Bug 1791906 - With CET enabled: /lib64/libgcrypt.so.20: shadow stack isn't enabled: Invalid argument
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libgcrypt
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1802674
Reported: 2020-01-16 16:49 UTC by H.J. Lu
Modified: 2020-04-24 13:09 UTC (History)

Fixed In Version: libgcrypt-1.8.5-3.fc32
Clone Of:
Environment:
Last Closed: 2020-02-18 17:13:26 UTC
Type: Bug
Embargoed:



Description H.J. Lu 2020-01-16 16:49:58 UTC
On a CET machine, I got

Jan 07 13:44:23 gnu-tgl-1.sc.intel.com su[1687]: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /lib64/libgcrypt.so.20: shadow stack isn't enabled: Invalid argument

Comment 1 H.J. Lu 2020-01-16 20:33:06 UTC
hjl/cet/LIBGCRYPT-1.8-BRANCH and hjl/cet/master branches at

https://gitlab.com/cet-software/libgcrypt

have patches to enable CET.  Can someone from Fedora work with me to upstream them?

Comment 2 Tomas Mraz 2020-01-21 16:15:13 UTC
Unfortunately I do not have much influence on what upstream accepts or not. I'd suggest opening a task on https://dev.gnupg.org/ with a pointer to your gitlab repository.

Comment 3 H.J. Lu 2020-01-22 22:40:03 UTC
(In reply to Tomas Mraz from comment #2)
> Unfortunately I do not have much influence on what upstream accepts or not.
> I'd suggest opening a task on https://dev.gnupg.org/ with a pointer to your
> gitlab repository.

My patches have been checked into the master branch. Will Fedora take the master branch?

Comment 4 Tomas Mraz 2020-01-23 12:21:03 UTC
No, but I can try to backport them myself, or if you want to help, please provide a backported patch.

Comment 5 H.J. Lu 2020-01-23 12:55:10 UTC
(In reply to Tomas Mraz from comment #4)
> No, but I can try to backport them myself, or if you want to help, please
> provide a backported patch.

See:

https://gitlab.com/cet-software/libgcrypt/tree/hjl/cet/LIBGCRYPT-1.8-BRANCH

Comment 6 Tomas Mraz 2020-04-24 12:50:47 UTC
As I've backported some AES related improvements from master in rawhide build https://koji.fedoraproject.org/koji/buildinfo?buildID=1497377, it would be nice if you could please verify that I did not break the CET support with this backport.

Comment 7 H.J. Lu 2020-04-24 13:09:24 UTC
It is OK:

$ readelf -n libgcrypt.so.20 2>&1 | grep IBT
      Properties: x86 feature: IBT, SHSTK
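
The `readelf -n` check in comment 7 reads the `GNU_PROPERTY_X86_FEATURE_1_AND` entry of the library's GNU property note. The following Python is an added example, not part of the bug report or of libgcrypt: it decodes the same entry from an ELF64 image, and `sample_elf` builds a constructed image so the block runs without a real library. The function names are this example's own.

```python
import struct

PT_NOTE, PT_GNU_PROPERTY = 4, 0x6474E553
NT_GNU_PROPERTY_TYPE_0, GNU_PROPERTY_X86_FEATURE_1_AND = 5, 0xC0000002
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}

def _up(n, a):
    return (n + a - 1) & ~(a - 1)  # round n up to a multiple of a

def _notes(seg, align):
    """Yield (name, type, desc) for each note in a note segment."""
    pos = 0
    while pos + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
        desc_off = _up(pos + 12 + namesz, align)
        yield seg[pos + 12:pos + 12 + namesz], ntype, seg[desc_off:desc_off + descsz]
        pos = _up(desc_off + descsz, align)

def _properties(desc):
    """Yield (pr_type, data) for each entry of a GNU property descriptor."""
    pos = 0
    while pos + 8 <= len(desc):
        pr_type, size = struct.unpack_from("<II", desc, pos)
        yield pr_type, desc[pos + 8:pos + 8 + size]
        pos = _up(pos + 8 + size, 8)  # entries are 8-byte aligned on ELF64

def cet_features(elf):
    """Return the CET markings ("IBT", "SHSTK") of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    phoff, entsz, phnum = struct.unpack_from("<Q14xHH", elf, 0x20)
    found = set()
    for i in range(phnum):
        p_type, _, off, _, _, size, _, p_align = struct.unpack_from("<IIQQQQQQ", elf, phoff + i * entsz)
        if p_type in (PT_NOTE, PT_GNU_PROPERTY):
            for name, ntype, desc in _notes(elf[off:off + size], 8 if p_align == 8 else 4):
                if (name, ntype) == (b"GNU\0", NT_GNU_PROPERTY_TYPE_0):
                    for pr_type, data in _properties(desc):
                        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and data:
                            found |= {n for b, n in FEATURE_BITS.items() if data[0] & b}
    return found

def sample_elf(bits):
    """Constructed sample: ELF64 header, one PT_GNU_PROPERTY header, one note."""
    note = struct.pack("<III4sIII4x", 4, 16, 5, b"GNU\0", 0xC0000002, 4, bits)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 120, 120, 32, 32, 8)
    return ehdr + phdr + note
```

For a real library, pass the file contents (`open(path, "rb").read()`) to `cet_features`; a result without `"SHSTK"` is the condition the dlopen error in the description reports.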

