Runtime enable info for Intel CET shadow stack #563
@@ -726,6 +726,10 @@ There are performance implications but they are typically mild due to hardware a | |||
|
|||
--- | |||
|
|||
#### Additional Considerations | |||
|
|||
Intel CET shadow stack requires Linux Kernel version 6.6 or higher and Glibc version 2.39 or higher. Shadow stack can be enabled by setting the environment variable at runtime with `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
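Review bot: the added last sentence ("Shadow stack can be enabled by setting the environment variable at runtime with ...") never says which variable or that it is a glibc tunable, so the reader has to work out from the command alone that the switch lives in glibc rather than in the kernel; suggest "Shadow stack support must additionally be enabled at run-time through glibc's hardware-capability tunable, by setting `GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK` in the environment of the process." The two version requirements (kernel 6.6, glibc 2.39) are also stated without any reference; the commits or release announcements that introduced user-space shadow stack support in each project would be the natural citations. Minor: "Glibc" and "runtime" should follow the guide's spelling ("glibc", "run-time").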
Nit: the guide uses all lowercase for "Glibc" → "glibc" and hyphenates "runtime" → "run-time"
The second sentence could be made clearer by explicitly adding a reference to the Glibc Tunables:
Shadow stack support must in addition be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable¹: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`.
lgtm
docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
@@ -726,6 +726,12 @@ There are performance implications but they are typically mild due to hardware a | |||
|
|||
--- | |||
|
|||
#### Additional Considerations | |||
|
|||
Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
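Review bot: `[^glibc-tunables]` is referenced on the last line but its definition does not appear among the lines shown, and the hunk header counts 12 added lines of which only 6 are visible here; make sure the footnote body lands in the same change, since a dangling footnote reference renders literally in Markdown. "environmental variable" should be "environment variable", the standard term. The sentence would also benefit from stating the reason the run-time step is needed at all, namely that glibc leaves shadow stack disabled by default even on supported hardware (the glibc commit linked in the review discussion is the one to cite), and that the variable has to be present in the environment the program is launched with, which is what the `export` in the command achieves.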
Maybe include IBT while at it? (https://www.gnu.org/software/libc/manual/html_node/Hardware-Capability-Tunables.html#index-glibc_002ecpu_002ex86_005fibt)
Took a look at this, verified that the versions and details listed are correct:
- Kernel 6.6 version: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df57721f9a63e8a1fb9b9b2e70de4aa4c7e0cd2e
- glibc 2.39 version: https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html
Would recommend adding the glibc patch where disabled was set to be the default since it's non-obvious behavior: https://sourceware.org/git/?p=glibc.git;a=commit;h=55d63e731253de82e96ed4ddca2e294076cd0bc5
As for IBT, that's a separate feature so I would propose we make it its own issue. I'm also unclear whether that's supported in userland on Linux (per https://docs.kernel.org/next/arch/x86/shstk.html , it appears to be kernel only, see also golang/go#66054 ).
@@ -726,6 +726,12 @@ There are performance implications but they are typically mild due to hardware a | |||
|
|||
--- | |||
|
|||
#### Additional Considerations | |||
|
|||
Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
|
||
Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. | ||
|
||
[^glibc-tunables]: GNU C Library team, [Tunables](https://www.gnu.org/software/libc/manual/html_node/Tunables.html), GNU C Library (glibc) manual, 2023-07-31. |
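Review bot: the footnote dates the glibc manual 2023-07-31, but the `glibc.cpu.hwcaps=SHSTK` setting it is cited for only exists from glibc 2.39, released 2024-01-31, so a 2023 revision of the manual cannot be the edition that documents it; use the manual's current last-updated date instead. The link also points at the general Tunables chapter; the Hardware Capability Tunables node (https://www.gnu.org/software/libc/manual/html_node/Hardware-Capability-Tunables.html) is where `glibc.cpu.hwcaps` is actually described and would be the more precise target for this reference.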
Is this date stamp correct? It looks to me that glibc 2.39 was released 2024-01-31, but I must confess I don't know how the versioning of the documentation differs from the library.
You are quite right. This is probably my oversight since I think I copied an existing citation to the glibc manual in my comment. The online glibc manual currently shows it was last updated July 22nd, 2024. Maybe we can use that date. I've usually given the last updated date at the time writing and not worried too much about going back and updating references unless the content has changed significantly.
I agree with creating a separate issue for the IBT. I tested the shadow stack with the mentioned version of kernel and libc. When we can test IBT in userspace, we can also include IBT.
Signed-off-by: Merve Gülmez <[email protected]>
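The last comment above reports testing shadow stack with the stated kernel and glibc versions. The following program is an added example, not code from the PR or from the hardening guide, showing how to confirm from inside a process that the tunable actually took effect: it queries the kernel through `arch_prctl(ARCH_SHSTK_STATUS)`, the interface described in the kernel's x86 shadow stack documentation linked in the discussion, and cross-checks the `x86_Thread_features:` line of `/proc/self/status`. The `ARCH_SHSTK_*` values are the kernel UAPI constants; the file name, build flags and the `/proc` text used in the self-test are constructed for illustration.

```c
/* Added example (not part of the PR or the guide): report whether the
 * running process really has an Intel CET shadow stack, using two
 * independent sources documented by the kernel (arch/x86/shstk):
 *   1. arch_prctl(ARCH_SHSTK_STATUS), available on Linux >= 6.6
 *   2. the "x86_Thread_features:" line of /proc/self/status
 *
 * Assumed build and run (illustrative):
 *   gcc -O2 -fcf-protection=full -o shstk_check shstk_check.c
 *   GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK ./shstk_check
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1 /* exposes syscall(2) in <unistd.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long syscall(long number, ...); /* repeated in case strict ISO mode hides it */

/* Values from the kernel UAPI header asm/prctl.h, repeated here so the
 * program also compiles against headers older than Linux 6.6. */
#ifndef ARCH_SHSTK_STATUS
#define ARCH_SHSTK_STATUS 0x5005
#endif
#ifndef ARCH_SHSTK_SHSTK
#define ARCH_SHSTK_SHSTK (1ULL << 0)
#endif
#ifndef ARCH_SHSTK_WRSS
#define ARCH_SHSTK_WRSS (1ULL << 1)
#endif

/* Return the feature bitmask listed on the "x86_Thread_features:" line of a
 * /proc/<pid>/status text, in the arch_prctl bit layout. Returns 0 when the
 * line is missing (kernel without user shadow stack support) or empty. */
unsigned long parse_thread_features(const char *status_text)
{
    static const char key[] = "x86_Thread_features:";
    const size_t klen = sizeof key - 1;
    const char *line = status_text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= klen && strncmp(line, key, klen) == 0) {
            /* Copy the remainder of the line and split it on whitespace. */
            char buf[256];
            size_t n = len - klen;
            if (n >= sizeof buf)
                n = sizeof buf - 1;
            memcpy(buf, line + klen, n);
            buf[n] = '\0';
            unsigned long features = 0;
            for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
                if (strcmp(tok, "shstk") == 0)
                    features |= ARCH_SHSTK_SHSTK;
                else if (strcmp(tok, "wrss") == 0)
                    features |= ARCH_SHSTK_WRSS;
            }
            return features;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Ask the kernel directly. Returns 0 and fills *features on success, or -1
 * with errno set (EINVAL on kernels that predate ARCH_SHSTK_STATUS, ENOSYS
 * when not built for x86-64 Linux). */
int query_shstk_status(unsigned long *features)
{
    *features = 0;
#if defined(__linux__) && defined(__x86_64__)
    return (int)syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, features);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Read and parse /proc/self/status; 0 if the file cannot be read. */
unsigned long proc_thread_features(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_thread_features(buf);
}

int main(void)
{
    unsigned long kern = 0, proc = proc_thread_features();
    const char *tun = getenv("GLIBC_TUNABLES");

    printf("GLIBC_TUNABLES=%s\n", tun ? tun : "(unset)");
    if (query_shstk_status(&kern) != 0)
        printf("arch_prctl(ARCH_SHSTK_STATUS): %s\n", strerror(errno));
    else
        printf("arch_prctl(ARCH_SHSTK_STATUS): shstk=%d wrss=%d\n",
               !!(kern & ARCH_SHSTK_SHSTK), !!(kern & ARCH_SHSTK_WRSS));
    printf("/proc/self/status:            shstk=%d wrss=%d\n",
           !!(proc & ARCH_SHSTK_SHSTK), !!(proc & ARCH_SHSTK_WRSS));

    puts(kern & ARCH_SHSTK_SHSTK ? "shadow stack active"
                                 : "shadow stack NOT active for this process");
    return (kern & ARCH_SHSTK_SHSTK) ? 0 : 1;
}
```

Two things to check when the program reports `shstk=0` on a 6.6+/2.39+ system: the tunable is parsed by the dynamic loader before `main` runs, so it must be in the environment the process is executed with (calling `setenv` inside the program is too late), and the executable plus every shared object it loads must carry the SHSTK property produced by `-fcf-protection` (visible under `.note.gnu.property` in `readelf -n`), otherwise glibc leaves shadow stack disabled.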