Runtime enable info for Intel CET shadow stack #563
Conversation
|
|
||
| #### Additional Considerations | ||
|
|
||
| Intel CET shadow stack requires Linux Kernel version 6.6 or higher and Glibc version 2.39 or higher. Shadow stack can be enabled by setting the environment variable at runtime with `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
There was a problem hiding this comment.
Nit: the guide uses all lowercase for "Glibc" → "glibc" and hyphenates "runtime" → "run-time"
The second sentence could be made clearer by explicitly adding a reference to the Glibc Tunables:
Shadow stack support must in addition be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the
GLIBC_TUNABLESenvironmental variable 1:export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.
Footnotes
docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
Outdated
Show resolved
Hide resolved
|
|
||
| #### Additional Considerations | ||
|
|
||
| Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
There was a problem hiding this comment.
Maybe include IBT while at it? (https://www.gnu.org/software/libc/manual/html_node/Hardware-Capability-Tunables.html#index-glibc_002ecpu_002ex86_005fibt)
There was a problem hiding this comment.
Took a look at this, verified that the versions and details listed are correct:
- Kernel 6.6 version: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df57721f9a63e8a1fb9b9b2e70de4aa4c7e0cd2e
- glibc 2.39 version: https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html
Would recommend adding the glibc patch where disabled was set to be the default since it's non-obvious behavior: https://sourceware.org/git/?p=glibc.git;a=commit;h=55d63e731253de82e96ed4ddca2e294076cd0bc5
As for IBT, that's a separate feature so I would propose we make it its own issue. I'm also unclear whether that's supported in userland on Linux (per https://docs.kernel.org/next/arch/x86/shstk.html , it appears to be kernel only, see also golang/go#66054 ).
|
|
||
| #### Additional Considerations | ||
|
|
||
| Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. |
There was a problem hiding this comment.
Took a look at this, verified that the versions and details listed are correct:
- Kernel 6.6 version: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df57721f9a63e8a1fb9b9b2e70de4aa4c7e0cd2e
- glibc 2.39 version: https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html
Would recommend adding the glibc patch where disabled was set to be the default since it's non-obvious behavior: https://sourceware.org/git/?p=glibc.git;a=commit;h=55d63e731253de82e96ed4ddca2e294076cd0bc5
As for IBT, that's a separate feature so I would propose we make it its own issue. I'm also unclear whether that's supported in userland on Linux (per https://docs.kernel.org/next/arch/x86/shstk.html , it appears to be kernel only, see also golang/go#66054 ).
|
|
||
| Intel CET shadow stack requires Linux Kernel version 6.6 or higher and glibc version 2.39 or higher. Shadow stack support must, in addition, be enabled at run-time by setting the corresponding hardware capability tunable for glibc via the `GLIBC_TUNABLES` environmental variable [^glibc-tunables]: `export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK`. | ||
|
|
||
| [^glibc-tunables]: GNU C Library team, [Tunables](https://www.gnu.org/software/libc/manual/html_node/Tunables.html), GNU C Library (glibc) manual, 2023-07-31. |
There was a problem hiding this comment.
Is this date stamp correct? It looks to me that glibc 2.39 was released 2024-01-31, but I must confess I don't know how the versioning of the documentation differs from the library.
There was a problem hiding this comment.
You are quite right. This is probably my oversight since I think I copied an existing citation to the glibc manual in my comment. The online glibc manual currently shows it was last updated July 22nd, 2024. Maybe we can use that date. I've usually given the last updated date at the time writing and not worried too much about going back and updating references unless the content has changed significantly.
There was a problem hiding this comment.
I agree with creating a separate issue for the IBT. I tested the shadow stack with the mentioned version of kernel and libc. When we can test IBT in userspace, we can also include IBT.
Signed-off-by: Merve Gülmez <[email protected]>
5 participants
No description provided.