[PATCH 24/24] Intel CET: Document --enable-cet

[PATCH 24/24] Intel CET: Document --enable-cet

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 395 bytes --]

On Tue, May 8, 2018 at 2:03 PM, Joseph Myers <joseph@codesourcery.com> wrote:
> On Tue, 8 May 2018, H.J. Lu wrote:
>
>>       * configure.ac: Add --enable-cet.
>
> A new configure option needs documenting in install.texi, with INSTALL
> regenerated.  I'd also expect such a new feature to have a NEWS entry
> added somewhere in the patch series.
>

Here is a separate patch for them.


-- 
H.J.

[-- Attachment #2: 0024-Intel-CET-Document-enable-cet.patch --]
[-- Type: text/x-patch, Size: 2731 bytes --]

From 86e85fcd5ca2a2f58b232f83dbbae93c8c6a0812 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH 24/24] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 7 +++++++
 NEWS                | 7 +++++++
 manual/install.texi | 7 +++++++
 3 files changed, 21 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..8782c9607c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,13 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK). This feature is currently supported on i386, x86_64 and
+     x32 with GCC 8 and binutils 2.29 or later.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
diff --git a/NEWS b/NEWS
index 5155c86318..7ed475dc4b 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,13 @@ Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
+  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
+  2.29 or later.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
 
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..e8f1bbdb0a 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,13 @@ with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK).  This
+feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
-- 
2.17.0

Re: [PATCH 24/24] Intel CET: Document --enable-cet

[Florian Weimer]

On 05/09/2018 11:31 PM, H.J. Lu wrote:
> +* The GNU C Library can now be compiled with support for Intel CET, AKA
> +  Intel Control-flow Enforcement Technology.  When the library is built
> +  with --enable-cet, the resulting glibc is protected with indirect
> +  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
> +  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
> +  2.29 or later.

Both texts should say something about compatibility.  AFAIK, an 
--enable-cet glibc supports all existing binaries, but requires CPUs 
which support long NOPs (so AMD Geode is out, for example).

Thanks,
Florian

Re: [PATCH 24/24] Intel CET: Document --enable-cet

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 738 bytes --]

On Mon, May 14, 2018 at 10:44 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/09/2018 11:31 PM, H.J. Lu wrote:
>>
>> +* The GNU C Library can now be compiled with support for Intel CET, AKA
>> +  Intel Control-flow Enforcement Technology.  When the library is built
>> +  with --enable-cet, the resulting glibc is protected with indirect
>> +  branch tracking (IBT) and shadow stack (SHSTK).  This feature is
>> +  currently supported on i386, x86_64 and x32 with GCC 8 and binutils
>> +  2.29 or later.
>
>
> Both texts should say something about compatibility.  AFAIK, an --enable-cet
> glibc supports all existing binaries, but requires CPUs which support long
> NOPs (so AMD Geode is out, for example).
>

Like this?

-- 
H.J.

[-- Attachment #2: 0001-Intel-CET-Document-enable-cet.patch --]
[-- Type: text/x-patch, Size: 3427 bytes --]

From 8a4e0709ee1c6c5d6c76b40966feebe3ad7e4c0a Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..625e7b1673 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK). CET-enabled glibc is compatible with all existing
+     executables and shared libraries.  This feature is currently
+     supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or
+     later.  Note that CET-enabled glibc requires CPUs capable of
+     multi-byte NOPs, like x86-64 processors as well as Intel Pentium
+     Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
diff --git a/NEWS b/NEWS
index 5155c86318..8b23de4de8 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
 
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..b2ee748673 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,16 @@ with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled
+glibc is compatible with all existing executables and shared libraries.
+This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs capable
+of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
-- 
2.17.0

Re: [PATCH 24/24] Intel CET: Document --enable-cet

[Florian Weimer]

On 05/14/2018 09:45 PM, H.J. Lu wrote:
> Like this?

Looks good, with one nit:

> +     (SHSTK). CET-enabled glibc is compatible with all existing

Missing space after period.

> +with indirect branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled

You need to write “(SHSTK)@.” to add the missing space.

Thanks,
Florian

Re: [PATCH 24/24] Intel CET: Document --enable-cet

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]

On Mon, May 14, 2018 at 12:48 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/14/2018 09:45 PM, H.J. Lu wrote:
>>
>> Like this?
>
>
> Looks good, with one nit:
>
>> +     (SHSTK). CET-enabled glibc is compatible with all existing
>
>
> Missing space after period.
>
>> +with indirect branch tracking (IBT) and shadow stack (SHSTK).
>> CET-enabled
>
>
> You need to write “(SHSTK)@.” to add the missing space.
>

Thanks for the tip.  Here is the updated patch.

-- 
H.J.

[-- Attachment #2: 0001-Intel-CET-Document-enable-cet.patch --]
[-- Type: text/x-patch, Size: 3429 bytes --]

From 9b15e68f8d6b2217c56fcd66ed454ff78c5c1114 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 9 May 2018 08:28:29 -0700
Subject: [PATCH] Intel CET: Document --enable-cet

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..5e6d80480b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK).  CET-enabled glibc is compatible with all existing
+     executables and shared libraries.  This feature is currently
+     supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or
+     later.  Note that CET-enabled glibc requires CPUs capable of
+     multi-byte NOPs, like x86-64 processors as well as Intel Pentium
+     Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
diff --git a/NEWS b/NEWS
index 5155c86318..8b23de4de8 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
 
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..62aec719d7 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,16 @@ with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK)@.  CET-enabled
+glibc is compatible with all existing executables and shared libraries.
+This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs capable
+of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
-- 
2.17.0

[PATCH-V2: 00/24] CET: Prepare for CET enabling

[H.J. Lu]

This is the first set of patches to enable CET, excluding changes which
use the new CET system calls.  The complete set of patches is available
on hjl/cet/master branch at:

https://github.com/hjl-tools/glibc/tree/hjl/cet/master

I will submit the second set of patches with the new CET system calls,
which are on Linux kernel CET branch:

https://github.com/yyu168/linux_cet

later.


H.J. Lu (24):
  x86: Rename __glibc_reserved1 to feature_1 in tcbhead_t [BZ #22563]
  x86: Support shadow stack pointer in setjmp/longjmp
  x86: Support IBT and SHSTK in Intel CET [BZ #21598]
  x86: Add _CET_ENDBR to functions in crti.S
  x86: Add _CET_ENDBR to functions in dl-tlsdesc.S
  x86-64: Add _CET_ENDBR to STRCMP_SSE42
  i386: Add _CET_ENDBR to indirect jump targets in add_n.S/sub_n.S
  x86: Update vfork to pop shadow stack
  x86_64: Use _CET_NOTRACK in strcmp.S
  x86-64: Use _CET_NOTRACK in strcpy-sse2-unaligned.S
  x86-64: Use _CET_NOTRACK in strcmp-sse42.S
  x86-64: Use _CET_NOTRACK in memcpy-ssse3-back.S
  x86-64: Use _CET_NOTRACK in memcmp-sse4.S
  x86-64: Use _CET_NOTRACK in memcpy-ssse3.S
  i386: Use _CET_NOTRACK in i686/memcmp.S
  i386: Use _CET_NOTRACK in memset-sse2.S
  i386: Use _CET_NOTRACK in memcmp-sse4.S
  i386: Use _CET_NOTRACK in memcpy-ssse3-rep.S
  i386: Use _CET_NOTRACK in memcpy-ssse3.S
  i386: Use _CET_NOTRACK in strcpy-sse2.S
  i386: Use _CET_NOTRACK in strcat-sse2.S
  i386: Use _CET_NOTRACK in memset-sse2-rep.S
  x86-64: Add endbr64 to tst-quadmod[12].S
  Intel CET: Document --enable-cet

