On Tue, Jan 18, 2022 at 3:22 AM Szabolcs Nagy <szabolcs.nagy@xxxxxxx> wrote:
>
> The 01/17/2022 11:01, H.J. Lu via Libc-alpha wrote:
> > We are taking a different approach for CET enabling. CET will be
> > changed to be enabled from user space:
> >
> > https://gitlab.com/x86-glibc/glibc/-/tree/users/hjl/cet/enable
> >
> > and the CET kernel no longer enables CET automatically:
> >
> > https://github.com/hjl-tools/linux/tree/hjl/cet%2F5.16.0-v4
>
> we considered userspace handling of BTI in static exe
> and ld.so too. at the time we wanted the protection to
> be on whenever BTI marked code is executed, so it has
> to be enabled at program entry.
>
> i no longer think that the entry code protection is very
> important, but delaying mprotect for static exe does
> not fix our mprotect(*|PROT_EXEC) problem with systemd.
>
> i also don't immediately see where you deal with shadow
> stack allocation for the main stack if it is userspace
> enabled, i expected that to require kernel assistance
> if you want the main stack protected all the way up.

We enable shadow stack in user space as soon as possible:

https://gitlab.com/x86-glibc/glibc/-/commit/211abce607a9f6e4cd1cadefb87561413dd8fae9

-- 
H.J.
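Both approaches in the thread (enabling BTI or CET from the kernel at program entry, or from user space in the static startup code or ld.so) hinge on the same input: the GNU property note that marks an ELF object as built for the feature, which is what user-space enabling has to consult before it turns anything on. The following is an added example, not glibc's code nor anything from the branches linked above: a small, bounds-checked parser for a `.note.gnu.property` blob that extracts the x86 `GNU_PROPERTY_X86_FEATURE_1_AND` bitmask (IBT and SHSTK bits, constants as defined in the x86-64 psABI). The note bytes are constructed for the example; the function names `parse_x86_feature_1_and` and `features_of` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Note type and property constants from the gABI / x86-64 psABI. */
#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  0x2u

#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))

/* Read a little-endian 32-bit value without relying on host alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one ELF64 note blob. On success returns 0 and stores the
 * FEATURE_1_AND bitmask in *features (0 if the property is absent).
 * Returns -1 if the note is not a GNU property note or is malformed,
 * so a caller never enables a feature on the strength of garbage. */
int parse_x86_feature_1_and(const uint8_t *note, size_t len, uint32_t *features)
{
    *features = 0;
    if (len < 12)
        return -1;
    uint32_t namesz = rd32(note), descsz = rd32(note + 4), type = rd32(note + 8);
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4)
        return -1;
    size_t name_off = 12;
    /* In ELF64 the property descriptor is 8-byte aligned. */
    size_t desc_off = ALIGN_UP(name_off + namesz, 8);
    if (desc_off > len || memcmp(note + name_off, "GNU", 4) != 0)
        return -1;
    if (descsz > len - desc_off)            /* descriptor runs past the buffer */
        return -1;
    const uint8_t *desc = note + desc_off;
    size_t off = 0;
    while (off < descsz) {
        if (descsz - off < 8)               /* truncated property header */
            return -1;
        uint32_t pr_type = rd32(desc + off), pr_datasz = rd32(desc + off + 4);
        off += 8;
        if (pr_datasz > descsz - off)       /* property data runs past descriptor */
            return -1;
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND) {
            if (pr_datasz != 4)
                return -1;
            *features = rd32(desc + off);
        }
        off = ALIGN_UP(off + pr_datasz, 8); /* each property padded to 8 in ELF64 */
    }
    return 0;
}

/* Convenience wrapper: returns the bitmask, or UINT32_MAX for a bad note. */
uint32_t features_of(const uint8_t *note, size_t len)
{
    uint32_t f;
    if (parse_x86_feature_1_and(note, len, &f) != 0)
        return UINT32_MAX;
    return f;
}

/* Constructed sample: namesz=4, descsz=16, type=5, name "GNU\0",
 * one property FEATURE_1_AND with data IBT|SHSTK (0x3), padded to 8. */
const uint8_t SAMPLE_IBT_SHSTK[32] = {
    0x04, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x05, 0x00, 0x00, 0x00,
    'G',  'N',  'U',  0x00,
    0x02, 0x00, 0x00, 0xc0,  0x04, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

/* Constructed sample with an unrelated property type (value chosen
 * arbitrarily for the test): parser must report no CET features. */
const uint8_t SAMPLE_OTHER[32] = {
    0x04, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x05, 0x00, 0x00, 0x00,
    'G',  'N',  'U',  0x00,
    0x00, 0x00, 0x01, 0xc0,  0x04, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff,  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    uint32_t f = features_of(SAMPLE_IBT_SHSTK, sizeof SAMPLE_IBT_SHSTK);
    printf("IBT=%d SHSTK=%d\n", !!(f & GNU_PROPERTY_X86_FEATURE_1_IBT),
           !!(f & GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    printf("other note -> 0x%x, truncated note -> 0x%x\n",
           features_of(SAMPLE_OTHER, sizeof SAMPLE_OTHER),
           features_of(SAMPLE_IBT_SHSTK, 20));
    return 0;
}
```

A user-space enabling path would AND the mask obtained this way across the executable and every object loaded at startup, and additionally check CPU support, before asking the kernel to turn the feature on; the parser above only shows the marker check, and rejects (rather than ignores) a note whose sizes do not fit the buffer.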