On Mon, Mar 16, 2020 at 3:12 PM Jeffrey Walton <noloa...@gmail.com> wrote: > > On Mon, Mar 16, 2020 at 2:50 PM Niels Möller <ni...@lysator.liu.se> wrote: > > > > ... > > 2. What I tried to ask about in the message you reply to, was how to > > write a test within the Nettle testsuite, to verify that enabling CET > > really has effect on a test executable (on systems where it is > > expected to have effect). It's not obvious to me if and how the patch > > improves that. > > One more time to the list this time.... > > For the CET patch on Linux, use objdump -d to disassemble a file built > with CET. Then grep for ENDBR: > > count=$(objdump -d some_source.o | grep -i -c endbr) > if [ "$count" -eq 0 ]; then > echo "Failed to enable CET" > else > echo "CET is enabled" > fi > > You need a modern Binutils that supports ENDBR and ENDBR64. > > There are other instructions you can search for. See > https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-Hardware-Assisted-Control-Flow-Integrity-Enforcement.pdf. > For example to search for ENDBR, RDSSP and WRSSP" > > count=$(objdump -d some_source.o | grep -i -c -E 'endbr|rdssp|wrssp') > > I don't know if/how to check for CET on other platforms, like the > BSDs, OS X or Solaris. I know the tools to perform the disassembly, > but I don't know the other details.
I just came across this from Checksec. There may be an elf section named '.cfi' to inspect, too. Also see https://github.com/slimm609/checksec.sh/issues/118 . Jeff _______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs