Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return

[Florian Weimer <fw@deneb.enyo.de>]

* Emanuele Rocca:

> Hi,
>
> On 2025-09-06 06:50, Guillem Jover wrote:
>> Someone would need to check which shared objects are still not marked,
>> in a similar way as what Emanuele Rocca has been doing for arm64 (with
>> its PAC and BTI counterparts).
>
> On arm64, ELF files supporting what in Debian we call the "branch"
> hardening features (PAC, BTI, GCS) are marked with a special ELF note.
>
> $ readelf -n a.out | grep Properties
>       Properties: AArch64 feature: BTI, PAC, GCS
>
> The checks mentioned by Guillem are based on that note. They are
> performed daily on the whole archive, and the results are available
> here: https://people.debian.org/~ema/pac-bti/
>
> Is there a similar test that can be performed on x86 ELF files to find
> out if fcf-protection is enabled properly?

readelf -nw would print something like this:

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000040       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline
        x86 feature used: x86, XMM
        x86 ISA used: x86-64-baseline

With elfutils, it's:

Note section [19] '.note.gnu.property' of 80 bytes at offset 0x5a48:
  Owner          Data size  Type
  GNU                   64  GNU_PROPERTY_TYPE_0
    X86 FEATURE_1_AND: 00000003 IBT SHSTK
    X86 0xc0008002 data: 01 00 00 00
    X86 0xc0010001 data: 09 00 00 00
    X86 0xc0010002 data: 01 00 00 00

The Intel CET features are IBT and SHSTK.  The other subthread
discusses enabling SHSTK only, in which case IBT would not show up.