glibc: add option enableCETRuntimeDefault to runtime-enable CET by default

this appears to have been added to glibc because of the number
of packages in some distributions that were built with CET enabled
before a CET-enabled machine was available to test them for
breakage.

we don't have that problem to such an extent and users of hardened
systems will likely want to enable this by default.

+55 -2
+49
pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch
··· 1 + Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5 2 + 3 + --- b/sysdeps/x86/cpu-features.c 4 + +++ a/sysdeps/x86/cpu-features.c 5 + @@ -110,7 +110,7 @@ 6 + if (!CPU_FEATURES_CPU_P (cpu_features, RTM_ALWAYS_ABORT)) 7 + CPU_FEATURE_SET_ACTIVE (cpu_features, RTM); 8 + 9 + +#if CET_ENABLED 10 + -#if CET_ENABLED && 0 11 + CPU_FEATURE_SET_ACTIVE (cpu_features, IBT); 12 + CPU_FEATURE_SET_ACTIVE (cpu_features, SHSTK); 13 + #endif 14 + reverted: 15 + --- b/sysdeps/x86/cpu-tunables.c 16 + +++ a/sysdeps/x86/cpu-tunables.c 17 + @@ -35,17 +35,6 @@ 18 + break; \ 19 + } 20 + 21 + -#define CHECK_GLIBC_IFUNC_CPU_BOTH(f, cpu_features, name, len) \ 22 + - _Static_assert (sizeof (#name) - 1 == len, #name " != " #len); \ 23 + - if (tunable_str_comma_strcmp_cte (&f, #name)) \ 24 + - { \ 25 + - if (f.disable) \ 26 + - CPU_FEATURE_UNSET (cpu_features, name) \ 27 + - else \ 28 + - CPU_FEATURE_SET_ACTIVE (cpu_features, name) \ 29 + - break; \ 30 + - } 31 + - 32 + /* Disable a preferred feature NAME. We don't enable a preferred feature 33 + which isn't available. */ 34 + #define CHECK_GLIBC_IFUNC_PREFERRED_OFF(f, cpu_features, name, len) \ 35 + @@ -142,13 +131,11 @@ 36 + } 37 + break; 38 + case 5: 39 + - { 40 + - CHECK_GLIBC_IFUNC_CPU_BOTH (n, cpu_features, SHSTK, 5); 41 + - } 42 + if (n.disable) 43 + { 44 + CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, LZCNT, 5); 45 + CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, MOVBE, 5); 46 + + CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SHSTK, 5); 47 + CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SSSE3, 5); 48 + CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, XSAVE, 5); 49 + }
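Review bot: The preamble on line 1 of the patch records only the reverted hash, while the `--- b/` / `+++ a/` headers and the `reverted:` marker show this is a reversed diff produced from the upstream commit and pinned to glibc 2.39 by filename, so a one-line comment above the first hunk should say what 55d63e731253de82e96ed4ddca2e294076cd0bc5 did (stop marking IBT/SHSTK active under `CET_ENABLED` in cpu-features.c and add the enable/disable `CHECK_GLIBC_IFUNC_CPU_BOTH` form in cpu-tunables.c) and that the patch must be regenerated on the next glibc bump. It is also worth stating there that after the revert only the disable direction survives: the cpu-tunables.c hunks keep `CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SHSTK, 5)` under `if (n.disable)`, so `glibc.cpu.hwcaps=-SHSTK` remains the per-process opt-out, whereas an explicit `SHSTK` opt-in string is presumably no longer recognised (the non-disable branch of `case 5:` lies outside the hunk). Both `case 5:` and the enclosing switch start and end outside the hunks shown.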
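--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -37,6 +37,7 @@
 , profilingLibraries ? false
 , withGd ? false
 , enableCET ? false
+, enableCETRuntimeDefault ? false
 , extraBuildInputs ? []
 , extraNativeBuildInputs ? []
 , ...
@@ -50,6 +51,7 @@
 
 assert withLinuxHeaders -> linuxHeaders != null;
 assert withGd -> gd != null && libpng != null;
+assert enableCET == false -> !enableCETRuntimeDefault;
 
 stdenv.mkDerivation ({
   version = version + patchSuffix;
@@ -114,7 +116,8 @@
   lib.optional (isAarch64 && isLinux) ./0001-aarch64-math-vector.h-add-NVCC-include-guard.patch
   )
   ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
-  ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
+  ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch
+  ++ lib.optional enableCETRuntimeDefault ./2.39-revert-cet-default-disable.patch;
 
   postPatch =
     ''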
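Review bot: The new `assert enableCET == false -> !enableCETRuntimeDefault;` on line 54 fails with Nix's generic "assertion failed" message and is written from the opposite direction to the option it guards; `assert lib.assertMsg (enableCETRuntimeDefault -> enableCET != false) "enableCETRuntimeDefault requires enableCET";` states the dependency the way a user thinks about it and names the offending option in the error (`lib` is already in scope, see line 116). The parameter added on line 40 is undocumented, although the patch it switches on at line 120 is pinned to glibc 2.39 by name and touches only `sysdeps/x86`, so it will need regenerating on every bump; a comment such as `# Apply the 2.39-specific revert so IBT/SHSTK are marked active at startup on CET-capable x86 hardware; the glibc.cpu.hwcaps=-SHSTK tunable path kept by the patch still allows a per-process opt-out` above line 40 would make both the scope and that maintenance cost visible.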
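--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -3,6 +3,7 @@
 , profilingLibraries ? false
 , withGd ? false
 , enableCET ? if stdenv.hostPlatform.isx86_64 then "permissive" else false
+, enableCETRuntimeDefault ? false
 , pkgsBuildBuild
 , libgcc
 }:
@@ -16,7 +17,7 @@
 in
 
 (callPackage ./common.nix { inherit stdenv; } {
-  inherit withLinuxHeaders withGd profilingLibraries enableCET;
+  inherit withLinuxHeaders withGd profilingLibraries enableCET enableCETRuntimeDefault;
   pname = "glibc" + lib.optionalString withGd "-gd" + lib.optionalString (stdenv.cc.isGNU && libgcc==null) "-nolibgcc";
 }).overrideAttrs(previousAttrs: {
 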
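Review bot: `enableCETRuntimeDefault` on line 6 defaults to false while `enableCET` on line 5 defaults to `"permissive"` on x86_64, so a user who flips only the new option gets IBT/SHSTK marked active at startup but, if I read glibc's configure documentation for permissive mode correctly, still has CET switched off in any process that loads a non-CET shared object; the hardened deployments the commit message targets would need `enableCET = true` as well. A comment on line 6 such as `# Mark IBT/SHSTK active at startup (glibc 2.39 patch); with enableCET = "permissive" a non-CET DSO still disables CET for that process — set enableCET = true to enforce` would make that interaction visible where the two options sit side by side. The `inherit` on line 20 passes the flag through to common.nix unchanged, which is fine.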