[gnutls-devel] GnuTLS | Library incompatible with x86_64 CET/shadow stack (#1658)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri Feb 7 00:14:08 CET 2025
Maciej S. Szmigiero created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1658
## Description of the feature:
The built `libgnutls.so.30.40.2` library lacks CET/shadow stack markings:
```
$ readelf -n /usr/lib64/libgnutls.so.30.40.2 | grep -a SHSTK
(empty)
```
Now that shadow stack-enabled CPUs are getting more common, each program which links to `libgnutls` cannot benefit from shadow stack enforcement, since such enforcement requires that *all* of its library dependencies carry appropriate markings.
Tested on a distribution which enables `-fcf-protection` by default in GCC (Gentoo). This causes most other libraries to get built with proper CET support.
I think the most likely reason that `libgnutls` is missing CET markings is that assembly source files in `lib/accelerated/x86/elf` are missing them.
## Is this feature implemented in other libraries (and which)
OpenSSL 3 has proper CET support:
```
$ readelf -n /usr/lib64/libssl.so.3 | grep -a SHSTK
Properties: x86 feature: IBT, SHSTK
```
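The `readelf -n | grep SHSTK` check in the report reads the `.note.gnu.property` section of the ELF file. As an added example (not from the issue or the GnuTLS project), this Python script decodes that note directly, so the same check can be run across every library a program loads to find the one without markings. It assumes little-endian ELF64 input and the x86-64 property-note layout (name and property data padded to 8 bytes); the function names are mine, the constant values are those of the ELF gABI and the x86-64 psABI.

```python
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
X86_FEATURE_1_IBT = 0x1
X86_FEATURE_1_SHSTK = 0x2
def parse_gnu_property_note(note, align=8):
    """Decode a raw .note.gnu.property blob into the x86 feature bitmask (0 if none).
    Each note is (namesz, descsz, type, name, desc); x86-64 pads name and data to 8."""
    pad = lambda n: (n + align - 1) & ~(align - 1)
    features, off = 0, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name, off = note[off:off + namesz], off + pad(namesz)
        desc, off = note[off:off + descsz], off + pad(descsz)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # build-id, ABI-tag and other notes carry no properties
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                features |= struct.unpack_from("<I", desc, p)[0]
            p += pad(pr_datasz)
    return features
def elf_x86_features(path):
    """Locate .note.gnu.property in a little-endian ELF64 file and decode it."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError(f"{path}: not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", data, 0x28)  # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdr = lambda i: struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
    strtab = shdr(shstrndx)[4]  # sh_offset of the section-name string table
    for i in range(shnum):
        sh_name, _, _, _, sh_offset, sh_size, *_ = shdr(i)
        end = data.index(b"\0", strtab + sh_name)
        if data[strtab + sh_name:end] == b".note.gnu.property":
            return parse_gnu_property_note(data[sh_offset:sh_offset + sh_size])
    return 0  # no property note at all: unmarked, like the libgnutls build above
def describe(features):
    # Render the bitmask the way readelf -n prints it, or "(none)" if unmarked
    names = [n for bit, n in ((X86_FEATURE_1_IBT, "IBT"), (X86_FEATURE_1_SHSTK, "SHSTK")) if features & bit]
    return ", ".join(names) or "(none)"
if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {describe(elf_x86_features(path))}")
```

Pass `libgnutls.so.30.40.2` together with the other libraries `ldd` lists for the program; any file reported as `(none)` is one that keeps the whole process from running under shadow stack enforcement.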