[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Changed in: intel
       Status: New => Invalid

** Information type changed from Public to Private

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-intel in Ubuntu.
https://bugs.launchpad.net/bugs/1929889

Title:
  [TGL][ADL] Enable CET(Control-flow Enforcement Technology)

Status in intel:
  Invalid
Status in intel lookout-canyon series:
  Invalid
Status in linux-intel package in Ubuntu:
  Invalid
Status in linux-intel source package in Focal:
  Invalid

Bug description:
  Description
  Enable Tiger Lake ROP CET(Control-flow Enforcement Technology)
  An upcoming Intel® processor family feature that counters return/jump-oriented programming (ROP) attacks

  Hardware: Tiger Lake & Alder Lake

  Target Release: 21.04
  Target Kernel: TBD

  External links:
  https://github.com/intel/linux-intel-quilt/tree/mainline-tracking-v5.11-yocto-210223T083754Z

To manage notifications about this bug go to:
https://bugs.launchpad.net/intel/+bug/1929889/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@Canonical, After speaking to CET experts at Intel, these CET kernel patches are not needed anymore since the feature is still in development and future directions might change. Hence closing this LP as Invalid

** Changed in: linux-intel (Ubuntu Focal)
       Status: New => Invalid

** Changed in: intel/lookout-canyon
       Status: New => Invalid

** Changed in: linux-intel (Ubuntu)
       Status: Triaged => Invalid
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@Dimitri Intel has done a few experiments to enable CET on Ubuntu 20.04. Here are some details:

In my experiment on Ubuntu 20.04, glibc should be updated to 2.34, and busybox should be built on glibc 2.34 (to create the initramfs during kernel install). Then Ubuntu 20.04 can start, and CET is enabled.

The diff between glibc 2.31 and glibc 2.34 is listed below (the base glibc in 20.04 is 2.31, 21.04 is 2.34):

ea26ff0322 x86: Copy IBT and SHSTK usable only if CET is enabled
04dff6fc0d x86: Properly set usable CET feature bits [BZ #26625]
2ef23b5205 x86: Set header.feature_1 in TCB for always-on CET [BZ #27177]
c02695d776 x86/CET: Update vfork to prevent child return
9e38f455a6 x86: Add --enable-cet=permissive
674ea88294 x86: Move CET control to _dl_x86_feature_control [BZ #25887]
1fabdb9908 x86: Remove ARCH_CET_LEGACY_BITMAP [BZ #25397]
5d844e1b72 i386: Enable CET support in ucontext functions
0455f251f4 i386: Use ENTRY/END in assembly codes
825b58f3fb i386-mcount.S: Add _CET_ENDBR to _mcount and __fentry__
4031d7484a i386/sub_n.S: Add a missing _CET_ENDBR to indirect jump target
15eab1e3e8 i386: Don't unnecessarily save and restore EAX, ECX and EDX [BZ# 25262]
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@Dimitri John Ledkov (xnox) I am working on the kernel side.

@SACHIN MOKASHI Could you please provide info about glibc CET support?
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
I had a poke at this, and although the cet-backport.diff file is present in the source package, it is not actually applied and hasn't been since some time in Groovy's development cycle afaict. This makes sense because also afaict, this all went upstream in glibc 2.32, which was the version in groovy.

So is what's needed a backport of this to focal? cet-backport.diff applies cleanly to the package I am preparing for upload to focal, so from that side of things it's all OK. We need a nice explicit glibc SRU bug clearly asking for this, complete with test case before that can happen though. I don't feel like I would be the best person to file this bug! (to put it mildly).
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@chaoqin

In https://bugs.launchpad.net/intel/+bug/1842239, the glibc patches point at https://gitlab.com/x86-glibc/glibc/-/commits/users/hjl/cet/2.31 which we have been applying. Currently we ship them as a backported patch, see https://git.launchpad.net/ubuntu/+source/glibc/tree/debian/patches/ubuntu/cet-backport.diff in various branches.

However I am noticing discrepancies. For example, it seems we don't apply patches from https://gitlab.com/x86-glibc/glibc/-/commits/users/hjl/cet/PROT_SHSTK specifically https://gitlab.com/x86-glibc/glibc/-/commit/d6848e331f1bc46824de38b520348fae8b0c4f99

But also I'm not sure if we need it. I see that in the CET enabled kernel we did use ARCH_X86_CET_STATUS but our glibc is still using ARCH_CET_STATUS. Also the patch that switches to using ARCH_X86_CET_STATUS starts to use PROT_SHSTK which I cannot find in the kernel patches.

Are ubuntu glibc cet patches out of date w.r.t. kernel CET patches we have tried to enable? Do you have CET patches for glibc 2.34 and for 2.31 that match the latest revisions of the kernel patches?

Hoping to see something that is compatible between the two, because at the moment it looks like our glibc does not match the proposed kernel patches.
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@Dimitri John Ledkov (xnox) Yes, it needs to patch glibc for CET support as in bug https://bugs.launchpad.net/intel/+bug/1842239

Could you please share the commit ID that is still needed? These patches listed in the bug are based on v5.13.
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
@Chao Qin (chaoqin) @anthonywong

Do we also need to patch glibc to turn on CET support? Most of Ubuntu binaries have CET enabled, but I thought there was still a patch needed to turn the CET support on due to changes in the CET patches done as per kernel upstream feedback. Or is this patch series compatible with Ubuntu userspace glibc and hence CET will work with this kernel and existing ubuntu binaries?
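The "CET enabled" marking of a binary that the message above refers to is stored in its `.note.gnu.property` section as the IBT and SHSTK bits of `GNU_PROPERTY_X86_FEATURE_1_AND`. The following is an added example, not part of the thread or of any project's code, that decodes those bits; it assumes an ELF64 little-endian section, and `cet_feature_bits` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the GNU program property note definition (x86-64 psABI). */
#define NT_GNU_PROPERTY_TYPE_0           5u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0) /* indirect branch tracking */
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1) /* shadow stack */

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit load */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static size_t align8(size_t v) { return (v + 7u) & ~(size_t)7u; }

/* Walk the notes in `sec` and store the FEATURE_1_AND bits in *bits
 * (0 if the property is absent). Returns 0 on success, -1 if a size
 * field points past the end of the section. */
int cet_feature_bits(const uint8_t *sec, size_t len, uint32_t *bits)
{
    size_t off = 0;
    *bits = 0;
    while (len - off >= 12) {
        uint32_t namesz = rd32(sec + off), descsz = rd32(sec + off + 4);
        uint32_t type = rd32(sec + off + 8);
        size_t name = off + 12, desc, p = 0;
        if (namesz > len - name) return -1;
        desc = align8(name + namesz);
        if (desc > len || descsz > len - desc) return -1;
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name, "GNU", 4) == 0) {
            while (p <= descsz && descsz - p >= 8) {
                uint32_t pr_type = rd32(sec + desc + p);
                uint32_t pr_datasz = rd32(sec + desc + p + 4);
                if (pr_datasz > descsz - p - 8) return -1;
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    *bits = rd32(sec + desc + p + 8);
                p += 8 + align8(pr_datasz); /* properties are 8-byte padded */
            }
        }
        off = align8(desc + descsz);
        if (off > len) break;
    }
    return 0;
}

/* Constructed sample sections (not taken from any real binary). */
static const uint8_t note_cet[] = {        /* FEATURE_1_AND = IBT | SHSTK */
    4,0,0,0, 0x10,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0x00,0x00,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0 };
static const uint8_t note_legacy[] = {     /* only an unrelated property */
    4,0,0,0, 0x10,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0x80,0x00,0xc0, 4,0,0,0, 1,0,0,0, 0,0,0,0 };

int main(void)
{
    uint32_t bits;
    int rc = cet_feature_bits(note_cet, sizeof note_cet, &bits);
    printf("marked:    rc=%d IBT=%d SHSTK=%d\n", rc,
           !!(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
           !!(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    rc = cet_feature_bits(note_legacy, sizeof note_legacy, &bits);
    printf("unmarked:  rc=%d bits=%u\n", rc, (unsigned)bits);
    rc = cet_feature_bits(note_cet, 20, &bits); /* descriptor cut short */
    printf("truncated: rc=%d\n", rc);
    return 0;
}
```

The marker only says the binary is compatible with CET; whether shadow stack or IBT is actually enforced still depends on the kernel and glibc agreeing, which is the question raised in this thread. On a real system, `readelf -n` on the binary reports the same property as `x86 feature: IBT, SHSTK`.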
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Tags removed: verification-failed-focal
** Tags added: verification-done-focal
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Also affects: intel/lookout-canyon
   Importance: Undecided
       Status: New
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Tags removed: verification-done-focal
** Tags added: verification-failed-focal

** Changed in: linux-intel (Ubuntu Focal)
     Assignee: Alex Hung (alexhung) => (unassigned)

** Changed in: linux-intel (Ubuntu)
     Assignee: Alex Hung (alexhung) => (unassigned)
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
This bug is awaiting verification that the linux-intel-5.13/5.13.0-1006.6 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Description changed: Description Enable Tiger Lake ROP CET(Control-flow Enforcement Technology) An upcoming Intel® processor family feature that counters return/jump-oriented programming (ROP) attacks - Hardware: Tiger Lake + Hardware: Tiger Lake & Alder Lake Target Release: 21.04 Target Kernel: TBD External links: https://github.com/intel/linux-intel-quilt/tree/mainline-tracking-v5.11-yocto-210223T083754Z
[Kernel-packages] [Bug 1929889] Re: [TGL][ADL] Enable CET(Control-flow Enforcement Technology)
** Summary changed: - [TGL] Enable Tiger Lake ROP CET(Control-flow Enforcement Technology) + [TGL][ADL] Enable CET(Control-flow Enforcement Technology) ** Tags added: iotg-adl