From: H.J. Lu Date: Wed, 18 Jul 2018 18:34:35 +0000 (-0700) Subject: x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk X-Git-Tag: glibc-2.28~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d90776dff7e70e08fa46f9cd7576dd0eeb06da2;p=thirdparty%2Fglibc.git x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk * manual/tunables.texi: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk. --- diff --git a/ChangeLog b/ChangeLog index 6d1229ca975..b489ce06add 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2018-07-18 H.J. Lu + + * manual/tunables.texi: Document glibc.tune.x86_ibt and + glibc.tune.x86_shstk. + 2018-07-18 H.J. Lu * NEWS: Mention --enable-cet. diff --git a/manual/tunables.texi b/manual/tunables.texi index be33c9fc796..bb4819bdf1d 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi 
@@ -356,3 +356,31 @@ to set threshold in bytes for non temporal store. This tunable is specific to i386 and x86-64. @end deftp + +@deftp Tunable glibc.tune.x86_ibt +The @code{glibc.tune.x86_ibt} tunable allows the user to control how +indirect branch tracking (IBT) should be enabled. Accepted values are +@code{on}, @code{off}, and @code{permissive}. @code{on} always turns +on IBT regardless of whether IBT is enabled in the executable and its +dependent shared libraries. @code{off} always turns off IBT regardless +of whether IBT is enabled in the executable and its dependent shared +libraries. @code{permissive} is the same as the default which disables +IBT on non-CET executables and shared libraries. + +This tunable is specific to i386 and x86-64. +@end deftp + +@deftp Tunable glibc.tune.x86_shstk +The @code{glibc.tune.x86_shstk} tunable allows the user to control how +the shadow stack (SHSTK) should be enabled. Accepted values are +@code{on}, @code{off}, and @code{permissive}. @code{on} always turns on +SHSTK regardless of whether SHSTK is enabled in the executable and its +dependent shared libraries. @code{off} always turns off SHSTK regardless +of whether SHSTK is enabled in the executable and its dependent shared +libraries. @code{permissive} changes how dlopen works on non-CET shared +libraries. By default, when SHSTK is enabled, dlopening a non-CET shared +library returns an error. With @code{permissive}, it turns off SHSTK +instead. + +This tunable is specific to i386 and x86-64. +@end deftp
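Review bot: In the glibc.tune.x86_ibt entry, the sentence "@code{permissive} is the same as the default which disables IBT on non-CET executables and shared libraries" leaves the dlopen case unstated, while the glibc.tune.x86_shstk entry spells it out and presents permissive as a change from the default. Suggest wording the two entries in parallel: say what happens by default when a non-CET shared library is dlopened with the feature enabled, then what permissive changes, so a reader can tell whether the IBT default already is the permissive behaviour or whether the two features really differ here. Both entries would also benefit from one sentence on what @code{on} means for objects without CET markings, since "always turns on ... regardless" forces enforcement on code the loader would otherwise treat as non-CET, and on what @code{off} gives up, since it disables the protection even for fully CET-enabled binaries.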