On Sat, Mar 7, 2020 at 12:29 PM Jeffrey Walton <noloa...@gmail.com> wrote:
>
> On Sat, Mar 7, 2020 at 11:49 AM Niels Möller <ni...@lysator.liu.se> wrote:
> >
> > "H.J. Lu" <hjl.to...@gmail.com> writes:
> >
> > > Intel Control-flow Enforcement Technology (CET):
> > >
> > > https://software.intel.com/en-us/articles/intel-sdm
> > >
> > > contains shadow stack (SHSTK) and indirect branch tracking (IBT).  When
> > > CET is enabled, ELF object files must be marked with .note.gnu.property
> > > section.  Also when IBT is enabled, all indirect branch targets must
> > > start with ENDBR instruction.
> > >
> > > This patch adds X86_ENDBR and the CET marker to config.m4.in when CET
> > > is enabled.  It updates PROLOGUE with X86_ENDBR.
> >
> > I'd like to have a look at what gcc produces. How is it enabled with
> > gcc? In the docs, I find
> >
> >   -mshstk
> >
> >     The -mshstk option enables shadow stack built-in functions from x86
> >     Control-flow Enforcement Technology (CET).
> >
> > but when I try compiling a trivial function,
> >
> >   $ cat foo-cet.c
> >   int foo(void) {return 0;}
> >   $ gcc -save-temps -c -mshstk foo-cet.c
> >
> > I get no endbr instruction and no note in the foo-cet.s. I'm using
> > gcc-8.3. I do get an
> >
> >   .section .note.GNU-stack,"",@progbits
>
> I use -fcf-protection=full -mcet to determine if CET is available in
> the compiler. (And subsequently run a test with the shadow stack
> enabled).
>
> I have not used -mshstk, but I may be testing for CET incorrectly.

By the way, I think I lifted those flags from
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
. I enabled it several years ago, so I could be mistaken.

Jeff
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
