x86: Add ASM_X86_ENDBR and x86 CET marker to config.m4.in

Intel Control-flow Enforcement Technology (CET):

https://software.intel.com/en-us/articles/intel-sdm

contains shadow stack (SHSTK) and indirect branch tracking (IBT).  When
CET is enabled, ELF object files must be marked with .note.gnu.property
section.  Also when IBT is enabled, all indirect branch targets must
start with ENDBR instruction.

This patch adds ASM_X86_ENDBR and the x86 CET marker to config.m4.in when
CET is enabled.  It updates PROLOGUE with ASM_X86_ENDBR.

Tested on CET machine with i686 and x86-64.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>

diff --git a/asm.m4 b/asm.m4
index 8da472013cb8e04f73d5c5cec8cdd8d8fa054177..59d64098da03e614f0f2e2ac19e8319a73d74d83 100644 (file)
--- a/asm.m4
+++ b/asm.m4
@@ -32,7 +32,7 @@ define(<GMP_NUMB_BITS>,<>)dnl
 define(<PROLOGUE>,
 <.globl C_NAME($1)
 DECLARE_FUNC(C_NAME($1))
-C_NAME($1):>)
+C_NAME($1): ASM_X86_ENDBR>)
 
 define(<EPILOGUE>,
 <ifelse(ELF_STYLE,yes,

diff --git a/config.m4.in b/config.m4.in
index 11f90a4099e272dc7f77ebb5983514cc145441f3..f7f5f283f0312a3efc70cafc3e6e0c5c0e06bd11 100644 (file)
--- a/config.m4.in
+++ b/config.m4.in
@@ -8,6 +8,9 @@ define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl
 define(<W64_ABI>, <@W64_ABI@>)dnl
 define(<RODATA>, <@ASM_RODATA@>)dnl
 define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl
+define(<ASM_X86_ENDBR>,<@ASM_X86_ENDBR@>)dnl
+define(<ASM_X86_MARK_CET_ALIGN>,<@ASM_X86_MARK_CET_ALIGN@>)dnl
 divert(1)
+@ASM_X86_MARK_CET@
 @ASM_MARK_NOEXEC_STACK@
 divert

diff --git a/configure.ac b/configure.ac
index ba3ab7c6d992566ef00775905590dbfbfa805910..05849fb62be319d7f1f15c13cff70cdc693c7145 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -803,6 +803,68 @@ EOF
   ASM_ALIGN_LOG="$nettle_cv_asm_align_log"
 fi
 
+dnl  Define
+dnl  1. ASM_X86_ENDBR for endbr32/endbr64.
+dnl  2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark
+dnl  Intel CET support if needed.
+dnl  3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET.
+AC_CACHE_CHECK([if Intel CET is enabled],
+  [nettle_cv_asm_x86_intel_cet],
+  [AC_TRY_COMPILE([
+#ifndef __CET__
+#error Intel CET is not enabled
+#endif
+  ], [],
+  [nettle_cv_asm_x86_intel_cet=yes],
+  [nettle_cv_asm_x86_intel_cet=no])])
+if test "$nettle_cv_asm_x86_intel_cet" = yes; then
+  case $ABI in
+  32|standard)
+    ASM_X86_ENDBR=endbr32
+    ASM_X86_MARK_CET_ALIGN=2
+    ;;
+  64)
+    ASM_X86_ENDBR=endbr64
+    ASM_X86_MARK_CET_ALIGN=3
+    ;;
+  x32)
+    ASM_X86_ENDBR=endbr64
+    ASM_X86_MARK_CET_ALIGN=2
+    ;;
+  esac
+  AC_CACHE_CHECK([if .note.gnu.property section is needed],
+    [nettle_cv_asm_x86_gnu_property],
+    [AC_TRY_COMPILE([
+#if !defined __ELF__ || !defined __CET__
+#error GNU property is not needed
+#endif
+    ], [],
+    [nettle_cv_asm_x86_gnu_property=yes],
+    [nettle_cv_asm_x86_gnu_property=no])])
+else
+  nettle_cv_asm_x86_gnu_property=no
+fi
+if test "$nettle_cv_asm_x86_gnu_property" = yes; then
+  ASM_X86_MARK_CET='
+       .pushsection ".note.gnu.property", "a"
+       .p2align ASM_X86_MARK_CET_ALIGN
+       .long 1f - 0f
+       .long 4f - 1f
+       .long 5
+0:
+       .asciz "GNU"
+1:
+       .p2align ASM_X86_MARK_CET_ALIGN
+       .long 0xc0000002
+       .long 3f - 2f
+2:
+       .long 3
+3:
+       .p2align ASM_X86_MARK_CET_ALIGN
+4:
+       .popsection'
+fi
+
 AC_SUBST(ASM_SYMBOL_PREFIX)
 AC_SUBST(ASM_ELF_STYLE)
 AC_SUBST(ASM_COFF_STYLE)
@@ -813,6 +875,9 @@ AC_SUBST(ASM_ALIGN_LOG)
 AC_SUBST(W64_ABI)
 AC_SUBST(ASM_WORDS_BIGENDIAN)
 AC_SUBST(EMULATOR)
+AC_SUBST(ASM_X86_ENDBR)
+AC_SUBST(ASM_X86_MARK_CET)
+AC_SUBST(ASM_X86_MARK_CET_ALIGN)
 
 AC_SUBST(LIBNETTLE_MAJOR)
 AC_SUBST(LIBNETTLE_MINOR)