Properly add .note.gnu.property section to assembly codes

1. Revert "x86: Generate .note.gnu.property section for ELF output" This reverts commit 8074e3f, which is a hack to work around the old nasm which doesn't support section .note.gnu.property note alloc noexec align=8 This hack doesn't work for downstream, like: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2040091 2. If Intel CET is enabled, require nasm with note section support to add section .note.gnu.property note alloc noexec align=N to assembly codes. Verified with $ CC="gcc -Wl,-z,cet-report=error -fcf-protection" CXX="g++ -Wl,-z,cet-report=error -fcf-protection" .../configure x86_64-linux $ make -j8 on Tiger Lake. Change-Id: I6d66fe6fd054420d7fde35b1508ca9f09defdeca Signed-off-by: H.J. Lu <[email protected]>
intel · Jan 20, 2022 · 57846f4 · 57846f4
1 parent e3783f2
commit 57846f4
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 127 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -118,23 +118,12 @@ test: $(addsuffix .run,$(unit_tests))
 	@echo Completed run: $<
 
 # Support for yasm/nasm/gas
-if INTEL_CET_ENABLED
-export CET_LD=$(LD)
-endif
 if USE_YASM
-if INTEL_CET_ENABLED
-  as_filter = ${srcdir}/tools/yasm-cet-filter.sh
-else
   as_filter = ${srcdir}/tools/yasm-filter.sh
 endif
-endif
 if USE_NASM
-if INTEL_CET_ENABLED
-  as_filter = ${srcdir}/tools/nasm-cet-filter.sh
-else
   as_filter = ${srcdir}/tools/nasm-filter.sh
 endif
-endif
 if CPU_AARCH64
   as_filter = $(CC) -D__ASSEMBLY__
 endif

diff --git a/configure.ac b/configure.ac
@@ -51,7 +51,6 @@ fi
 
 # Check for programs
 AC_PROG_CC_STDC
-AC_PROG_LD
 AC_USE_SYSTEM_EXTENSIONS
 AM_SILENT_RULES([yes])
 LT_INIT
@@ -78,6 +77,9 @@ if test x"$is_x86" = x"yes"; then
 		   intel_cet_enabled=yes],
 		  [AC_MSG_RESULT([no])
 		   intel_cet_enabled=no])
+AS_IF([test "x$intel_cet_enabled" = "xyes"], [
+        AC_DEFINE(INTEL_CET_ENABLED, [1], [Intel CET enabled.])
+])
 
 
   # Pick an assembler yasm or nasm
@@ -261,8 +263,6 @@ else
   AM_CONDITIONAL(DARWIN, test "x" = "y")
 fi
 
-AM_CONDITIONAL(INTEL_CET_ENABLED, [test x"$intel_cet_enabled" = x"yes"])
-
 # Check for header files
 AC_CHECK_HEADERS([limits.h stdint.h stdlib.h string.h])
 

diff --git a/include/reg_sizes.asm b/include/reg_sizes.asm
@@ -195,6 +195,23 @@
 
 %define XWORD(reg) reg %+ x
 
+%ifdef INTEL_CET_ENABLED
+ %ifdef __NASM_VER__
+  %if AS_FEATURE_LEVEL >= 10
+   %ifidn __OUTPUT_FORMAT__,elf32
+section .note.gnu.property  note  alloc noexec align=4
+DD 0x00000004,0x0000000c,0x00000005,0x00554e47
+DD 0xc0000002,0x00000004,0x00000003
+   %endif
+   %ifidn __OUTPUT_FORMAT__,elf64
+section .note.gnu.property  note  alloc noexec align=8
+DD 0x00000004,0x00000010,0x00000005,0x00554e47
+DD 0xc0000002,0x00000004,0x00000003,0x00000000
+   %endif
+  %endif
+ %endif
+%endif
+
 %ifidn __OUTPUT_FORMAT__,elf32
 section .note.GNU-stack noalloc noexec nowrite progbits
 section .text

diff --git a/tools/nasm-cet-filter.sh b/tools/nasm-cet-filter.sh
diff --git a/tools/yasm-cet-filter.sh b/tools/yasm-cet-filter.sh