOR)
--
2.20.1
From a11dd90fc89767609be7729973bf9be0f8809d20 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 23 Apr 2019 18:03:35 -0400
Subject: [PATCH 3/4] Add Intel CET protection support
In upcoming processors Intel will make available Control-Flow
Enforcement Technology, which is comprised of two hardware
countermeasures against Return-Oriented Programming attacks.
The first is called Shadow Stack and checks that return from function
calls are not tampered with by keeping a shadow stack that cannot be
modified by applications. This measure requires no code changes (except
for code that intentionally modifies the return pointer on the stack).
The second is called Indirect Branch Tracking and is used to insure only
targets of indirect jumps are actually jumped to. This requires
modification of code to insert a special instruction that identifies a
valid indirect jump target. When enforcement is turned on, if an indirect
jump does not end on this special instruction the cpu raises an exception.
These instructions are noops on older CPU models so it is safe to use
them in all x86(_64) code.
To enable these protections GCC also introduces a new GNU property note
section that marks a piece of code as CET ready.
If the note is in place the dynamic linker will be able to confirm that
all loaded libraries support CET and will turn on CET protection for the
binary.
The changes here consist mostly in adding the GNU property note section
to all x86(_64) assembly files and the proper ENDBRANCH instruction for
the function entrypoints which is where other code calls into via
indirect call.
Signed-off-by: Simo Sorce <s...@redhat.com>
---
asm.m4 | 3 ++-
config.m4.in | 2 ++
configure.ac | 17 +++++++++++++
x86/aes-decrypt-internal.asm | 1 +
x86/aes-encrypt-internal.asm | 1 +
x86/arcfour-crypt.asm | 1 +
x86/camellia-crypt-internal.asm | 1 +
x86/machine.m4 | 35 +++++++++++++++++++++++++++
x86/md5-compress.asm | 1 +
x86/sha1-compress.asm | 1 +
x86_64/aes-decrypt-internal.asm | 1 +
x86_64/aes-encrypt-internal.asm | 1 +
x86_64/aesni/aes-decrypt-internal.asm | 1 +
x86_64/aesni/aes-encrypt-internal.asm | 1 +
x86_64/camellia-crypt-internal.asm | 1 +
x86_64/chacha-core-internal.asm | 1 +
x86_64/fat/cpuid.asm | 2 +-
x86_64/gcm-hash8.asm | 1 +
x86_64/machine.m4 | 35 +++++++++++++++++++++++++++
x86_64/md5-compress.asm | 1 +
x86_64/memxor.asm | 1 +
x86_64/memxor3.asm | 1 +
x86_64/poly1305-internal.asm | 1 +
x86_64/salsa20-core-internal.asm | 1 +
x86_64/salsa20-crypt.asm | 1 +
x86_64/serpent-decrypt.asm | 1 +
x86_64/serpent-encrypt.asm | 1 +
x86_64/sha1-compress.asm | 1 +
x86_64/sha256-compress.asm | 1 +
x86_64/sha3-permute.asm | 1 +
x86_64/sha512-compress.asm | 1 +
x86_64/sha_ni/sha1-compress.asm | 1 +
x86_64/sha_ni/sha256-compress.asm | 1 +
x86_64/umac-nh-n.asm | 1 +
x86_64/umac-nh.asm | 1 +
35 files changed, 121 insertions(+), 2 deletions(-)
diff --git a/asm.m4 b/asm.m4
index 8da47201..5a5d4ac2 100644
--- a/asm.m4
+++ b/asm.m4
@@ -32,7 +32,8 @@ define(<GMP_NUMB_BITS>,<>)dnl
define(<PROLOGUE>,
<.globl C_NAME($1)
DECLARE_FUNC(C_NAME($1))
-C_NAME($1):>)
+C_NAME($1):
+CET_ENDBR>)
define(<EPILOGUE>,
<ifelse(ELF_STYLE,yes,
diff --git a/config.m4.in b/config.m4.in
index 11f90a40..c3ebad60 100644
--- a/config.m4.in
+++ b/config.m4.in
@@ -8,6 +8,8 @@ define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl
define(<W64_ABI>, <@W64_ABI@>)dnl
define(<RODATA>, <@ASM_RODATA@>)dnl
define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl
+define(<CET_PROTECTION>, <@ASM_CET_PROTECTION@>)dnl
+define(<CET_ENDBR>, <@ASM_CET_ENDBR@>)dnl
divert(1)
@ASM_MARK_NOEXEC_STACK@
divert
diff --git a/configure.ac b/configure.ac
index ac921df0..7beb35d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -93,6 +93,10 @@ AC_ARG_ENABLE(mini-gmp,
AC_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),,
[enable_mini_gmp=no])
+AC_ARG_ENABLE(cet-protection,
+ AC_HELP_STRING([--enable-cet-protection], [Enable intel CET protection instructions. (default=no)]),,
+ [enable_cet_protection=no])
+
if test "x$enable_mini_gmp" = xyes ; then
NETTLE_USE_MINI_GMP=1
HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;"
@@ -701,6 +705,8 @@ ASM_COFF_STYLE='no'
ASM_TYPE_FUNCTION='@function'
ASM_TYPE_PROGBITS='@progbits'
ASM_MARK_NOEXEC_STACK=''
+ASM_CET_PROTECTION='no'
+ASM_CET_ENDBR=''
ASM_ALIGN_LOG=''
ASM_GEN_BUILD_NOTES=''
@@ -833,6 +839,15 @@ EOF
if test x$nettle_cv_asm_build_notes = xyes ; then
ASM_GEN_BUILD_NOTES='-Wa,--generate-missing-build-notes=yes'
fi
+
+ if test "x$enable_cet_protection" = xyes ; then
+ ASM_CET_PROTECTION=yes
+ if test "$ABI" = 64 ; then
+ ASM_CET_ENDBR=endbr64
+ else
+ ASM_CET_ENDBR=endbr32
+ fi
+ fi
fi
AC_SUBST(ASM_SYMBOL_PREFIX)
@@ -845,6 +860,8 @@ AC_SUBST(ASM_ALIGN_LOG)
AC_SUBST(W64_ABI)
AC_SUBST(ASM_WORDS_BIGENDIAN)
AC_SUBST(ASM_GEN_BUILD_NOTES)
+AC_SUBST(ASM_CET_PROTECTION)
+AC_SUBST(ASM_CET_ENDBR)
AC_SUBST(EMULATOR)
AC_SUBST(LIBNETTLE_MAJOR)
diff --git a/x86/aes-decrypt-internal.asm b/x86/aes-decrypt-internal.asm
index ff535b6a..1d16f6db 100644
--- a/x86/aes-decrypt-internal.asm
+++ b/x86/aes-decrypt-internal.asm
@@ -175,3 +175,4 @@ PROLOGUE(_nettle_aes_decrypt)
popl %ebx
ret
EPILOGUE(_nettle_aes_decrypt)
+GNU_CET_SECTION()
diff --git a/x86/aes-encrypt-internal.asm b/x86/aes-encrypt-internal.asm
index 934158f7..d9579e04 100644
--- a/x86/aes-encrypt-internal.asm
+++ b/x86/aes-encrypt-internal.asm
@@ -175,3 +175,4 @@ PROLOGUE(_nettle_aes_encrypt)
popl %ebx
ret
EPILOGUE(_nettle_aes_encrypt)
+GNU_CET_SECTION()
diff --git a/x86/arcfour-crypt.asm b/x86/arcfour-crypt.asm
index df3fe869..11f592e7 100644
--- a/x86/arcfour-crypt.asm
+++ b/x86/arcfour-crypt.asm
@@ -123,3 +123,4 @@ C .Lloop_done:
popl %ebx
ret
EPILOGUE(nettle_arcfour_crypt)
+GNU_CET_SECTION()
diff --git a/x86/camellia-crypt-internal.asm b/x86/camellia-crypt-internal.asm
index ce8c57f0..afac1fcc 100644
--- a/x86/camellia-crypt-internal.asm
+++ b/x86/camellia-crypt-internal.asm
@@ -223,3 +223,4 @@ PROLOGUE(_nettle_camellia_crypt)
popl %ebx
ret
EPILOGUE(_nettle_camellia_crypt)
+GNU_CET_SECTION()
diff --git a/x86/machine.m4 b/x86/machine.m4
index 38bee366..1153c757 100644
--- a/x86/machine.m4
+++ b/x86/machine.m4
@@ -14,3 +14,38 @@ define(<HREG>,<ifelse(
$1, %ebx, %bh,
$1, %ecx, %ch,
$1, %edx, %dh)>)dnl
+
+dnl GNU properties section to enable CET protections macros
+dnl For more info on the technology:
+dnl https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
+
+dnl GNU Poperty type
+define(<NT_GNU_PROPERTY_TYPE_0>, <5>)
+dnl GNU Program Property Type range
+define(GNU_PROPERTY_X86_UINT32_AND_LO, <0xc0000002>)
+dnl Indirect Branch Tracking
+define(<GNU_PROPERTY_X86_FEATURE_1_IBT>, <0x01>)
+dnl Shadow Stack
+define(<GNU_PROPERTY_X86_FEATURE_1_SHSTK>, <0x02>)
+
+dnl NOTE: GNU Property sections MUST have alignment of 8
+define(<GNU_CET_SECTION>,
+<ifelse(CET_PROTECTION,yes,
+<.pushsection .note.gnu.property,"a"
+ALIGN(8)
+.long 1f - 0f
+.long 4f - 1f
+.long NT_GNU_PROPERTY_TYPE_0()
+0:
+.string "GNU"
+1:
+ALIGN(8)
+.long GNU_PROPERTY_X86_UINT32_AND_LO()
+.long 3f - 2f
+2:
+.long eval(GNU_PROPERTY_X86_FEATURE_1_IBT() | GNU_PROPERTY_X86_FEATURE_1_SHSTK())
+3:
+ALIGN(8)
+4:
+.popsection
+>,<>)>)
diff --git a/x86/md5-compress.asm b/x86/md5-compress.asm
index c849c082..6293f052 100644
--- a/x86/md5-compress.asm
+++ b/x86/md5-compress.asm
@@ -185,3 +185,4 @@ PROLOGUE(nettle_md5_compress)
popl %ebx
ret
EPILOGUE(nettle_md5_compress)
+GNU_CET_SECTION()
diff --git a/x86/sha1-compress.asm b/x86/sha1-compress.asm
index 03bdcdc9..4e1f121c 100644
--- a/x86/sha1-compress.asm
+++ b/x86/sha1-compress.asm
@@ -1541,6 +1541,7 @@ C ROUND_F2(SB, SC, SD, SE, SA, 79, K4VALUE)
popl %ebx
ret
EPILOGUE(nettle_sha1_compress)
+GNU_CET_SECTION()
C TODO:
diff --git a/x86_64/aes-decrypt-internal.asm b/x86_64/aes-decrypt-internal.asm
index 43f2f394..eedfaaf0 100644
--- a/x86_64/aes-decrypt-internal.asm
+++ b/x86_64/aes-decrypt-internal.asm
@@ -150,3 +150,4 @@ PROLOGUE(_nettle_aes_decrypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_aes_decrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/aes-encrypt-internal.asm b/x86_64/aes-encrypt-internal.asm
index dfb498f5..3a5a1e86 100644
--- a/x86_64/aes-encrypt-internal.asm
+++ b/x86_64/aes-encrypt-internal.asm
@@ -151,3 +151,4 @@ PROLOGUE(_nettle_aes_encrypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_aes_encrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/aesni/aes-decrypt-internal.asm b/x86_64/aesni/aes-decrypt-internal.asm
index 3d6d6e30..1b1a1a4d 100644
--- a/x86_64/aesni/aes-decrypt-internal.asm
+++ b/x86_64/aesni/aes-decrypt-internal.asm
@@ -132,3 +132,4 @@ PROLOGUE(_nettle_aes_decrypt)
W64_EXIT(6, 16)
ret
EPILOGUE(_nettle_aes_decrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/aesni/aes-encrypt-internal.asm b/x86_64/aesni/aes-encrypt-internal.asm
index 99caf1f8..f7338ef6 100644
--- a/x86_64/aesni/aes-encrypt-internal.asm
+++ b/x86_64/aesni/aes-encrypt-internal.asm
@@ -132,3 +132,4 @@ PROLOGUE(_nettle_aes_encrypt)
W64_EXIT(6, 16)
ret
EPILOGUE(_nettle_aes_encrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/camellia-crypt-internal.asm b/x86_64/camellia-crypt-internal.asm
index 040e030f..71750172 100644
--- a/x86_64/camellia-crypt-internal.asm
+++ b/x86_64/camellia-crypt-internal.asm
@@ -200,3 +200,4 @@ PROLOGUE(_nettle_camellia_crypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_camellia_crypt)
+GNU_CET_SECTION()
diff --git a/x86_64/chacha-core-internal.asm b/x86_64/chacha-core-internal.asm
index 9e5dc394..3125dee7 100644
--- a/x86_64/chacha-core-internal.asm
+++ b/x86_64/chacha-core-internal.asm
@@ -126,3 +126,4 @@ PROLOGUE(_nettle_chacha_core)
W64_EXIT(3, 6)
ret
EPILOGUE(_nettle_chacha_core)
+GNU_CET_SECTION()
diff --git a/x86_64/fat/cpuid.asm b/x86_64/fat/cpuid.asm
index f317d56e..c4a5b538 100644
--- a/x86_64/fat/cpuid.asm
+++ b/x86_64/fat/cpuid.asm
@@ -56,4 +56,4 @@ PROLOGUE(_nettle_cpuid)
W64_EXIT(2)
ret
EPILOGUE(_nettle_cpuid)
-
+GNU_CET_SECTION()
diff --git a/x86_64/gcm-hash8.asm b/x86_64/gcm-hash8.asm
index bfaa6ef8..54608ae8 100644
--- a/x86_64/gcm-hash8.asm
+++ b/x86_64/gcm-hash8.asm
@@ -199,6 +199,7 @@ ALIGN(16)
jnz .Lread_loop
ret
EPILOGUE(_nettle_gcm_hash8)
+GNU_CET_SECTION()
define(<W>, <0x$2$1>)
RODATA
diff --git a/x86_64/machine.m4 b/x86_64/machine.m4
index 397e9b25..a64241ce 100644
--- a/x86_64/machine.m4
+++ b/x86_64/machine.m4
@@ -171,3 +171,38 @@ define(<W64_EXIT>, <
])
changequote(<,>)dnl
>)
+
+dnl GNU properties section to enable CET protections macros
+dnl For more info on the technology:
+dnl https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
+
+dnl GNU Poperty type
+define(<NT_GNU_PROPERTY_TYPE_0>, <5>)
+dnl GNU Program Property Type range
+define(GNU_PROPERTY_X86_UINT32_AND_LO, <0xc0000002>)
+dnl Indirect Branch Tracking
+define(<GNU_PROPERTY_X86_FEATURE_1_IBT>, <0x01>)
+dnl Shadow Stack
+define(<GNU_PROPERTY_X86_FEATURE_1_SHSTK>, <0x02>)
+
