Re: [PATCH v14 01/26] Documentation/x86: Add CET description

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/6/2020 9:34 AM, Borislav Petkov wrote:
On Mon, Oct 12, 2020 at 08:38:25AM -0700, Yu-cheng Yu wrote:
+[1] Overview
+============
+
+Control-flow Enforcement Technology (CET) is an Intel processor feature
+that provides protection against return/jump-oriented programming (ROP)
+attacks.  It can be set up to protect both applications and the kernel.
+Only user-mode protection is implemented in the 64-bit kernel, including
+support for running legacy 32-bit applications.
+
+CET introduces Shadow Stack and Indirect Branch Tracking.  Shadow stack is
+a secondary stack allocated from memory and cannot be directly modified by
+applications.  When executing a CALL, the processor pushes the return
				       ^
				    . .. instruction ...


I will update it.

[...]

+
+[2] Application Enabling
+========================
+
+An application's CET capability is marked in its ELF header and can be
+verified from the following command output, in the NT_GNU_PROPERTY_TYPE_0
+field:
+
+    readelf -n <application>

Can be verified how? What does it say for a CET-enabled executable? Put
it here in the doc pls.


readelf -n <application> | grep SHSTK
	properties: x86 feature: IBT, SHSTK

I will add this.

[...]

+[3] Backward Compatibility
+==========================
+
+GLIBC provides a few tunables for backward compatibility.
+
+GLIBC_TUNABLES=glibc.tune.hwcaps=-SHSTK,-IBT
+    Turn off SHSTK/IBT for the current shell.

For the current shell? How?

You mean, you execute the kernel shell with that variable set? So you
set this variable in any executable's env which links with glibc in
order to disable CET?

In any case, this needs clarification.


In the current shell, if GLIBC_TUNABLES variable is set as such, applications started will have CET features disabled. I can put more details here, or maybe a reference to the GLIBC man pages.

Thanks,
Yu-cheng



[Index of Archives]     [Linux Kernel]     [Kernel Newbies]     [x86 Platform Driver]     [Netdev]     [Linux Wireless]     [Netfilter]     [Bugtraq]     [Linux Filesystems]     [Yosemite Discussion]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]

  Powered by Linux