[PATCH 0/4] x86: Enable Intel Control-flow Enforcement Technology (CET)

H.J. Lu hjl.tools at gmail.com
Fri Jan 17 18:29:52 CET 2020


Intel Control-flow Enforcement Technology (CET):

https://software.intel.com/en-us/articles/intel-sdm

contains shadow stack (SHSTK) and indirect branch tracking (IBT).  When
CET is enabled, ELF object files must be marked with a .note.gnu.property
section.  A CET-enabled compiler provides <cet.h>, which can be included
in assembly sources to automatically generate the .note.gnu.property section.
Also, when IBT is enabled, all indirect branch targets must start with an
ENDBR instruction.  <cet.h> defines _CET_ENDBR to generate the proper ENDBR
instruction.

Tested with

$ CC="gcc -Wl,-z,cet-report=error -fcf-protection" ./configure

in i686 and x86-64 modes on a Linux CET machine.

H.J. Lu (4):
  x86: Add .note.gnu.property section for Intel CET
  mpi: Add .note.gnu.property section for Intel CET
  amd64: Always include <config.h> in cipher assembly codes
  i386: Add _CET_ENDBR to indirect jump targets

 cipher/camellia-aesni-avx-amd64.S  |  3 ++-
 cipher/camellia-aesni-avx2-amd64.S |  3 ++-
 cipher/serpent-avx2-amd64.S        |  3 ++-
 configure.ac                       |  6 +++++
 mpi/config.links                   | 10 +++++++++
 mpi/i386/mpih-add1.S               | 35 ++++++++++++++++++++++++++++++
 mpi/i386/mpih-sub1.S               | 35 ++++++++++++++++++++++++++++++
 7 files changed, 92 insertions(+), 3 deletions(-)

-- 
2.24.1
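The marking requirement described in the cover letter can be checked by reading the note directly. The following is an added example, not code from the patch series or from libgcrypt: it parses the raw bytes of a `.note.gnu.property` section for the `GNU_PROPERTY_X86_FEATURE_1_AND` property and models, in simplified form, the AND rule under which one unmarked assembly object drops IBT and SHSTK from the linked output. The function names and the sample notes are constructed for illustration; section bytes are assumed little-endian and already extracted from the object file.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def cet_features(section, elf64=True):
    """Features declared in the raw bytes of one .note.gnu.property section."""
    align = 8 if elf64 else 4  # property notes use 8-byte units on ELF64, 4 on ELF32
    feats, off = set(), 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        desc = _align(off + 12 + namesz, align)
        end = desc + descsz
        if end > len(section):
            raise ValueError("truncated note")
        name = section[off + 12:off + 12 + namesz]
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = desc
            while p + 8 <= end:
                pr_type, pr_datasz = struct.unpack_from("<II", section, p)
                if p + 8 + pr_datasz > end:
                    raise ValueError("truncated property")
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    bits = struct.unpack_from("<I", section, p + 8)[0]
                    feats |= {n for b, n in FEATURE_BITS.items() if bits & b}
                p += 8 + _align(pr_datasz, align)
        off = _align(end, align)
    return feats

def linked_features(sections, elf64=True):
    """AND the feature sets of all inputs; None stands for an object with no note."""
    result = {"IBT", "SHSTK"}
    for s in sections:
        result &= cet_features(s, elf64) if s else set()
    return result

def make_note(bits, elf64=True):
    """Build a constructed sample note carrying one X86_FEATURE_1_AND property."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    prop += b"\0" * (_align(len(prop), 8 if elf64 else 4) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop

if __name__ == "__main__":
    c_obj, asm_marked, asm_unmarked = make_note(3), make_note(3), None
    print(sorted(linked_features([c_obj, asm_marked])))    # both features kept
    print(sorted(linked_features([c_obj, asm_unmarked])))  # unmarked object clears them
```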