+dnl NOTE: GNU Property sections MUST have alignment of 8
+define(<GNU_CET_SECTION>,
+<ifelse(CET_PROTECTION,yes,
+<.pushsection .note.gnu.property,"a"
+ALIGN(8)
+.long 1f - 0f
+.long 4f - 1f
+.long NT_GNU_PROPERTY_TYPE_0()
+0:
+.string "GNU"
+1:
+ALIGN(8)
+.long GNU_PROPERTY_X86_UINT32_AND_LO()
+.long 3f - 2f
+2:
+.long eval(GNU_PROPERTY_X86_FEATURE_1_IBT() | GNU_PROPERTY_X86_FEATURE_1_SHSTK())
+3:
+ALIGN(8)
+4:
+.popsection
+>,<>)>)
diff --git a/x86_64/md5-compress.asm b/x86_64/md5-compress.asm
index 182b8f18..ef1fcb89 100644
--- a/x86_64/md5-compress.asm
+++ b/x86_64/md5-compress.asm
@@ -174,3 +174,4 @@ PROLOGUE(nettle_md5_compress)
ret
EPILOGUE(nettle_md5_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/memxor.asm b/x86_64/memxor.asm
index f07f0017..a0ea94b4 100644
--- a/x86_64/memxor.asm
+++ b/x86_64/memxor.asm
@@ -171,3 +171,4 @@ ifdef(<USE_SSE2>, <
>)
EPILOGUE(nettle_memxor)
+GNU_CET_SECTION()
diff --git a/x86_64/memxor3.asm b/x86_64/memxor3.asm
index 8ff3e79c..b0c0e35c 100644
--- a/x86_64/memxor3.asm
+++ b/x86_64/memxor3.asm
@@ -261,3 +261,4 @@ ifelse(USE_SSE2, yes, <
EPILOGUE(nettle_memxor3)
+GNU_CET_SECTION()
diff --git a/x86_64/poly1305-internal.asm b/x86_64/poly1305-internal.asm
index 98159ad3..3737450f 100644
--- a/x86_64/poly1305-internal.asm
+++ b/x86_64/poly1305-internal.asm
@@ -184,3 +184,4 @@ define(<T1>, <%rax>)
ret
EPILOGUE(nettle_poly1305_digest)
+GNU_CET_SECTION()
diff --git a/x86_64/salsa20-core-internal.asm b/x86_64/salsa20-core-internal.asm
index 4ef07be0..c1690880 100644
--- a/x86_64/salsa20-core-internal.asm
+++ b/x86_64/salsa20-core-internal.asm
@@ -109,3 +109,4 @@ PROLOGUE(_nettle_salsa20_core)
W64_EXIT(3, 9)
ret
EPILOGUE(_nettle_salsa20_core)
+GNU_CET_SECTION()
diff --git a/x86_64/salsa20-crypt.asm b/x86_64/salsa20-crypt.asm
index cc1d58ca..e0348956 100644
--- a/x86_64/salsa20-crypt.asm
+++ b/x86_64/salsa20-crypt.asm
@@ -245,3 +245,4 @@ PROLOGUE(nettle_salsa20_crypt)
ret
EPILOGUE(nettle_salsa20_crypt)
+GNU_CET_SECTION()
diff --git a/x86_64/serpent-decrypt.asm b/x86_64/serpent-decrypt.asm
index 031c41c8..5f03fa4b 100644
--- a/x86_64/serpent-decrypt.asm
+++ b/x86_64/serpent-decrypt.asm
@@ -714,3 +714,4 @@ PROLOGUE(nettle_serpent_decrypt)
W64_EXIT(4, 13)
ret
EPILOGUE(nettle_serpent_decrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/serpent-encrypt.asm b/x86_64/serpent-encrypt.asm
index 99cba00c..6bee5d18 100644
--- a/x86_64/serpent-encrypt.asm
+++ b/x86_64/serpent-encrypt.asm
@@ -749,3 +749,4 @@ C parallell.
W64_EXIT(4, 13)
ret
EPILOGUE(nettle_serpent_encrypt)
+GNU_CET_SECTION()
diff --git a/x86_64/sha1-compress.asm b/x86_64/sha1-compress.asm
index dd48de0e..54dfa313 100644
--- a/x86_64/sha1-compress.asm
+++ b/x86_64/sha1-compress.asm
@@ -305,3 +305,4 @@ PROLOGUE(nettle_sha1_compress)
W64_EXIT(2, 0)
ret
EPILOGUE(nettle_sha1_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/sha256-compress.asm b/x86_64/sha256-compress.asm
index 5b7d0dcd..8dbccc5b 100644
--- a/x86_64/sha256-compress.asm
+++ b/x86_64/sha256-compress.asm
@@ -208,3 +208,4 @@ PROLOGUE(_nettle_sha256_compress)
W64_EXIT(3, 0)
ret
EPILOGUE(_nettle_sha256_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/sha3-permute.asm b/x86_64/sha3-permute.asm
index 805b59af..a4d0cf0b 100644
--- a/x86_64/sha3-permute.asm
+++ b/x86_64/sha3-permute.asm
@@ -107,6 +107,7 @@ define(<ROTL64>, <
C sha3_permute(struct sha3_state *ctx)
.text
+GNU_CET_SECTION()
ALIGN(16)
PROLOGUE(nettle_sha3_permute)
W64_ENTRY(1, 16)
diff --git a/x86_64/sha512-compress.asm b/x86_64/sha512-compress.asm
index 4ff1f32a..37563e93 100644
--- a/x86_64/sha512-compress.asm
+++ b/x86_64/sha512-compress.asm
