authorH.J. Lu <hjl.tools@gmail.com>2020-02-28 09:52:08 -0800
committerNiels Möller <nisse@lysator.liu.se>2020-03-14 11:49:29 +0100
commit99118f50b0f6cf695c82f3c2da7b9b5f9d850ef8 (patch)
tree506b34f192bfedcfa244a83cb13fff5f046c4420
parent46fcc7f0b6abffd2632d8809ef8dc8f70e4a1ff9 (diff)
downloadnettle-99118f50b0f6cf695c82f3c2da7b9b5f9d850ef8.tar.gz
x86: Add ASM_X86_ENDBR and x86 CET marker to config.m4.in
Intel Control-flow Enforcement Technology (CET): https://software.intel.com/en-us/articles/intel-sdm contains shadow stack (SHSTK) and indirect branch tracking (IBT). When CET is enabled, ELF object files must be marked with .note.gnu.property section. Also when IBT is enabled, all indirect branch targets must start with ENDBR instruction. This patch adds ASM_X86_ENDBR and the x86 CET marker to config.m4.in when CET is enabled. It updates PROLOGUE with ASM_X86_ENDBR. Tested on CET machine with i686 and x86-64. Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
-rw-r--r--asm.m42
-rw-r--r--config.m4.in3
-rw-r--r--configure.ac65
3 files changed, 69 insertions, 1 deletions
diff --git a/asm.m4 b/asm.m4
index 8da47201..59d64098 100644
--- a/asm.m4
+++ b/asm.m4
@@ -32,7 +32,7 @@ define(<GMP_NUMB_BITS>,<>)dnl
define(<PROLOGUE>,
<.globl C_NAME($1)
DECLARE_FUNC(C_NAME($1))
-C_NAME($1):>)
+C_NAME($1): ASM_X86_ENDBR>)
define(<EPILOGUE>,
<ifelse(ELF_STYLE,yes,
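Review bot: `ASM_X86_ENDBR` is emitted only at the exported entry label that `PROLOGUE` generates, so any label inside an .asm file that is reached through an indirect `jmp` or `call` (a jump table or computed dispatch) gets no ENDBR. The note added in configure.ac still declares the whole object IBT-compatible. Nothing in this hunk shows whether such internal targets exist, so the x86 and x86_64 .asm files are worth auditing for them; on an IBT-enforcing system, such a branch would raise a control-protection fault. A comment above the define would also help, for example `dnl ASM_X86_ENDBR expands to endbr32/endbr64 when CET is enabled, otherwise to nothing; it must stay the first instruction after the entry label`. The `EPILOGUE` definition that follows continues outside the hunk.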
diff --git a/config.m4.in b/config.m4.in
index 11f90a40..f7f5f283 100644
--- a/config.m4.in
+++ b/config.m4.in
@@ -8,6 +8,9 @@ define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl
define(<W64_ABI>, <@W64_ABI@>)dnl
define(<RODATA>, <@ASM_RODATA@>)dnl
define(<WORDS_BIGENDIAN>, <@ASM_WORDS_BIGENDIAN@>)dnl
+define(<ASM_X86_ENDBR>,<@ASM_X86_ENDBR@>)dnl
+define(<ASM_X86_MARK_CET_ALIGN>,<@ASM_X86_MARK_CET_ALIGN@>)dnl
divert(1)
+@ASM_X86_MARK_CET@
@ASM_MARK_NOEXEC_STACK@
divert
diff --git a/configure.ac b/configure.ac
index ba3ab7c6..05849fb6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -803,6 +803,68 @@ EOF
ASM_ALIGN_LOG="$nettle_cv_asm_align_log"
fi
+dnl Define
+dnl 1. ASM_X86_ENDBR for endbr32/endbr64.
+dnl 2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark
+dnl Intel CET support if needed.
+dnl 3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET.
+AC_CACHE_CHECK([if Intel CET is enabled],
+ [nettle_cv_asm_x86_intel_cet],
+ [AC_TRY_COMPILE([
+#ifndef __CET__
+#error Intel CET is not enabled
+#endif
+ ], [],
+ [nettle_cv_asm_x86_intel_cet=yes],
+ [nettle_cv_asm_x86_intel_cet=no])])
+if test "$nettle_cv_asm_x86_intel_cet" = yes; then
+ case $ABI in
+ 32|standard)
+ ASM_X86_ENDBR=endbr32
+ ASM_X86_MARK_CET_ALIGN=2
+ ;;
+ 64)
+ ASM_X86_ENDBR=endbr64
+ ASM_X86_MARK_CET_ALIGN=3
+ ;;
+ x32)
+ ASM_X86_ENDBR=endbr64
+ ASM_X86_MARK_CET_ALIGN=2
+ ;;
+ esac
+ AC_CACHE_CHECK([if .note.gnu.property section is needed],
+ [nettle_cv_asm_x86_gnu_property],
+ [AC_TRY_COMPILE([
+#if !defined __ELF__ || !defined __CET__
+#error GNU property is not needed
+#endif
+ ], [],
+ [nettle_cv_asm_x86_gnu_property=yes],
+ [nettle_cv_asm_x86_gnu_property=no])])
+else
+ nettle_cv_asm_x86_gnu_property=no
+fi
+if test "$nettle_cv_asm_x86_gnu_property" = yes; then
+ ASM_X86_MARK_CET='
+ .pushsection ".note.gnu.property", "a"
+ .p2align ASM_X86_MARK_CET_ALIGN
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+0:
+ .asciz "GNU"
+1:
+ .p2align ASM_X86_MARK_CET_ALIGN
+ .long 0xc0000002
+ .long 3f - 2f
+2:
+ .long 3
+3:
+ .p2align ASM_X86_MARK_CET_ALIGN
+4:
+ .popsection'
+fi
+
AC_SUBST(ASM_SYMBOL_PREFIX)
AC_SUBST(ASM_ELF_STYLE)
AC_SUBST(ASM_COFF_STYLE)
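Review bot: The property word `.long 3` at label `2:` declares both IBT and SHSTK whenever `__CET__` is defined at all, but `__CET__` is a bitmask (1 for branch protection, 2 for return protection), so a build that enables only one of them still stamps every assembly object as supporting both. Because the note is an assertion that the linker and loader trust, the value should be derived from the macro or at least documented next to the template, for example `dnl type 5 = NT_GNU_PROPERTY_TYPE_0, 0xc0000002 = GNU_PROPERTY_X86_FEATURE_1_AND, 3 = IBT|SHSTK`. The `case $ABI` block also has no `*)` arm, so an unexpected ABI value leaves `ASM_X86_ENDBR` and `ASM_X86_MARK_CET_ALIGN` empty while the note is still emitted with a bare `.p2align`. A default arm calling `AC_MSG_ERROR` would turn that into a configure-time failure instead.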
@@ -813,6 +875,9 @@ AC_SUBST(ASM_ALIGN_LOG)
AC_SUBST(W64_ABI)
AC_SUBST(ASM_WORDS_BIGENDIAN)
AC_SUBST(EMULATOR)
+AC_SUBST(ASM_X86_ENDBR)
+AC_SUBST(ASM_X86_MARK_CET)
+AC_SUBST(ASM_X86_MARK_CET_ALIGN)
AC_SUBST(LIBNETTLE_MAJOR)
AC_SUBST(LIBNETTLE_MINOR)