Bug 1788699 - Enable CET in openssl 1.1.1
Summary: Enable CET in openssl 1.1.1
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1802674
Reported: 2020-01-07 20:39 UTC by H.J. Lu
Modified: 2020-02-18 17:18 UTC (History)

Fixed In Version: openssl-1.1.1d-7.fc32
Clone Of:
Environment:
Last Closed: 2020-02-18 17:17:33 UTC
Type: Bug
Embargoed:

Description H.J. Lu 2020-01-07 20:39:28 UTC
Here are patches to enable CET against

commit 5fe82100857ff194e5728bafe9af1a27c9d5475c (origin/OpenSSL_1_1_1-stable)
Author: kinichiro <kinichiro.inoguchi>
Date:   Wed Dec 11 21:12:53 2019 +0900

    Check return value after loading config file
    
    CLA: trivial
    
    Reviewed-by: Paul Yang <kaishen.yy>
    Reviewed-by: Paul Dale <paul.dale>
    (Merged from https://github.com/openssl/openssl/pull/10607)
    
    (cherry picked from commit dd0139f416257ec5632414ed3ad8c61d07ba07ec)

at

https://github.com/hjl-tools/openssl/tree/hjl/cet/OpenSSL_1_1_1-stable

commit 3ad120902038222ffa402f48815058b7dfd7f5e7
Author: H.J. Lu <hjl.tools>
Date:   Tue Jan 7 10:15:45 2020 -0800

    i386: Add endbr32 to jump table in BF_cbc_encrypt
    
    Verified with
    
    $ CC="gcc -fcf-protection -Wl,-z,cet-report=error" MACHINE=i686 ./config
    $ make
    $ make test

commit 178cee06af2f039af8aa037640a7cf7345f7928e
Author: H.J. Lu <hjl.tools>
Date:   Sat Dec 14 09:48:18 2019 -0800

    i386: Add .note.gnu.property section for Intel CET
    
    When Intel CET is enabled, add .note.gnu.property section to i386
    assembly codes to mark Intel CET support and add "endbr32" at function
    entries.  Verified with
    
    $ CC="gcc -fcf-protection -Wl,-z,cet-report=error" MACHINE=i686 ./config
    $ make

commit b56fe54a0cb0320d8992062c756e5b1918bc833e
Author: H.J. Lu <hjl.tools>
Date:   Fri Dec 13 16:46:07 2019 -0800

    Use swapcontext for Intel CET
    
    Use swapcontext for Intel CET to swap shadow stack when switching
    context.  Verified with
    
    $ CC="gcc -fcf-protection -Wl,-z,cet-report=error" ./config
    $ make
    $ make test
    
    and
    
    $ CC="gcc -mx32 -fcf-protection -Wl,-z,cet-report=error" ./config
    $ make
    $ make test

commit aca068a77b1d60591c20ad0925ce62203e3935ac
Author: H.J. Lu <hjl.tools>
Date:   Fri Dec 13 13:42:12 2019 -0800

    x86_64: Add endbr64 at function entries for Intel CET
    
    When Intel CET is enabled, add endbr64 at function entries for Intel
    CET if needed.

commit fc90a77dc1d030141fda7bd70284f5722a98a422
Author: H.J. Lu <hjl.tools>
Date:   Fri Dec 13 13:27:20 2019 -0800

    x86_64: Add .note.gnu.property section for Intel CET
    
    When Intel CET is enabled, add .note.gnu.property section to x86_64
    assembly codes to mark Intel CET support.  Verified with
    
    $ CC="gcc -fcf-protection -Wl,-z,cet-report=error" ./config
    $ make
    
    and
    
    $ CC="gcc -mx32 -fcf-protection -Wl,-z,cet-report=error" ./config
    $ make

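The commits above mark x86 assembly objects with a .note.gnu.property section so the linker (here checked with -Wl,-z,cet-report=error) can verify that every input carries the Intel CET properties. The following is an added example, not part of the bug report or of OpenSSL's own code: a small parser for one such note that a packager can use to confirm the IBT and SHSTK bits are present. The constants are the x86-64 psABI values (NT_GNU_PROPERTY_TYPE_0 = 5, GNU_PROPERTY_X86_FEATURE_1_AND = 0xc0000002, IBT = 1, SHSTK = 2); the sample note bytes are constructed here for illustration, and the function names are this example's own.

```c
/* Added example (not from the bug report or OpenSSL): parse an ELF
 * .note.gnu.property note and report the Intel CET feature bits it carries.
 * Note layout (ELF gABI): namesz(4) descsz(4) type(4) name[namesz, padded to 4]
 * desc[descsz]; each GNU property in desc is pr_type(4) pr_datasz(4) data,
 * padded to 8 bytes on ELF64 and 4 bytes on ELF32. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask found in the note, or 0
 * when the note is not a GNU property note, is malformed, or has no x86
 * feature property at all. elf64 selects 8-byte (1) or 4-byte (0) padding. */
uint32_t cet_features_from_note(const unsigned char *note, size_t len, int elf64)
{
    size_t align = elf64 ? 8 : 4;
    if (len < 12)
        return 0;
    uint32_t namesz = rd32(note), descsz = rd32(note + 4), type = rd32(note + 8);
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4)
        return 0;
    size_t desc_off = 12 + ((namesz + 3) & ~(size_t)3);
    if (desc_off + descsz > len || memcmp(note + 12, "GNU", 4) != 0)
        return 0;
    const unsigned char *desc = note + desc_off;
    size_t off = 0;
    while (off + 8 <= descsz) {
        uint32_t pr_type = rd32(desc + off), pr_datasz = rd32(desc + off + 4);
        size_t data_off = off + 8;
        if (data_off + pr_datasz > descsz)
            return 0;                       /* truncated property: reject */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
            return rd32(desc + data_off);
        off = data_off + ((pr_datasz + align - 1) & ~(align - 1));
    }
    return 0;
}

/* 1 if both IBT and SHSTK are marked, which is what -z cet-report=error
 * requires of every input object; 0 otherwise. */
int note_is_cet_enabled(const unsigned char *note, size_t len, int elf64)
{
    uint32_t f = cet_features_from_note(note, len, elf64);
    return (f & GNU_PROPERTY_X86_FEATURE_1_IBT) &&
           (f & GNU_PROPERTY_X86_FEATURE_1_SHSTK);
}

/* Constructed sample: ELF64 note with IBT|SHSTK (what the x86_64 patch emits). */
const unsigned char sample_note_x86_64[32] = {
    4, 0, 0, 0,  16, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0,  4, 0, 0, 0,  0x03, 0, 0, 0,  0, 0, 0, 0
};

/* Constructed sample: ELF32 (i386) note marking IBT only, no shadow stack. */
const unsigned char sample_note_i386_ibt_only[28] = {
    4, 0, 0, 0,  12, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0,  4, 0, 0, 0,  0x01, 0, 0, 0
};

int main(void)
{
    printf("x86_64 sample: features=0x%x cet=%d\n",
           cet_features_from_note(sample_note_x86_64, sizeof sample_note_x86_64, 1),
           note_is_cet_enabled(sample_note_x86_64, sizeof sample_note_x86_64, 1));
    printf("i386 sample:   features=0x%x cet=%d\n",
           cet_features_from_note(sample_note_i386_ibt_only, sizeof sample_note_i386_ibt_only, 0),
           note_is_cet_enabled(sample_note_i386_ibt_only, sizeof sample_note_i386_ibt_only, 0));
    return 0;
}
```

On a real build the same information is visible with `readelf -n` on the built object or shared library, which lists the x86 feature property; an object without the note at all (for example hand-written assembly that the patches did not cover) is exactly what causes the -z cet-report=error link to fail.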
Comment 1 Tomas Mraz 2020-01-08 07:46:17 UTC
Please work with upstream OpenSSL project to get these patches merged to the master branch first.

Comment 2 H.J. Lu 2020-01-14 18:42:15 UTC
I opened:

https://github.com/openssl/openssl/pull/10829

Comment 3 H.J. Lu 2020-02-16 15:01:35 UTC
CET support has been merged into openssl master branch.  I backported it to OpenSSL_1_1_1-stable branch
on hjl/cet/OpenSSL_1_1_1-stable branch at

https://github.com/hjl-tools/openssl

Should I request backporting CET support to OpenSSL_1_1_1-stable branch?

Comment 4 Tomas Mraz 2020-02-17 09:57:55 UTC
No, upstream will not merge CET support to 1.1.1 branch as 1.1.1 branch is only for bug fixes.
