[PATCH 07/22] Enable building libgcc with CET options.

H.J. Lu hjl.tools@gmail.com
Wed Nov 8 23:25:00 GMT 2017


On Wed, Nov 8, 2017 at 3:04 PM, Jeff Law <law@redhat.com> wrote:
> On 11/08/2017 03:06 PM, Tsimbalist, Igor V wrote:
>>> So the question I have WRT this patch is the default setting.  If I
>>> understand it correctly, if the assembler supports the appropriate
>>> insns, then we enable building target libraries with CET by default.
>>
>> That's right.
>>
>>> These libraries continue to work on older systems without CET
>>> capabilities because the CET specific instructions are interpreted as
>>> NOPs on older hardware, right?
>>
>> That's correct. One specific note though. The endbr and rdssp instructions
>> will be treated as NOPs. Incssp instruction generated by the compiler or
>> used in the library will be guarded not to be executed if CET features are
>> not enabled.
> OK.
>
>>
>>> What about cases where we're running on CET capable hardware, the main
>>> program gets compiled without CET, but links against a libgcc with CET.
>>> What happens in that case?
>>
>> All object files and libraries must have the CET property set to make the
>> whole application CET capable. In your case the program will not be CET
>> capable.
> Doesn't this imply that other components (linker, dynamic linker) are
> working together to verify that the entire application and DSO are
> compiled with CET?  What happens when a CET capable application dl-opens
> a DSO which is not CET safe?  Does the dynamic linker disable CET at
> that point?

GNU_PROPERTY_X86_FEATURE_1_IBT is added to GNU program property to
indicate that all executable sections are compatible with IBT when
ENDBR instruction starts each valid target where an indirect branch
instruction can land.  GNU_PROPERTY_X86_FEATURE_1_IBT is set on output
only if it is set on all relocatable inputs.

On an IBT capable processor, the following steps should be taken:

1. When loading an executable without an interpreter, enable IBT and
lock IBT if GNU_PROPERTY_X86_FEATURE_1_IBT is set on the executable.
2. When loading an executable with an interpreter, enable IBT if
GNU_PROPERTY_X86_FEATURE_1_IBT is set on the interpreter.
  a. If GNU_PROPERTY_X86_FEATURE_1_IBT isn't set on the executable,
     disable IBT.
  b. Lock IBT.
3. If IBT is enabled, when loading a shared object without
GNU_PROPERTY_X86_FEATURE_1_IBT:
  a. If legacy interwork is allowed, then mark all pages in executable
     PT_LOAD segments in legacy code page bitmap.  Failure of legacy code
     page bitmap allocation causes an error.
  b. If legacy interwork isn't allowed, it causes an error.

GNU_PROPERTY_X86_FEATURE_1_SHSTK is added to GNU program property to
indicate that all executable sections are compatible with SHSTK where
return address popped from shadow stack always matches return address
popped from normal stack.  GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on
output only if it is set on all relocatable inputs.

On a SHSTK capable processor, the following steps should be taken:

1. When loading an executable without an interpreter, enable SHSTK if
GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on the executable.
2. When loading an executable with an interpreter, enable SHSTK if
GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on the interpreter.
  a. If GNU_PROPERTY_X86_FEATURE_1_SHSTK isn't set on the executable
     or any shared objects loaded via the DT_NEEDED tag, disable SHSTK.
  b. Otherwise lock SHSTK.
3. After SHSTK is enabled, it is an error to load a shared object
without GNU_PROPERTY_X86_FEATURE_1_SHSTK.

When glibc is built with a CET-enabled compiler, CET is enabled by
default, unless --disable-cet is used to configure glibc.  When CET is
enabled, both compiler and assembler must support CET.  Otherwise, it
is a configure-time error.




-- 
H.J.