On Thu, 2018-06-07 at 11:48 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> wrote: > > > > The following operations are provided. > > > > ARCH_CET_STATUS: > > return the current CET status > > > > ARCH_CET_DISABLE: > > disable CET features > > > > ARCH_CET_LOCK: > > lock out CET features > > > > ARCH_CET_EXEC: > > set CET features for exec() > > > > ARCH_CET_ALLOC_SHSTK: > > allocate a new shadow stack > > > > ARCH_CET_PUSH_SHSTK: > > put a return address on shadow stack > > > > ARCH_CET_ALLOC_SHSTK and ARCH_CET_PUSH_SHSTK are intended only for > > the implementation of GLIBC ucontext related APIs. > > Please document exactly what these all do and why. I don't understand > what purpose ARCH_CET_LOCK and ARCH_CET_EXEC serve. CET is opt in for > each ELF program, so I think there should be no need for a magic > override. CET is initially enabled if the loader has CET capability. Then the loader decides if the application can run with CET. If the application cannot run with CET (e.g. a dependent library does not have CET), then the loader turns off CET before passing to the application. When the loader is done, it locks out CET and the feature cannot be turned off anymore until the next exec() call. When the next exec() is called, CET feature is turned on/off based on the values set by ARCH_CET_EXEC. I will put more details in Documentation/x86/intel_cet.txt.
