Enable Intel CET support in assembler sources #56
hi, i'm adding the intel-qpl package to RedHat Linux per Intel request. RHEL (and probably other distributions) requires security features like Intel CET to be enabled for the executables shipped. This PR suggests enabling Intel CET for the resulting libqpl.so binary. could you please consider this PR for a possible inclusion? thank you.
gbtucker
left a comment
Thanks @nefigtut. I confirmed with the cet link checker that no objects are missing the cet flags after this is added.
cmake -S . -B build -DCMAKE_C_FLAGS="-fcf-protection=full" -DCMAKE_CXX_FLAGS="-fcf-protection=full" -DCMAKE_EXE_LINKER_FLAGS="-Wl,-z,cet-report=error" -DCMAKE_SHARED_LINKER_FLAGS="-Wl,-z,cet-report=error"
I'll run with internal CI and push through.
Can you add git sign-off to the commit? (sorry it's not listed in the Contributing doc yet)
sob added, thank you for a review, @gbtucker!
If Intel CET is enabled, add .note.gnu.property section with x86 assembly code which indicates IBT and SHSTK presence. This is required for ELF outputs to mark Intel CET support when Intel CET is enabled since all input files must be marked with Intel CET support in order for linker to mark output with Intel CET support.

The required ENDBR instructions were added by the upstream ISA-L commit cd888f01 (intel/isa-l@cd888f01) included in this copy of ISA-L code. The ISA-L upstream commit 57846f41 (https://github.com/intel/isa-l/commit/57846f41) which added a section needed is missing here, so add it.

The object files with an assembly code and the resulting library have proper flags in the proper section as a result:

    $ readelf -n sources/isal/igzip/encode_df.c.o sources/libqpl.so.1.9.0

    File: sources/isal/igzip/encode_df.c.o

    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: x86 feature: IBT, SHSTK

    File: sources/libqpl.so.1.9.0

    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: x86 feature: IBT, SHSTK

Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
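The marking rule from the commit message above, as an added example that is not part of the PR or the project's code: it parses raw `.note.gnu.property` bytes for the x86 feature mask and ANDs the masks of all inputs, so a single unmarked assembly object clears IBT and SHSTK in the output. The function names, object names and sample note bytes are constructed for illustration, and little-endian ELF64 layout is assumed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}

def _pad(n, align):
    return (n + align - 1) & ~(align - 1)

def x86_feature_1(section, align=8):
    """Feature mask from raw .note.gnu.property bytes (align=8 for ELF64).
    An object with no such section (empty bytes) yields 0."""
    off, mask = 0, 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        desc = _pad(off + 12 + namesz, align)
        end = desc + descsz
        if end > len(section):
            raise ValueError("truncated note")
        name = section[off + 12:off + 12 + namesz]
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = desc
            while p + 8 <= end:  # walk the property array in the descriptor
                pr_type, pr_datasz = struct.unpack_from("<II", section, p)
                if p + 8 + pr_datasz > end:
                    raise ValueError("truncated property")
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    mask |= struct.unpack_from("<I", section, p + 8)[0]
                p = _pad(p + 8 + pr_datasz, align)
        off = _pad(end, align)
    return mask

def linked_features(inputs):
    """AND the masks of every input object, as the linker does for this
    property: one unmarked input clears the bit in the output."""
    mask = 0x3
    for section in inputs.values():
        mask &= x86_feature_1(section)
    return [name for bit, name in FEATURE_BITS.items() if mask & bit]

# Constructed sample: the 0x10-byte descriptor readelf reports above.
CET_NOTE = struct.pack("<III4sIIII", 4, 0x10, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                       GNU_PROPERTY_X86_FEATURE_1_AND, 4, 0x3, 0)

if __name__ == "__main__":
    # Hypothetical object names; the second run models assembly without the note.
    print(linked_features({"c_code.o": CET_NOTE, "asm_marked.o": CET_NOTE}))
    print(linked_features({"c_code.o": CET_NOTE, "asm_unmarked.o": b""}))
```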
hi @gbtucker a small really minor syntax fix added, could you please re-review. i'm sorry for the noise.
gbtucker
left a comment
Looks fine. Waiting for internal CI tests.