I just upgraded to Ubuntu 19.10 and noticed that they enable -fcf-protection by default in gcc which adds an endbr64 instruction in every function prologue. This seems strange for two reasons:
1) if you try to protect indirect branches, you really don't want to whitelist _all_ functions since that makes the mitigation pretty useless. 2) is there even hardware released that supports Intel CET? My understanding is that this is just a 4 byte NOP on all CPUs out there.
Replying to @_tsuro
re 1: yeah... re 2: but this way, when you do get a new CPU that supports it and plug that into your machine, CET can work immediately - this is also one of the reasons why drivers are sometimes submitted to the kernel long before corresponding hardware release, AFAIK
6:44 AM - 27 Oct 2019
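An added example, not part of the thread: a small C helper that recognizes the `endbr64` encoding (`F3 0F 1E FA`) the thread refers to and lists where it appears in a buffer of machine code, i.e. the addresses CET indirect branch tracking would accept as indirect-branch targets. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENDBR64 = F3 0F 1E FA, ENDBR32 = F3 0F 1E FB. Both sit in the hint-NOP
 * opcode space, so CPUs without CET execute them as 4-byte NOPs. */
static const uint8_t ENDBR64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
static const uint8_t ENDBR32[4] = {0xF3, 0x0F, 0x1E, 0xFB};

/* Returns 64 or 32 if the bytes at p begin with that marker, else 0. */
int endbr_kind(const uint8_t *p, size_t len)
{
    if (len < 4) return 0;
    if (memcmp(p, ENDBR64, 4) == 0) return 64;
    if (memcmp(p, ENDBR32, 4) == 0) return 32;
    return 0;
}

/* Byte-wise scan for ENDBR64. Stores up to max_out offsets in out and
 * returns the total number found. This is a heuristic: without a real
 * disassembler the pattern can also match inside immediates or data. */
size_t find_endbr64(const uint8_t *code, size_t len, size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(code + i, ENDBR64, 4) == 0) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed sample: two tiny x86-64 functions with marked entry points. */
const uint8_t SAMPLE[] = {
    0xF3, 0x0F, 0x1E, 0xFA,  /* endbr64        <- function 1 entry */
    0x55,                    /* push rbp */
    0x48, 0x89, 0xE5,        /* mov rbp, rsp */
    0x5D, 0xC3,              /* pop rbp ; ret */
    0xF3, 0x0F, 0x1E, 0xFA,  /* endbr64        <- function 2 entry */
    0x31, 0xC0, 0xC3         /* xor eax, eax ; ret */
};

int main(void)
{
    size_t offs[8];
    size_t n = find_endbr64(SAMPLE, sizeof SAMPLE, offs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("endbr64 at offset %zu\n", offs[i]);
    return 0;
}
```

On a real binary the same check is usually done by disassembling and looking for `endbr64` at function entries, which avoids the false matches a raw byte scan can produce.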