diff options
| author | H.J. Lu <hjl.tools@gmail.com> | 2018-07-18 11:34:35 -0700 |
|---|---|---|
| committer | H.J. Lu <hjl.tools@gmail.com> | 2018-07-18 11:35:03 -0700 |
| commit | 6d90776dff7e70e08fa46f9cd7576dd0eeb06da2 (patch) | |
| tree | d7e1a50c8b2f4e1b48dd20f6440e244de2ee56d7 | |
| parent | e6c695099b7894bce72de04009c889c8f6e674ae (diff) | |
x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk
* manual/tunables.texi: Document glibc.tune.x86_ibt and
glibc.tune.x86_shstk.
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | manual/tunables.texi | 28 |
2 files changed, 33 insertions, 0 deletions
@@ -1,5 +1,10 @@ 2018-07-18 H.J. Lu <hongjiu.lu@intel.com> + * manual/tunables.texi: Document glibc.tune.x86_ibt and + glibc.tune.x86_shstk. + +2018-07-18 H.J. Lu <hongjiu.lu@intel.com> + * NEWS: Mention --enable-cet. * manual/install.texi: Document --enable-cet. * INSTALL: Regenerated. diff --git a/manual/tunables.texi b/manual/tunables.texi index be33c9fc79..bb4819bdf1 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -356,3 +356,31 @@ to set threshold in bytes for non temporal store. This tunable is specific to i386 and x86-64. @end deftp + +@deftp Tunable glibc.tune.x86_ibt +The @code{glibc.tune.x86_ibt} tunable allows the user to control how +indirect branch tracking (IBT) should be enabled. Accepted values are +@code{on}, @code{off}, and @code{permissive}. @code{on} always turns +on IBT regardless of whether IBT is enabled in the executable and its +dependent shared libraries. @code{off} always turns off IBT regardless +of whether IBT is enabled in the executable and its dependent shared +libraries. @code{permissive} is the same as the default which disables +IBT on non-CET executables and shared libraries. + +This tunable is specific to i386 and x86-64. +@end deftp + +@deftp Tunable glibc.tune.x86_shstk +The @code{glibc.tune.x86_shstk} tunable allows the user to control how +the shadow stack (SHSTK) should be enabled. Accepted values are +@code{on}, @code{off}, and @code{permissive}. @code{on} always turns on +SHSTK regardless of whether SHSTK is enabled in the executable and its +dependent shared libraries. @code{off} always turns off SHSTK regardless +of whether SHSTK is enabled in the executable and its dependent shared +libraries. @code{permissive} changes how dlopen works on non-CET shared +libraries. By default, when SHSTK is enabled, dlopening a non-CET shared +library returns an error. With @code{permissive}, it turns off SHSTK +instead. + +This tunable is specific to i386 and x86-64. +@end deftp |