@@ -208,3 +208,4 @@ PROLOGUE(_nettle_sha512_compress)
W64_EXIT(3, 0)
ret
EPILOGUE(_nettle_sha512_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/sha_ni/sha1-compress.asm b/x86_64/sha_ni/sha1-compress.asm
index ab848fdd..3cbca5e2 100644
--- a/x86_64/sha_ni/sha1-compress.asm
+++ b/x86_64/sha_ni/sha1-compress.asm
@@ -146,3 +146,4 @@ PROLOGUE(nettle_sha1_compress)
W64_EXIT(2, 10)
ret
EPILOGUE(nettle_sha1_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/sha_ni/sha256-compress.asm b/x86_64/sha_ni/sha256-compress.asm
index f2a4bd32..f9fe3757 100644
--- a/x86_64/sha_ni/sha256-compress.asm
+++ b/x86_64/sha_ni/sha256-compress.asm
@@ -173,3 +173,4 @@ PROLOGUE(_nettle_sha256_compress)
W64_EXIT(3, 10)
ret
EPILOGUE(_nettle_sha256_compress)
+GNU_CET_SECTION()
diff --git a/x86_64/umac-nh-n.asm b/x86_64/umac-nh-n.asm
index ecb6396a..195d5886 100644
--- a/x86_64/umac-nh-n.asm
+++ b/x86_64/umac-nh-n.asm
@@ -273,3 +273,4 @@ PROLOGUE(_nettle_umac_nh_n)
W64_EXIT(5, 14)
ret
EPILOGUE(_nettle_umac_nh_n)
+GNU_CET_SECTION()
diff --git a/x86_64/umac-nh.asm b/x86_64/umac-nh.asm
index a6938e02..7bfc87ba 100644
--- a/x86_64/umac-nh.asm
+++ b/x86_64/umac-nh.asm
@@ -79,3 +79,4 @@ PROLOGUE(_nettle_umac_nh)
W64_EXIT(3, 7)
ret
EPILOGUE(_nettle_umac_nh)
+GNU_CET_SECTION()
--
2.20.1
From aab5f9215cb23da631c3c988c7765b1790079f41 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Sat, 27 Apr 2019 10:44:27 -0400
Subject: [PATCH 4/4] WIP
---
arm/machine.m4 | 3 +++
asm.m4 | 2 +-
config.m4.in | 2 +-
configure.ac | 7 -------
sparc32/machine.m4 | 2 ++
sparc64/machine.m4 | 3 +++
x86/aes-decrypt-internal.asm | 1 -
x86/aes-encrypt-internal.asm | 1 -
x86/arcfour-crypt.asm | 1 -
x86/camellia-crypt-internal.asm | 1 -
x86/machine.m4 | 4 +++-
x86/md5-compress.asm | 1 -
x86/sha1-compress.asm | 1 -
x86_64/aes-decrypt-internal.asm | 1 -
x86_64/aes-encrypt-internal.asm | 1 -
x86_64/aesni/aes-decrypt-internal.asm | 1 -
x86_64/aesni/aes-encrypt-internal.asm | 1 -
x86_64/camellia-crypt-internal.asm | 1 -
x86_64/chacha-core-internal.asm | 1 -
x86_64/fat/cpuid.asm | 2 +-
x86_64/gcm-hash8.asm | 1 -
x86_64/machine.m4 | 4 +++-
x86_64/md5-compress.asm | 1 -
x86_64/memxor.asm | 1 -
x86_64/memxor3.asm | 1 -
x86_64/poly1305-internal.asm | 1 -
x86_64/salsa20-core-internal.asm | 1 -
x86_64/salsa20-crypt.asm | 1 -
x86_64/serpent-decrypt.asm | 1 -
x86_64/serpent-encrypt.asm | 1 -
x86_64/sha1-compress.asm | 1 -
x86_64/sha256-compress.asm | 1 -
x86_64/sha3-permute.asm | 1 -
x86_64/sha512-compress.asm | 1 -
x86_64/sha_ni/sha1-compress.asm | 1 -
x86_64/sha_ni/sha256-compress.asm | 1 -
x86_64/umac-nh-n.asm | 1 -
x86_64/umac-nh.asm | 1 -
38 files changed, 17 insertions(+), 41 deletions(-)
diff --git a/arm/machine.m4 b/arm/machine.m4
index f982a66a..6c4801ef 100644
--- a/arm/machine.m4
+++ b/arm/machine.m4
@@ -54,3 +54,6 @@ define(<D1REG>, <ifelse(
$1, q14, d29,
$1, q15, d31,
<NO REGISTER>)>)dnl
+
+define(<GNU_PROPERTY_NOTES>, <>)
+define(<CODEFROM>, <>)
diff --git a/asm.m4 b/asm.m4
index 5a5d4ac2..cc31d97c 100644
--- a/asm.m4
+++ b/asm.m4
@@ -33,7 +33,7 @@ define(<PROLOGUE>,
<.globl C_NAME($1)
DECLARE_FUNC(C_NAME($1))
C_NAME($1):
-CET_ENDBR>)
+CODEFROM()>)
define(<EPILOGUE>,
<ifelse(ELF_STYLE,yes,
diff --git a/config.m4.in b/config.m4.in
index c3ebad60..90796f26 100644
--- a/config.m4.in
+++ b/config.m4.in
@@ -9,7 +9,7 @@ define(<W64_ABI>, <@W64_ABI@>)dnl
define(<RODATA>, <@ASM_RODATA@>)dnl
define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl
define(<CET_PROTECTION>, <@ASM_CET_PROTECTION@>)dnl
-define(<CET_ENDBR>, <@ASM_CET_ENDBR@>)dnl
divert(1)
@ASM_MARK_NOEXEC_STACK@
+GNU_PROPERTY_NOTES()
divert
diff --git a/configure.ac b/configure.ac
index 7beb35d9..aba942ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -706,7 +706,6 @@ ASM_TYPE_FUNCTION='@function'
ASM_TYPE_PROGBITS='@progbits'
ASM_MARK_NOEXEC_STACK=''
ASM_CET_PROTECTION='no'
-ASM_CET_ENDBR=''
ASM_ALIGN_LOG=''
ASM_GEN_BUILD_NOTES=''
@@ -842,11 +841,6 @@ EOF
if test "x$enable_cet_protection" = xyes ; then
ASM_CET_PROTECTION=yes
- if test "$ABI" = 64 ; then
- ASM_CET_ENDBR=endbr64
- else
- ASM_CET_ENDBR=endbr32
- fi
fi
fi
@@ -861,7 +855,6 @@ AC_SUBST(W64_ABI)
AC_SUBST(ASM_WORDS_BIGENDIAN)
AC_SUBST(ASM_GEN_BUILD_NOTES)
AC_SUBST(ASM_CET_PROTECTION)
-AC_SUBST(ASM_CET_ENDBR)
AC_SUBST(EMULATOR)
AC_SUBST(LIBNETTLE_MAJOR)
diff --git a/sparc32/machine.m4 b/sparc32/machine.m4
index e69de29b..59b43f8a 100644
--- a/sparc32/machine.m4
+++ b/sparc32/machine.m4
@@ -0,0 +1,2 @@
+define(<GNU_PROPERTY_NOTES>, <>)
+define(<CODEFROM>, <>)
diff --git a/sparc64/machine.m4 b/sparc64/machine.m4
index 4c1c0e5a..fe5cf5ef 100644
--- a/sparc64/machine.m4
+++ b/sparc64/machine.m4
@@ -2,3 +2,6 @@ define(<BIAS>, 2047) C Magic stack bias for the Sparc64 ABI
.register %g2,#scratch
.register %g3,#scratch
+
+define(<GNU_PROPERTY_NOTES>, <>)
+define(<CODEFROM>, <>)
diff --git a/x86/aes-decrypt-internal.asm b/x86/aes-decrypt-internal.asm
index 1d16f6db..ff535b6a 100644
--- a/x86/aes-decrypt-internal.asm
+++ b/x86/aes-decrypt-internal.asm
@@ -175,4 +175,3 @@ PROLOGUE(_nettle_aes_decrypt)
popl %ebx
ret
EPILOGUE(_nettle_aes_decrypt)
-GNU_CET_SECTION()
diff --git a/x86/aes-encrypt-internal.asm b/x86/aes-encrypt-internal.asm
index d9579e04..934158f7 100644
--- a/x86/aes-encrypt-internal.asm
+++ b/x86/aes-encrypt-internal.asm
@@ -175,4 +175,3 @@ PROLOGUE(_nettle_aes_encrypt)
popl %ebx
ret
EPILOGUE(_nettle_aes_encrypt)
-GNU_CET_SECTION()
diff --git a/x86/arcfour-crypt.asm b/x86/arcfour-crypt.asm
index 11f592e7..df3fe869 100644
--- a/x86/arcfour-crypt.asm
+++ b/x86/arcfour-crypt.asm
@@ -123,4 +123,3 @@ C .Lloop_done:
popl %ebx
ret
EPILOGUE(nettle_arcfour_crypt)
-GNU_CET_SECTION()
diff --git a/x86/camellia-crypt-internal.asm b/x86/camellia-crypt-internal.asm
index afac1fcc..ce8c57f0 100644
--- a/x86/camellia-crypt-internal.asm
+++ b/x86/camellia-crypt-internal.asm
@@ -223,4 +223,3 @@ PROLOGUE(_nettle_camellia_crypt)
popl %ebx
ret
EPILOGUE(_nettle_camellia_crypt)
-GNU_CET_SECTION()
diff --git a/x86/machine.m4 b/x86/machine.m4
index 1153c757..9341d837 100644
--- a/x86/machine.m4
+++ b/x86/machine.m4
@@ -29,7 +29,7 @@ dnl Shadow Stack
define(<GNU_PROPERTY_X86_FEATURE_1_SHSTK>, <0x02>)
dnl NOTE: GNU Property sections MUST have alignment of 8
-define(<GNU_CET_SECTION>,
+define(<GNU_PROPERTY_NOTES>,
<ifelse(CET_PROTECTION,yes,
<.pushsection .note.gnu.property,"a"
ALIGN(8)
@@ -49,3 +49,5 @@ ALIGN(8)
4:
.popsection
>,<>)>)
+
+define(<CODEFROM>, <ifelse(CET_PROTECTION,yes,<endbr32>,<>)>)
diff --git a/x86/md5-compress.asm b/x86/md5-compress.asm
index 6293f052..c849c082 100644
--- a/x86/md5-compress.asm
+++ b/x86/md5-compress.asm
@@ -185,4 +185,3 @@ PROLOGUE(nettle_md5_compress)
popl %ebx
ret
EPILOGUE(nettle_md5_compress)
-GNU_CET_SECTION()
diff --git a/x86/sha1-compress.asm b/x86/sha1-compress.asm
index 4e1f121c..03bdcdc9 100644
--- a/x86/sha1-compress.asm
+++ b/x86/sha1-compress.asm
@@ -1541,7 +1541,6 @@ C ROUND_F2(SB, SC, SD, SE, SA, 79, K4VALUE)
popl %ebx
ret
EPILOGUE(nettle_sha1_compress)
-GNU_CET_SECTION()
C TODO:
diff --git a/x86_64/aes-decrypt-internal.asm b/x86_64/aes-decrypt-internal.asm
index eedfaaf0..43f2f394 100644
--- a/x86_64/aes-decrypt-internal.asm
+++ b/x86_64/aes-decrypt-internal.asm
@@ -150,4 +150,3 @@ PROLOGUE(_nettle_aes_decrypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_aes_decrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/aes-encrypt-internal.asm b/x86_64/aes-encrypt-internal.asm
index 3a5a1e86..dfb498f5 100644
--- a/x86_64/aes-encrypt-internal.asm
+++ b/x86_64/aes-encrypt-internal.asm
@@ -151,4 +151,3 @@ PROLOGUE(_nettle_aes_encrypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_aes_encrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/aesni/aes-decrypt-internal.asm b/x86_64/aesni/aes-decrypt-internal.asm
index 1b1a1a4d..3d6d6e30 100644
--- a/x86_64/aesni/aes-decrypt-internal.asm
+++ b/x86_64/aesni/aes-decrypt-internal.asm
@@ -132,4 +132,3 @@ PROLOGUE(_nettle_aes_decrypt)
W64_EXIT(6, 16)
ret
EPILOGUE(_nettle_aes_decrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/aesni/aes-encrypt-internal.asm b/x86_64/aesni/aes-encrypt-internal.asm
index f7338ef6..99caf1f8 100644
--- a/x86_64/aesni/aes-encrypt-internal.asm
+++ b/x86_64/aesni/aes-encrypt-internal.asm
@@ -132,4 +132,3 @@ PROLOGUE(_nettle_aes_encrypt)
W64_EXIT(6, 16)
ret
EPILOGUE(_nettle_aes_encrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/camellia-crypt-internal.asm b/x86_64/camellia-crypt-internal.asm
index 71750172..040e030f 100644
--- a/x86_64/camellia-crypt-internal.asm
+++ b/x86_64/camellia-crypt-internal.asm
@@ -200,4 +200,3 @@ PROLOGUE(_nettle_camellia_crypt)
W64_EXIT(6, 0)
ret
EPILOGUE(_nettle_camellia_crypt)
-GNU_CET_SECTION()
diff --git a/x86_64/chacha-core-internal.asm b/x86_64/chacha-core-internal.asm
index 3125dee7..9e5dc394 100644
--- a/x86_64/chacha-core-internal.asm
+++ b/x86_64/chacha-core-internal.asm
@@ -126,4 +126,3 @@ PROLOGUE(_nettle_chacha_core)
W64_EXIT(3, 6)
ret
EPILOGUE(_nettle_chacha_core)
-GNU_CET_SECTION()
diff --git a/x86_64/fat/cpuid.asm b/x86_64/fat/cpuid.asm
index c4a5b538..f317d56e 100644
--- a/x86_64/fat/cpuid.asm
+++ b/x86_64/fat/cpuid.asm
@@ -56,4 +56,4 @@ PROLOGUE(_nettle_cpuid)
W64_EXIT(2)
ret
EPILOGUE(_nettle_cpuid)
-GNU_CET_SECTION()
+
diff --git a/x86_64/gcm-hash8.asm b/x86_64/gcm-hash8.asm
index 54608ae8..bfaa6ef8 100644
--- a/x86_64/gcm-hash8.asm
+++ b/x86_64/gcm-hash8.asm
@@ -199,7 +199,6 @@ ALIGN(16)
jnz .Lread_loop
ret
EPILOGUE(_nettle_gcm_hash8)
-GNU_CET_SECTION()
define(<W>, <0x$2$1>)
RODATA
diff --git a/x86_64/machine.m4 b/x86_64/machine.m4
index a64241ce..1c07665d 100644
--- a/x86_64/machine.m4
+++ b/x86_64/machine.m4
@@ -186,7 +186,7 @@ dnl Shadow Stack
define(<GNU_PROPERTY_X86_FEATURE_1_SHSTK>, <0x02>)
dnl NOTE: GNU Property sections MUST have alignment of 8
-define(<GNU_CET_SECTION>,
+define(<GNU_PROPERTY_NOTES>,
<ifelse(CET_PROTECTION,yes,
<.pushsection .note.gnu.property,"a"
ALIGN(8)
@@ -206,3 +206,5 @@ ALIGN(8)
4:
.popsection
>,<>)>)
+
+define(<CODEFROM>, <ifelse(CET_PROTECTION,yes,<endbr64>,<>)>)
diff --git a/x86_64/md5-compress.asm b/x86_64/md5-compress.asm
index ef1fcb89..182b8f18 100644
--- a/x86_64/md5-compress.asm
+++ b/x86_64/md5-compress.asm
@@ -174,4 +174,3 @@ PROLOGUE(nettle_md5_compress)
ret
EPILOGUE(nettle_md5_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/memxor.asm b/x86_64/memxor.asm
index a0ea94b4..f07f0017 100644
--- a/x86_64/memxor.asm
+++ b/x86_64/memxor.asm
@@ -171,4 +171,3 @@ ifdef(<USE_SSE2>, <
>)
EPILOGUE(nettle_memxor)
-GNU_CET_SECTION()
diff --git a/x86_64/memxor3.asm b/x86_64/memxor3.asm
index b0c0e35c..8ff3e79c 100644
--- a/x86_64/memxor3.asm
+++ b/x86_64/memxor3.asm
@@ -261,4 +261,3 @@ ifelse(USE_SSE2, yes, <
EPILOGUE(nettle_memxor3)
-GNU_CET_SECTION()
diff --git a/x86_64/poly1305-internal.asm b/x86_64/poly1305-internal.asm
index 3737450f..98159ad3 100644
--- a/x86_64/poly1305-internal.asm
+++ b/x86_64/poly1305-internal.asm
