Enable Intel CET on Windows by default #8491
| 
 Sure, because it is highly unlikely that the hosted GH action runners do support CET. | 
| Can you please test it on a non-virtualized system? Also, is  | 
| The problem is that CET is only supported by pretty recent processors (can be checked with CoreInfo), and if it is not supported, adding the  
 Yes. | 
| yes, citing https://www.offensive-security.com/offsec/intel-cet-in-action/ 
 I do not have access to such a CPU either, can someone test? | 
| We shouldn't merge build configuration changes into released branches. If this is merged, it should be into master only. | 
| Generally, can you please stop submitting pull requests against non-master branches? If something requires a backport into a stable release branch, people will inform you. Your default assumption should be that everything goes into master only -- this is especially true for anything touching the build system or CI, as well as any changes that constitute "cleanup", such as improving tests. Basically, exactly the kind of changes you've been working on. You submitted a lot of PRs that cannot be merged because they currently all target the wrong branch. | 
| This must not be merged at all into any branch. Claiming that the binaries would be CET compatible, while they are most likely not (see #8339) would cause the binaries to crash on systems actually supporting CET, which appears to be highly undesirable. | 
| Great, let's close this then. | 
| 
 I did a lot of actual fixes and I believe I target them correctly. I do not agree that fixes that should go into PHP 8.0 should be targeted at master. Even if you will require it, and there will be any conflicts, CI will not run. I consider this a security feature so I targeted the lowest possible branch. If (and it seems there is) any BC break, I agree, it must target master. That is what this discussion brought. 
 I was not aware of this at submission time; however, the PR and discussion are valuable. I think this PR should be marked as dependent on #8339, which I believe will fix the CET issues, and finished/merged later. If and only if the mentioned PR intends to provide Windows support, this PR is redundant. | 
| Hi @mvorisek , 
 Because fibers are from boostorg/context, we need to modify upstream as well. Although the community thinks such features can't be merged now, I think it's still nice to enable CET in PHP and use a PR to track it. Maybe some day we can merge them. BTW, #8339 passes tests on a full CET environment. "full" means glibc/Linux/CPU have actual CET support. | 
| 
 To clarify: we should support CET, but we need a working implementation. Just linking with  | 
| can this be reopened and what changes in code are needed for Windows? | 
| Might I know if this PR can be landed now and what is the current support of CET on Windows? | 
| 
 
 So just setting the  On the other hand, users who compile PHP can set  We could roll out experimental builds with CET support, but I have some doubts, that these would be sufficiently tested by users. | 
based on #8339 (comment)
this is a security fix, so targeting PHP 8.0
tested with #8392, build & all tests on x64 & x86 pass
see discussion below, it needs to be tested on a CPU with actual CET support
the security can maybe be improved even more, see https://airbus-seclab.github.io/c-compiler-security/msvc_compilation.html