From 3ebc7bbf61dfd9b0fa2bc65d6484ea9a44adb3e4 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Thu, 11 Jul 2024 22:52:23 +0100
Subject: [PATCH] glibc: add option enableCETRuntimeDefault to runtime-enable CET by default

this appears to have been added to glibc because of the number of packages in some distributions that were built with CET enabled before a CET enabled machine was available to test for breakage with. we don't have that problem to such an extent and users of hardened systems will likely want to enable this by default.
---
 .../2.39-revert-cet-default-disable.patch | 49 +++++++++++++++++++
 pkgs/development/libraries/glibc/common.nix | 5 +-
 pkgs/development/libraries/glibc/default.nix | 3 +-
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch

diff --git a/pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch b/pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch
new file mode 100644
index 000000000000..8590581daf0b
--- /dev/null
+++ b/pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch
@@ -0,0 +1,49 @@
+Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5
+
+--- b/sysdeps/x86/cpu-features.c
++++ a/sysdeps/x86/cpu-features.c
+@@ -110,7 +110,7 @@
+ if (!CPU_FEATURES_CPU_P (cpu_features, RTM_ALWAYS_ABORT))
+ CPU_FEATURE_SET_ACTIVE (cpu_features, RTM);
+
++#if CET_ENABLED
+-#if CET_ENABLED && 0
+ CPU_FEATURE_SET_ACTIVE (cpu_features, IBT);
+ CPU_FEATURE_SET_ACTIVE (cpu_features, SHSTK);
+ #endif
+reverted:
+--- b/sysdeps/x86/cpu-tunables.c
++++ a/sysdeps/x86/cpu-tunables.c
+@@ -35,17 +35,6 @@
+ break; \
+ }
+
+-#define CHECK_GLIBC_IFUNC_CPU_BOTH(f, cpu_features, name, len) \
+- _Static_assert (sizeof (#name) - 1 == len, #name " != " #len); \
+- if (tunable_str_comma_strcmp_cte (&f, #name)) \
+- { \
+- if (f.disable) \
+- CPU_FEATURE_UNSET (cpu_features, name) \
+- else \
+- CPU_FEATURE_SET_ACTIVE (cpu_features, name) \
+- break; \
+- }
+-
+ /* Disable a preferred feature NAME. We don't enable a preferred feature
+ which isn't available. */
+ #define CHECK_GLIBC_IFUNC_PREFERRED_OFF(f, cpu_features, name, len) \
+@@ -142,13 +131,11 @@
+ }
+ break;
+ case 5:
+- {
+- CHECK_GLIBC_IFUNC_CPU_BOTH (n, cpu_features, SHSTK, 5);
+- }
+ if (n.disable)
+ {
+ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, LZCNT, 5);
+ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, MOVBE, 5);
++ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SHSTK, 5);
+ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SSSE3, 5);
+ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, XSAVE, 5);
+ }
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 25a83b1dc6d2..382a1eea076d 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -37,6 +37,7 @@
 , profilingLibraries ? false
 , withGd ? false
 , enableCET ? false
+, enableCETRuntimeDefault ? false
 , extraBuildInputs ? []
 , extraNativeBuildInputs ? []
 , ...
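Review bot: The file's only header is `Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5`, which names the upstream commit but says nothing about what the revert does at runtime or why the file is tied to 2.39, so a reader coming from common.nix has to decode the hunks to learn that `#if CET_ENABLED && 0` becomes `#if CET_ENABLED` (IBT and SHSTK marked active by default in cpu-features.c) and that SHSTK moves from the enable-or-disable `CHECK_GLIBC_IFUNC_CPU_BOTH` macro to the disable-only `CHECK_GLIBC_IFUNC_CPU_OFF` branch under `if (n.disable)` in cpu-tunables.c. Suggest a few plain-text lines above the first `---` stating that effect, that the disable path of the `glibc.cpu.hwcaps` tunable is the remaining per-process opt-out, and that the context lines were taken from the 2.39 sources and must be regenerated on a glibc bump. The swapped `--- b/` / `+++ a/` headers and the bare `reverted:` line look like artefacts of how the reverse diff was produced; they should apply with the usual `-p1` since the path depth is unchanged, but a one-line remark would stop the next reader from "fixing" them.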
@@ -50,6 +51,7 @@ in assert withLinuxHeaders -> linuxHeaders != null; assert withGd -> gd != null && libpng != null; +assert enableCET == false -> !enableCETRuntimeDefault; stdenv.mkDerivation ({ version = version + patchSuffix; @@ -114,7 +116,8 @@ stdenv.mkDerivation ({ lib.optional (isAarch64 && isLinux) ./0001-aarch64-math-vector.h-add-NVCC-include-guard.patch ) ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch - ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch; + ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch + ++ lib.optional enableCETRuntimeDefault ./2.39-revert-cet-default-disable.patch; postPatch = '' diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 96a08178637d..490f29e99cfb 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -3,6 +3,7 @@ , profilingLibraries ? false , withGd ? false , enableCET ? if stdenv.hostPlatform.isx86_64 then "permissive" else false +, enableCETRuntimeDefault ? false , pkgsBuildBuild , libgcc }: @@ -16,7 +17,7 @@ let in (callPackage ./common.nix { inherit stdenv; } { - inherit withLinuxHeaders withGd profilingLibraries enableCET; + inherit withLinuxHeaders withGd profilingLibraries enableCET enableCETRuntimeDefault; pname = "glibc" + lib.optionalString withGd "-gd" + lib.optionalString (stdenv.cc.isGNU && libgcc==null) "-nolibgcc"; }).overrideAttrs(previousAttrs: {
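Review bot: `assert enableCET == false -> !enableCETRuntimeDefault;` fails with Nix's generic assertion-failed message, so someone enabling `enableCETRuntimeDefault` on a target where default.nix leaves `enableCET` at `false` (anything other than x86_64) is not told which two options conflict. `lib` is already in scope in this file (`lib.optional` is used a few lines further down), so `assert lib.assertMsg (enableCET != false || !enableCETRuntimeDefault) "glibc: enableCETRuntimeDefault requires enableCET to be enabled";` keeps the same condition and names the cause. The condition deliberately admits `enableCET = "permissive"`, the x86_64 default, so the only refused combination is runtime-default-on with CET compiled out entirely; a one-line comment above the assert saying so would save the next reader a trip to default.nix.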
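Review bot: `++ lib.optional enableCETRuntimeDefault ./2.39-revert-cet-default-disable.patch` in the second common.nix hunk applies a patch whose name and context lines are tied to glibc 2.39 without relating it to `version`, which this file defines and could check. A failed patch application will surface the mismatch on the next bump, but only in builds that set the option, which is easy to miss in a mass rebuild. A comment such as `# reverts upstream 55d63e73 (CET not marked active by default); regenerate against the new tree when bumping glibc` next to the line records the obligation, and `assert enableCETRuntimeDefault -> lib.hasPrefix "2.39" version;` beside the existing asserts would make the pin a hard stop if the maintainers prefer that. The `patches` expression this hunk modifies starts before the hunk.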