Mailing List Archive

[PATCH 0/4] x86: Enable Intel Control-flow Enforcement Technology (CET)
Intel Control-flow Enforcement Technology (CET):

https://software.intel.com/en-us/articles/intel-sdm

contains shadow stack (SHSTK) and indirect branch tracking (IBT). When
CET is enabled, ELF object files must be marked with a .note.gnu.property
section. A CET-enabled compiler provides <cet.h>, which can be included
in assembly sources to automatically generate the .note.gnu.property section.
Also, when IBT is enabled, all indirect branch targets must start with an
ENDBR instruction. <cet.h> defines _CET_ENDBR to generate the proper ENDBR
instruction.

Tested with

$ CC="gcc -Wl,-z,cet-report=error -fcf-protection" ./configure

in i686 and x86-64 modes on a Linux CET machine.

H.J. Lu (4):
  x86: Add .note.gnu.property section for Intel CET
  mpi: Add .note.gnu.property section for Intel CET
  amd64: Always include <config.h> in cipher assembly codes
  i386: Add _CET_ENDBR to indirect jump targets

 cipher/camellia-aesni-avx-amd64.S  |  3 ++-
 cipher/camellia-aesni-avx2-amd64.S |  3 ++-
 cipher/serpent-avx2-amd64.S        |  3 ++-
 configure.ac                       |  6 +++++
 mpi/config.links                   | 10 +++++++++
 mpi/i386/mpih-add1.S               | 35 ++++++++++++++++++++++++++++++
 mpi/i386/mpih-sub1.S               | 35 ++++++++++++++++++++++++++++++
 7 files changed, 92 insertions(+), 3 deletions(-)

--
2.24.1


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
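
Added example (not part of the thread or of the libgcrypt patches): a Python sketch that reads the x86 feature bits from the raw bytes of a .note.gnu.property section and models how the link step ANDs them across input objects, which is why a single unmarked assembly file is reported by -z cet-report=error. The function names and the sample notes are constructed for illustration; the input is assumed to be the section's raw little-endian bytes.

```python
import struct
from functools import reduce

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_NAMES = {0x1: "IBT", 0x2: "SHSTK"}

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_feature_1(section, elf64=True):
    """Feature bitmask from raw .note.gnu.property bytes (0 if absent)."""
    align = 8 if elf64 else 4          # properties pad to the ELF word size
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        desc = off + 12 + _align(namesz, 4)
        end = desc + descsz
        if end > len(section):
            raise ValueError("truncated note")
        name = section[off + 12:off + 12 + namesz]
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = desc
            while p + 8 <= end:
                pr_type, pr_datasz = struct.unpack_from("<II", section, p)
                if p + 8 + pr_datasz > end:
                    raise ValueError("truncated property")
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    return struct.unpack_from("<I", section, p + 8)[0]
                p += _align(8 + pr_datasz, align)
        off = _align(end, align)
    return 0

def linked_features(sections, elf64=True):
    """Model of the link step: masks are ANDed, a missing note counts as 0."""
    masks = [x86_feature_1(s, elf64) if s else 0 for s in sections]
    return reduce(lambda a, b: a & b, masks) if masks else 0

def names(mask):
    return sorted(n for bit, n in FEATURE_NAMES.items() if mask & bit)

def make_note(mask, elf64=True):  # constructed sample note carrying `mask`
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, mask)
    prop += b"\0" * 4 if elf64 else b""
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop

if __name__ == "__main__":
    print(names(linked_features([make_note(3), make_note(3)])))  # all objects marked
    print(names(linked_features([make_note(3), b""])))           # one unmarked .S file
```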
Re: [PATCH 0/4] x86: Enable Intel Control-flow Enforcement Technology (CET)
Hello,

On 17.1.2020 19.29, H.J. Lu via Gcrypt-devel wrote:
> Intel Control-flow Enforcement Technology (CET):
>
> https://software.intel.com/en-us/articles/intel-sdm
>
> contains shadow stack (SHSTK) and indirect branch tracking (IBT). When
> CET is enabled, ELF object files must be marked with a .note.gnu.property
> section. A CET-enabled compiler provides <cet.h>, which can be included
> in assembly sources to automatically generate the .note.gnu.property section.
> Also, when IBT is enabled, all indirect branch targets must start with an
> ENDBR instruction. <cet.h> defines _CET_ENDBR to generate the proper ENDBR
> instruction.

Thanks for your contribution. I've a few generic comments.

First, we need your signed DCO; please check 'License policy' in docs/HACKING.

In each patch, the commit log should start with ChangeLog entries without leading
TABs, followed by a separator line with -- and then the commit message. Check git
history for examples.

-Jussi


>
> Tested with
>
> $ CC="gcc -Wl,-z,cet-report=error -fcf-protection" ./configure
>
> in i686 and x86-64 modes on a Linux CET machine.
>
> H.J. Lu (4):
>   x86: Add .note.gnu.property section for Intel CET
>   mpi: Add .note.gnu.property section for Intel CET
>   amd64: Always include <config.h> in cipher assembly codes
>   i386: Add _CET_ENDBR to indirect jump targets
>
>  cipher/camellia-aesni-avx-amd64.S  |  3 ++-
>  cipher/camellia-aesni-avx2-amd64.S |  3 ++-
>  cipher/serpent-avx2-amd64.S        |  3 ++-
>  configure.ac                       |  6 +++++
>  mpi/config.links                   | 10 +++++++++
>  mpi/i386/mpih-add1.S               | 35 ++++++++++++++++++++++++++++++
>  mpi/i386/mpih-sub1.S               | 35 ++++++++++++++++++++++++++++++
>  7 files changed, 92 insertions(+), 3 deletions(-)
>


Re: [PATCH 0/4] x86: Enable Intel Control-flow Enforcement Technology (CET)
On Sun, Jan 19, 2020 at 1:20 AM Jussi Kivilinna <jussi.kivilinna@iki.fi> wrote:
>
> Hello,
>
> On 17.1.2020 19.29, H.J. Lu via Gcrypt-devel wrote:
> > Intel Control-flow Enforcement Technology (CET):
> >
> > https://software.intel.com/en-us/articles/intel-sdm
> >
> > contains shadow stack (SHSTK) and indirect branch tracking (IBT). When
> > CET is enabled, ELF object files must be marked with a .note.gnu.property
> > section. A CET-enabled compiler provides <cet.h>, which can be included
> > in assembly sources to automatically generate the .note.gnu.property section.
> > Also, when IBT is enabled, all indirect branch targets must start with an
> > ENDBR instruction. <cet.h> defines _CET_ENDBR to generate the proper ENDBR
> > instruction.
>
> Thanks for your contribution. I've a few generic comments.
>
> First, we need your signed DCO; please check 'License policy' in docs/HACKING.

Done:

https://lists.gnupg.org/pipermail/gcrypt-devel/2020-January/004889.html

> In each patch, the commit log should start with ChangeLog entries without leading
> TABs, followed by a separator line with -- and then the commit message. Check git
> history for examples.
>

Done:

https://lists.gnupg.org/pipermail/gcrypt-devel/2020-January/004891.html

Thanks.

--
H.J.
