Bug 1802674
| Field | Value |
|---|---|
| Summary | Boot Fedora 33 with Intel CET enabled for Tiger Lake (Tracker) |
| Product | [Fedora] Fedora |
| Component | distribution |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | unspecified |
| Version | rawhide |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | H.J. Lu <hongjiu.lu> |
| Assignee | Josh Boyer <jwboyer> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | codonell, jwboyer, kazen, kevin, mario_limonciello, quanxian.wang |
| Keywords | Reopened, Tracking |
| Type | Bug |
| Last Closed | 2022-03-23 20:19:08 UTC |
| Bug Depends On | 1802686, 1788699, 1789089, 1791906, 1795709, 1798776, 1802681, 1802689, 1802692, 1802693, 1804204, 1804416, 1804474, 1806061, 1807055, 1808484, 1808507, 1808559, 1808811, 1809799, 1809800, 1810205, 1839611, 1891308, 1910368 |

Description
H.J. Lu
2020-02-13 17:10:49 UTC
Change proposals should be sent following the Fedora Changes process: https://docs.fedoraproject.org/en-US/program_management/changes_policy/ Closing this bug.

Reopening under distribution component. This is a tracking bug for feature enablement for F33. We'll file a system-wide change request for this in the future when we're further ahead.

Created attachment 1665648
Plan to enable CET in Fedora 33

CET is broken on Fedora 33 due to https://bugzilla.redhat.com/show_bug.cgi?id=1891308

All packages built after

commit c18bafdecc821132b5ac33af001d79a6e0baab87
Author: Tom Stellard <tstellar>
Date:   Fri Aug 21 16:45:01 2020 +0000

    Enable -fstack-clash-protection for clang on x86, s390x, and ppc64le

    This is supported with LLVM >= 11

dropped -fcf-protection from x86_64 optflags:

-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-p rotection" : "" ] -fcf-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection

dropped CET support:

[hjl@gnu-cfl-1 libgcrypt]$ rpm -qfi /lib64/libgcrypt.so.20
Name        : libgcrypt
Version     : 1.8.6
Release     : 4.fc33
Architecture: x86_64
Install Date: Thu 29 Oct 2020 12:31:48 PM PDT
Group       : Unspecified
Size        : 1283686
License     : LGPLv2+
Signature   : RSA/SHA256, Fri 21 Aug 2020 03:41:47 PM PDT, Key ID 49fd77499570ff31
Source RPM  : libgcrypt-1.8.6-4.fc33.src.rpm
Build Date  : Fri 21 Aug 2020 03:35:55 PM PDT
Build Host  : buildvm-x86-12.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.gnupg.org/
Bug URL     : https://bugz.fedoraproject.org/libgcrypt
Summary     : A general-purpose cryptography library
Description :
Libgcrypt is a general purpose crypto library based on the code used
in GNU Privacy Guard. This is a development version.
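
Review bot: the +optflags line in the change quoted above no longer ends in -fcf-protection, although the commit subject only talks about enabling -fstack-clash-protection for clang. If dropping it was not intended, keep -fcf-protection at the end of the new x86_64 optflags line and limit the change to removing the %[ "%{toolchain}" == "gcc" ? ... ] conditional; if it was intended, the commit message should say that CET marking is being turned off for x86_64 builds.
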
[hjl@gnu-cfl-1 libgcrypt]$ readelf -n /lib64/libgcrypt.so.20

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: SSE, SSE2

Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: ad8948aa7abb7204bd6e083acefe8d47a3e09e0f

Displaying notes found in: .gnu.build.attributes
  Owner                Data size        Description
  GA$<version>3a1      0x00000010       OPEN
    Applies to region from 0xc000 to 0xe29dd
[hjl@gnu-cfl-1 libgcrypt]$

Since CET is re-enabled in python3-3.9.1-1.fc33.x86_64, dnf no longer works on Tiger Lake under CET enabled kernel:

[root@gnu-tgl-1 hjl]# dnf update -y --refresh
Traceback (most recent call last):
  File "/usr/bin/dnf", line 57, in <module>
    from dnf.cli import main
  File "/usr/lib/python3.9/site-packages/dnf/__init__.py", line 30, in <module>
    import dnf.base
  File "/usr/lib/python3.9/site-packages/dnf/base.py", line 29, in <module>
    import libdnf.transaction
  File "/usr/lib64/python3.9/site-packages/libdnf/__init__.py", line 12, in <module>
    from . import conf
  File "/usr/lib64/python3.9/site-packages/libdnf/conf.py", line 13, in <module>
    from . import _conf
ImportError: /lib64/libcom_err.so.2: rebuild shared object with IBT support enabled

Many dnf modules are CET disabled.

Many dnf dependencies are CET disabled:

cyrus-sasl-lib-2.1.27-6.fc33.x86_64
file-libs-5.39-3.fc33.x86_64
gpgme-1.14.0-2.fc33.x86_64
krb5-libs-1.18.2-29.fc33.x86_64
libacl-2.2.53-9.fc33.x86_64
libassuan-2.5.3-4.fc33.x86_64
libattr-2.4.48-10.fc33.x86_64
libblkid-2.36-3.fc33.x86_64
libbrotli-1.0.9-3.fc33.x86_64
libcap-ng-0.8-1.fc33.x86_64
libcom_err-1.45.6-4.fc33.x86_64
libffi-3.1-26.fc33.x86_64
libidn2-2.3.0-4.fc33.x86_64
libmount-2.36-3.fc33.x86_64
libnghttp2-1.41.0-3.fc33.x86_64
libpsl-0.21.1-2.fc33.x86_64
librepo-1.12.1-1.fc33.x86_64
libsmartcols-2.36-3.fc33.x86_64
libsolv-0.7.15-1.fc33.x86_64
libssh-0.9.5-1.fc33.x86_64
libunistring-0.9.10-9.fc33.x86_64
libxcrypt-4.4.17-1.fc33.x86_64
libyaml-0.2.5-3.fc33.x86_64
openldap-2.4.50-5.fc33.x86_64
pcre-8.44-2.fc33.x86_64
popt-1.18-2.fc33.x86_64
xz-libs-5.2.5-3.fc33.x86_64

I only enabled CET in pcre2. Does pcre have a JIT?

Since libffi-3.1-26.fc33.x86_64 isn't CET enabled, dnf modules aren't CET enabled.

(In reply to H.J. Lu from comment #7)
> Since libffi-3.1-26.fc33.x86_64 isn't CET enabled, dnf modules aren't CET
> enabled.

DJ and I have libffi3.1 ready now to deploy as the compatibility package, and we're working with upstream to release an official libffi 3.4 with CET support.

Closing this again. F33 is long released and the last comment was over a year ago.
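
The readelf check used in the comments above can be turned into an audit over a whole dependency set. The following is an added example, not code from the bug report or from Fedora: it reads the "x86 feature:" property from `readelf -n` output and treats IBT or SHSTK as usable only when every object carries the marker, which is the situation the libcom_err and libffi comments describe. The function names, the two marked samples and the paths marked.so and shstk.so are constructed for illustration.

```python
import re
import subprocess

CET = {"IBT", "SHSTK"}

# `readelf -n /lib64/libgcrypt.so.20` as quoted on this page (line breaks restored).
LIBGCRYPT_NOTES = """Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: SSE, SSE2
"""
# Constructed samples: what binutils prints when the marker is present.
FULL_NOTES = LIBGCRYPT_NOTES.replace(
    "x86 ISA needed", "x86 feature: IBT, SHSTK\n\tx86 ISA needed")
SHSTK_ONLY_NOTES = FULL_NOTES.replace("IBT, SHSTK", "SHSTK")


def readelf_notes(path):
    """Run `readelf -n` on a real file (not used by the samples above)."""
    return subprocess.run(["readelf", "-n", path], capture_output=True,
                          text=True, check=True).stdout


def cet_features(notes):
    """CET bits named on the "x86 feature:" property line, if any."""
    found = set()
    # "x86 feature used:" and "x86 ISA needed:" are different properties and
    # must not match, hence the colon directly after "feature".
    for line in re.findall(r"x86 feature:([^\n]*)", notes):
        found |= {tok.strip() for tok in line.split(",")} & CET
    return found


def effective_cet(objects):
    """Features every object carries: one unmarked object clears the bit."""
    result = set(CET)
    for notes in objects.values():
        result &= cet_features(notes)
    return result


def blockers(objects, feature):
    """Objects that would need a rebuild before `feature` can stay on."""
    return sorted(p for p, n in objects.items() if feature not in cet_features(n))
```

On a real system, build the `objects` mapping by calling `readelf_notes()` on each shared object a process loads, then pass it to `blockers(objects, "IBT")` to list what still has to be rebuilt.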