
Re: Intel CET Support?



Ok, it turns out the quick test I spontaneously came up with is flawed,
sorry about that.

However, if you look at the disassembly, you can see that the
endbr instruction is not at the beginning of a function,
but rather directly after a nop instruction, so it seems to
me this is just used as another nop variant for alignment purposes.

Another file one can test that actually gives zero is

/lib64/ld-linux-x86-64.so.2

so the right command to test is

objdump -d /lib64/ld-linux-x86-64.so.2 | grep endbr | wc -l

On Mon, 2022-09-05 at 21:14 +0000, Jeremy Stanley wrote:
> On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
> > I just stumbled upon the fact that Debian doesn't yet make use of
> > the Intel CET security feature, while many other distributions
> > (Ubuntu, Fedora, SUSE, Arch Linux) do.
> [...]
> 
> Forgive me if this is a dumb question, but were you running on a
> Linux 5.18 kernel when you tested this? The default kernel on the
> current Debian release is too old to support it, but there is a 5.18
> kernel in the bullseye-backports suite. This is from my workstation
> running a relatively up to date Debian unstable booted on a 5.18.x
> kernel, as you can see:
> 
>   fungi@dhole:~$ uname -v
>   #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
>   fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
>   2
>   fungi@dhole:~$ objdump -d /bin/mv | grep endbr
>       4230:       f3 0f 1e fa             endbr64
>       4270:       f3 0f 1e fa             endbr64
> 
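
Counting endbr instructions in the disassembly, as done in this thread, is one signal; the linker also records whether a binary is marked CET-compatible in its .note.gnu.property note (the x86 feature properties that readelf -n prints). The parser below for that note is an added example, not part of the original thread; its function names and the sample note bytes are constructed for illustration, and it assumes a little-endian ELF64 file.

```python
import struct
# Constants as defined in glibc's <elf.h>; function names are this example's own.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
PT_GNU_PROPERTY = 0x6474E553
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}

def _up(n, a):
    return (n + a - 1) & ~(a - 1)  # round n up to a multiple of a

def cet_features(note, align=8):
    """Return the CET features declared in raw .note.gnu.property bytes."""
    feats, off = set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        desc_at = _up(off + 12 + namesz, align)
        end = desc_at + descsz
        if end > len(note):
            break  # truncated note: stop instead of reading past the buffer
        is_gnu = note[off + 12:off + 12 + namesz] == b"GNU\0"
        p = desc_at
        while is_gnu and ntype == NT_GNU_PROPERTY_TYPE_0 and p + 8 <= end:
            ptype, psz = struct.unpack_from("<II", note, p)
            if p + 8 + psz > end:
                break  # property claims more data than the note holds
            if ptype == GNU_PROPERTY_X86_FEATURE_1_AND and psz == 4:
                (bits,) = struct.unpack_from("<I", note, p + 8)
                feats |= {name for bit, name in FEATURE_BITS.items() if bits & bit}
            p = _up(p + 8 + psz, align)
        off = _up(end, align)
    return feats

def cet_features_of_elf(data):
    """Locate the PT_GNU_PROPERTY segment of an ELF64 image and parse it."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, ph)
        if p_type == PT_GNU_PROPERTY:
            return cet_features(data[p_offset:p_offset + p_filesz])
    return set()  # no property note: the file is not marked for CET

# Constructed sample: one note whose feature word has IBT and SHSTK set.
SAMPLE_NOTE = struct.pack("<III4sIII4x", 4, 16, 5, b"GNU\0", 0xC0000002, 4, 0x3)
if __name__ == "__main__":
    print(sorted(cet_features(SAMPLE_NOTE)))
```

To check a real file, pass its contents, for example cet_features_of_elf(open(path, "rb").read()).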