@@ -184,4 +184,3 @@ define(<T1>, <%rax>)
ret
EPILOGUE(nettle_poly1305_digest)
-GNU_CET_SECTION()
diff --git a/x86_64/salsa20-core-internal.asm b/x86_64/salsa20-core-internal.asm
index c1690880..4ef07be0 100644
--- a/x86_64/salsa20-core-internal.asm
+++ b/x86_64/salsa20-core-internal.asm
@@ -109,4 +109,3 @@ PROLOGUE(_nettle_salsa20_core)
W64_EXIT(3, 9)
ret
EPILOGUE(_nettle_salsa20_core)
-GNU_CET_SECTION()
diff --git a/x86_64/salsa20-crypt.asm b/x86_64/salsa20-crypt.asm
index e0348956..cc1d58ca 100644
--- a/x86_64/salsa20-crypt.asm
+++ b/x86_64/salsa20-crypt.asm
@@ -245,4 +245,3 @@ PROLOGUE(nettle_salsa20_crypt)
ret
EPILOGUE(nettle_salsa20_crypt)
-GNU_CET_SECTION()
diff --git a/x86_64/serpent-decrypt.asm b/x86_64/serpent-decrypt.asm
index 5f03fa4b..031c41c8 100644
--- a/x86_64/serpent-decrypt.asm
+++ b/x86_64/serpent-decrypt.asm
@@ -714,4 +714,3 @@ PROLOGUE(nettle_serpent_decrypt)
W64_EXIT(4, 13)
ret
EPILOGUE(nettle_serpent_decrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/serpent-encrypt.asm b/x86_64/serpent-encrypt.asm
index 6bee5d18..99cba00c 100644
--- a/x86_64/serpent-encrypt.asm
+++ b/x86_64/serpent-encrypt.asm
@@ -749,4 +749,3 @@ C parallell.
W64_EXIT(4, 13)
ret
EPILOGUE(nettle_serpent_encrypt)
-GNU_CET_SECTION()
diff --git a/x86_64/sha1-compress.asm b/x86_64/sha1-compress.asm
index 54dfa313..dd48de0e 100644
--- a/x86_64/sha1-compress.asm
+++ b/x86_64/sha1-compress.asm
@@ -305,4 +305,3 @@ PROLOGUE(nettle_sha1_compress)
W64_EXIT(2, 0)
ret
EPILOGUE(nettle_sha1_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/sha256-compress.asm b/x86_64/sha256-compress.asm
index 8dbccc5b..5b7d0dcd 100644
--- a/x86_64/sha256-compress.asm
+++ b/x86_64/sha256-compress.asm
@@ -208,4 +208,3 @@ PROLOGUE(_nettle_sha256_compress)
W64_EXIT(3, 0)
ret
EPILOGUE(_nettle_sha256_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/sha3-permute.asm b/x86_64/sha3-permute.asm
index a4d0cf0b..805b59af 100644
--- a/x86_64/sha3-permute.asm
+++ b/x86_64/sha3-permute.asm
@@ -107,7 +107,6 @@ define(<ROTL64>, <
C sha3_permute(struct sha3_state *ctx)
.text
-GNU_CET_SECTION()
ALIGN(16)
PROLOGUE(nettle_sha3_permute)
W64_ENTRY(1, 16)
diff --git a/x86_64/sha512-compress.asm b/x86_64/sha512-compress.asm
index 37563e93..4ff1f32a 100644
--- a/x86_64/sha512-compress.asm
+++ b/x86_64/sha512-compress.asm
@@ -208,4 +208,3 @@ PROLOGUE(_nettle_sha512_compress)
W64_EXIT(3, 0)
ret
EPILOGUE(_nettle_sha512_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/sha_ni/sha1-compress.asm b/x86_64/sha_ni/sha1-compress.asm
index 3cbca5e2..ab848fdd 100644
--- a/x86_64/sha_ni/sha1-compress.asm
+++ b/x86_64/sha_ni/sha1-compress.asm
@@ -146,4 +146,3 @@ PROLOGUE(nettle_sha1_compress)
W64_EXIT(2, 10)
ret
EPILOGUE(nettle_sha1_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/sha_ni/sha256-compress.asm b/x86_64/sha_ni/sha256-compress.asm
index f9fe3757..f2a4bd32 100644
--- a/x86_64/sha_ni/sha256-compress.asm
+++ b/x86_64/sha_ni/sha256-compress.asm
@@ -173,4 +173,3 @@ PROLOGUE(_nettle_sha256_compress)
W64_EXIT(3, 10)
ret
EPILOGUE(_nettle_sha256_compress)
-GNU_CET_SECTION()
diff --git a/x86_64/umac-nh-n.asm b/x86_64/umac-nh-n.asm
index 195d5886..ecb6396a 100644
--- a/x86_64/umac-nh-n.asm
+++ b/x86_64/umac-nh-n.asm
@@ -273,4 +273,3 @@ PROLOGUE(_nettle_umac_nh_n)
W64_EXIT(5, 14)
ret
EPILOGUE(_nettle_umac_nh_n)
-GNU_CET_SECTION()
diff --git a/x86_64/umac-nh.asm b/x86_64/umac-nh.asm
index 7bfc87ba..a6938e02 100644
--- a/x86_64/umac-nh.asm
+++ b/x86_64/umac-nh.asm
@@ -79,4 +79,3 @@ PROLOGUE(_nettle_umac_nh)
W64_EXIT(3, 7)
ret
EPILOGUE(_nettle_umac_nh)
-GNU_CET_SECTION()
--
2.20.1
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
