[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Intel CET Support?

Ok, it turns out the quick test i spontaneously came up with is flawed,
sorry about that.

However, if you look at the disassembly, you can see that the
endbr instruction is not at the beginning of a function,
but rather directly after a nop instruction, so it seems to
me this is just used as another nop variant for alignment purposes.

Another file one can test that actually gives zero is


so the right command to test is

objdump -d /lib64/ld-linux-x86-64.so.2 | grep endbr | wc -l

On Mon, 2022-09-05 at 21:14 +0000, Jeremy Stanley wrote:
> On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
> > i just stumbled upon the fact that debian doesn't yet make use of
> > the Intel CET security feature, while many other distributions
> > (Ubuntu, Fedora, Suse, Arch Linux) do.
> [...]
> Forgive me if this is a dumb question, but were you running on a
> Linux 5.18 kernel when you tested this? The default kernel on the
> current Debian release is too old to support it, but there is a 5.18
> kernel in the bullseye-backports suite. This is from my workstation
> running a relatively up to date Debian unstable booted on a 5.18.x
> kernel, as you can see:
>   fungi@dhole:~$ uname -v
>   #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
>   fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
>   2
>   fungi@dhole:~$ objdump -d /bin/mv | grep endbr
>       4230:       f3 0f 1e fa             endbr64
>       4270:       f3 0f 1e fa             endbr64

Reply to: