From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id EA065158041 for ; Sat, 16 Mar 2024 12:12:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 525AEE29F4; Sat, 16 Mar 2024 12:12:11 +0000 (UTC) Received: from ciao.gmane.io (ciao.gmane.io [116.202.254.214]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id F195CE29B5 for ; Sat, 16 Mar 2024 12:12:10 +0000 (UTC) Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1rlStV-0005Lh-BX for gentoo-dev@lists.gentoo.org; Sat, 16 Mar 2024 13:12:09 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: gentoo-dev@lists.gentoo.org From: Duncan <1i5t5.duncan@cox.net> Subject: [gentoo-dev] Re: Profile 23.0 testing with stages and binhost (part 2 of 2) Date: Sat, 16 Mar 2024 12:12:04 -0000 (UTC) Message-ID: References: <23517098.6Emhk5qWAg@noumea> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit User-Agent: Pan/0.155 (Kherson; 2d0b7843d) X-Archives-Salt: 842bec62-ac1c-4187-8475-c19eaa1db227 X-Archives-Hash: b9bd580bd95b3266e0422fabd189cd3d Andreas K. Huettel posted on Fri, 15 Mar 2024 19:12:54 +0100 as excerpted: > Note 3: amd64 now has CET turned on by default. > https://docs.kernel.org/next/x86/shstk.html If you have already used the > unannounced 23.0 profiles, you should wipe your package cache and emerge > -ev world now. There's not much about CET in any of the links. While the kernel.org link describes what it does (in a line, "yese": yet another security enhancement) a bit, it doesn't say how to actually find whether your hardware supports it, and the gentoo wiki and bug links say even less -- in particular, unless I missed it, the changes and update instructions links don't appear to mention CET or shadow-stacks AT ALL. What I ended up doing here after some DDG googling, was emerging cpuid, then doing: $$ cpuid -1 | grep -i 'cet\|shadow' CET_SS: CET shadow stack = false CET_IBT: CET indirect branch tracking = false CET_U user state = false CET_S supervisor state = false supervisor shadow stack = false With all of those false it would seem CET can't work here in any case so there's no point rebuilding again, which is what I already suspected but wanted to /know/. (I've been on a 23.0 merged-usr profile[1] for some time now as I already had much of what it does already enabled before the new profiles were announced here, so it /would/ be "rebuilding again" to get that, but as it seems it won't do anything useful anyway...) Clearer instructions for finding that out (and preferably what actually has to be true, I still don't know that for sure) so others don't have to google it, could be useful. --- [1] Already on a merged-usr profile: Of course including developing an auto-applied-on-update patch to do s:[[ ! -h "${EROOT%/}/bin" ]]:false: to the profile bashrc after that test was added, because I am indeed usr- merged (on systemd) here but that test fails because the operating symlink is /usr -> . instead, aka reverse-usrmerge. Tho making the canonical path /realbin and doing /bin -> /realbin would appear to satisfy the test too, and would allow me to avoid patching the profile bashrc, but at least here, having /bin be the system's real bin location is part of the _point_ of a reverse-usrmerge. -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman