Enable building target run-time libraries with control-flow instrumentation, see -fcf-protection option. When –enable-cet is specified target libraries are configured to add -fcf-protection and, if needed, other target specific options to a set of building options.
--enable-cet=auto is default. CET is enabled on Linux/x86 if target binutils supports Intel CET instructions and disabled otherwise. In this case, the target libraries are configured to get additional -fcf-protection option.
DrahtBot
commented at 11:29 am on July 12, 2024:
contributor
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
hebasto
commented at 9:44 am on August 21, 2024:
member
I don’t think that enabling CET for GCC alone will work. Shouldn’t binutils and glibc also be CET-enabled?
fanquake
commented at 9:51 am on August 21, 2024:
member
will work.
What do you mean by “work” here? This PR is just explicitly turning on one option in the compiler.
Shouldn’t binutils … also be CET-enabled?
What is a CET-enbled binutils? If you mean it supporting CET functionality, then it is new enough.
glibc also be CET-enabled?
Last time I looked, glibc will autodetect this based on the compiler (we could still enable it explictly, but it’s not clear that is required).
hebasto
commented at 10:18 am on August 21, 2024:
member
will work.
What do you mean by “work” here?
By “work” I mean producing x86_64 binaries with the IBT and SHSTK markers in the .note.gnu.property section.
hebasto
commented at 11:24 am on August 21, 2024:
member
Shouldn’t binutils … also be CET-enabled?
What is a CET-enbled binutils?
Configured with --enable-cet option.
If you mean it supporting CET functionality, then it is new enough.
As for commit 7bf1d7aeaffba15c4f680f93ae88fbef25427252, Guix provides binutils versions 2.38 and 2.33.1. According to the upstream commit history, both versions support Intel CET.
fanquake
commented at 11:32 am on August 21, 2024:
member
Configured with –enable-cet option.
Similar to glibc, I’m pretty sure this autodetected for some time, but has has been the default behaviour for at least the last ~5 years; so I don’t think we need to do anything here (further evidenced by the fact that there is no binutils such change in #30685).
hebasto
commented at 12:32 pm on August 21, 2024:
member
I don’t think we need to do anything here
In the current state, the statement from the PR description:
CET is enabled on Linux/x86
is not accurate.
fanquake
commented at 10:56 am on August 23, 2024:
member
the statement from the PR description:
is not accurate.
That text is from the GCC documentation, and in this context, of, the compiler being configured for CET, after configuring with --enable-cet, as far as I’m aware, it is accurate. If you think it isn’t, can you file an issue upstream, and link it here it?
The point of this PR has never been to add any additional metadata to the binaries/make any other changes, the point is just to explictly use the hardening option when configuring our compiler (like we do with other options).
hebasto
commented at 12:11 pm on August 26, 2024:
member
The point of this PR has never been to add any additional metadata to the binaries/make any other changes, the point is just to explictly use the hardening option when configuring our compiler (like we do with other options).
I see. Perhaps mention in the PR description that the resulting release binaries are not affected?
fanquake force-pushed
on Aug 28, 2024
fanquake marked this as a draft
on Aug 28, 2024
fanquake force-pushed
on Aug 30, 2024
fanquake force-pushed
on Aug 30, 2024
fanquake force-pushed
on Sep 3, 2024
fanquake marked this as ready for review
on Sep 3, 2024
fanquake added the label
DrahtBot Guix build requested
on Sep 3, 2024
DrahtBot
commented at 3:10 am on September 4, 2024:
contributor
Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]
DrahtBot removed the label
DrahtBot Guix build requested
on Sep 4, 2024
guix: build Linux GCC with --enable-cet
Similar to #29695, and in the same vein of explicitly configuring
hardening options in our release toolchain.
See https://gcc.gnu.org/install/configure.html:
> Enable building target run-time libraries with control-flow instrumentation,
> see `-fcf-protection option`. When --enable-cet is specified target
> libraries are configured to add `-fcf-protection` and, if needed,
> other target specific options to a set of building options.
> `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target
> binutils supports Intel CET instructions and disabled otherwise.
> In this case, the target libraries are configured to get additional
> `-fcf-protection` option.
89bf11b807
fanquake force-pushed
on Sep 13, 2024
fanquake
commented at 12:05 pm on September 13, 2024:
member
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2024-12-22 06:12 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me