The 01/17/2022 11:01, H.J. Lu via Libc-alpha wrote:
> We are taking a different approach for CET enabling. CET will be
> changed to be enabled from user space:
>
> https://gitlab.com/x86-glibc/glibc/-/tree/users/hjl/cet/enable
>
> and the CET kernel no longer enables CET automatically:
>
> https://github.com/hjl-tools/linux/tree/hjl/cet%2F5.16.0-v4

We considered userspace handling of BTI in static exe and ld.so too.
At the time we wanted the protection to be on whenever BTI marked code
is executed, so it has to be enabled at program entry.

I no longer think that the entry code protection is very important, but
delaying mprotect for static exe does not fix our mprotect(*|PROT_EXEC)
problem with systemd.

I also don't immediately see where you deal with shadow stack allocation
for the main stack if it is userspace enabled. I expected that to
require kernel assistance if you want the main stack protected all the
way up.