[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return

On Tue, Sep 16, 2025 at 10:41:50AM +0200, Emanuele Rocca wrote:
> On arm64, ELF files supporting what in Debian we call the "branch"
> hardening features (PAC, BTI, GCS) are marked with a special ELF note.
> 
> $ readelf -n a.out | grep Properties
>       Properties: AArch64 feature: BTI, PAC, GCS

GCC 15 got code to emit related information on x86-64:

| void
| file_end_indicate_exec_stack_and_gnu_property (void)
| {
|   file_end_indicate_exec_stack ();
| 
|   if (flag_cf_protection == CF_NONE
|       && !ix86_needed
|       && !ix86_has_no_direct_extern_access)
|     return;
| 
|   unsigned int feature_1 = 0;
| 
|   if (flag_cf_protection & CF_BRANCH)
|     /* GNU_PROPERTY_X86_FEATURE_1_IBT.  */
|     feature_1 |= 0x1;
| 
|   if (flag_cf_protection & CF_RETURN)
|     /* GNU_PROPERTY_X86_FEATURE_1_SHSTK.  */
|     feature_1 |= 0x2;
| 
|   /* Generate GNU_PROPERTY_X86_FEATURE_1_AND.  */
|   if (feature_1)
|     emit_gnu_property (0xc0000002, feature_1);

I have not seen this in binaries however.

Bastian

-- 
Prepare for tomorrow -- get ready.
		-- Edith Keeler, "The City On the Edge of Forever",
		   stardate unknown
Reply to: