On Tue, Apr 27, 2021 at 01:47:17PM -0700, Yu-cheng Yu wrote: > From: "H.J. Lu" <hjl.tools@xxxxxxxxx> > > When Indirect Branch Tracking (IBT) is enabled, vDSO functions may be > called indirectly, and must have ENDBR32 or ENDBR64 as the first > instruction. The compiler must support -fcf-protection=branch so that it > can be used to compile vDSO. If you respin this, you can maybe rephrase this since CONFIG_X86_IBT has already tested for the compiler support. > > Signed-off-by: H.J. Lu <hjl.tools@xxxxxxxxx> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> > Cc: Andy Lutomirski <luto@xxxxxxxxxx> > Cc: Kees Cook <keescook@xxxxxxxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -Kees > --- > v24: > - Replace CONFIG_X86_CET with CONFIG_X86_IBT to reflect splitting of shadow > stack and ibt. > > arch/x86/entry/vdso/Makefile | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile > index 05c4abc2fdfd..a773a5f03b63 100644 > --- a/arch/x86/entry/vdso/Makefile > +++ b/arch/x86/entry/vdso/Makefile > @@ -93,6 +93,10 @@ endif > > $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) > > +ifdef CONFIG_X86_IBT > +$(vobjs) $(vobjs32): KBUILD_CFLAGS += -fcf-protection=branch > +endif > + > # > # vDSO code runs in userspace and -pg doesn't help with profiling anyway. > # > -- > 2.21.0 > -- Kees Cook