 INSTALL                                       |  11 ++
 NEWS                                          |  10 +
 configure                                     |  11 ++
 configure.ac                                  |   6 +
 elf/dl-load.c                                 |  61 +++---
 elf/dl-open.c                                 |   4 +
 elf/rtld.c                                    |  12 ++
 manual/install.texi                           |  10 +
 nptl/pthread_create.c                         |   5 +
 sysdeps/i386/__longjmp.S                      |  78 ++++++++
 sysdeps/i386/add_n.S                          |  27 ++-
 sysdeps/i386/bsd-_setjmp.S                    |  21 ++
 sysdeps/i386/bsd-setjmp.S                     |  21 ++
 sysdeps/i386/crti.S                           |   2 +
 sysdeps/i386/dl-tlsdesc.S                     |   7 +
 sysdeps/i386/dl-trampoline.S                  |  72 +++++++
 sysdeps/i386/i686/add_n.S                     |  27 ++-
 sysdeps/i386/i686/memcmp.S                    |   4 +-
 sysdeps/i386/i686/multiarch/memcmp-sse4.S     |   4 +-
 .../i386/i686/multiarch/memcpy-ssse3-rep.S    |   8 +-
 sysdeps/i386/i686/multiarch/memcpy-ssse3.S    |   4 +-
 sysdeps/i386/i686/multiarch/memset-sse2-rep.S |   4 +-
 sysdeps/i386/i686/multiarch/memset-sse2.S     |   4 +-
 sysdeps/i386/i686/multiarch/strcat-sse2.S     |   4 +-
 sysdeps/i386/i686/multiarch/strcpy-sse2.S     |   4 +-
 sysdeps/i386/nptl/tcb-offsets.sym             |   1 +
 sysdeps/i386/nptl/tls.h                       |   5 +-
 sysdeps/i386/setjmp.S                         |  21 ++
 sysdeps/i386/sub_n.S                          |  26 ++-
 .../unix/sysv/linux/i386/____longjmp_chk.S    |  40 ++++
 sysdeps/unix/sysv/linux/i386/dl-cet.c         |  67 +++++++
 sysdeps/unix/sysv/linux/i386/dl-machine.h     |  23 +++
 sysdeps/unix/sysv/linux/i386/vfork.S          |  54 +++++
 sysdeps/unix/sysv/linux/x86/Makefile          |  43 +++-
 sysdeps/unix/sysv/linux/x86/check-cet.awk     |  53 +++++
 sysdeps/unix/sysv/linux/x86/configure         |  69 +++++++
 sysdeps/unix/sysv/linux/x86/configure.ac      |  46 +++++
 sysdeps/unix/sysv/linux/x86/dl-cet.c          | 186 ++++++++++++++++++
 sysdeps/unix/sysv/linux/x86/dl-cet.h          | 138 +++++++++++++
 sysdeps/unix/sysv/linux/x86/dl-procruntime.c  |  57 ++++++
 sysdeps/unix/sysv/linux/x86/ldsodefs.h        |  29 +++
 sysdeps/unix/sysv/linux/x86/link_map.h        |  26 +++
 sysdeps/unix/sysv/linux/x86/pthreaddef.h      |  24 +++
 .../unix/sysv/linux/x86_64/____longjmp_chk.S  |  41 ++++
 sysdeps/unix/sysv/linux/x86_64/dl-machine.h   |  27 +++
 sysdeps/unix/sysv/linux/x86_64/vfork.S        |  35 ++++
 sysdeps/x86/Makefile                          |   1 +
 sysdeps/x86/cpu-features.h                    |   5 +
 sysdeps/x86/jmp_buf-ssp.sym                   |   1 +
 sysdeps/x86/sysdep.h                          |   8 +
 sysdeps/x86_64/__longjmp.S                    |  45 +++++
 sysdeps/x86_64/crti.S                         |   2 +
 sysdeps/x86_64/dl-tlsdesc.S                   |   5 +
 sysdeps/x86_64/dl-trampoline.h                |   2 +
 sysdeps/x86_64/multiarch/memcmp-sse4.S        |   2 +-
 sysdeps/x86_64/multiarch/memcpy-ssse3-back.S  |   6 +-
 sysdeps/x86_64/multiarch/memcpy-ssse3.S       | 124 ++++++------
 sysdeps/x86_64/multiarch/strcmp-sse42.S       |   3 +-
 .../x86_64/multiarch/strcpy-sse2-unaligned.S  |   2 +-
 sysdeps/x86_64/nptl/tcb-offsets.sym           |   1 +
 sysdeps/x86_64/nptl/tls.h                     |   5 +-
 sysdeps/x86_64/setjmp.S                       |  21 ++
 sysdeps/x86_64/strcmp.S                       |   2 +-
 sysdeps/x86_64/tst-quadmod1.S                 |   6 +
 sysdeps/x86_64/tst-quadmod2.S                 |   6 +
 65 files changed, 1561 insertions(+), 118 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/i386/dl-cet.c
 create mode 100644 sysdeps/unix/sysv/linux/i386/dl-machine.h
 create mode 100644 sysdeps/unix/sysv/linux/x86/check-cet.awk
 create mode 100644 sysdeps/unix/sysv/linux/x86/configure
 create mode 100644 sysdeps/unix/sysv/linux/x86/configure.ac
 create mode 100644 sysdeps/unix/sysv/linux/x86/dl-cet.c
 create mode 100644 sysdeps/unix/sysv/linux/x86/dl-cet.h
 create mode 100644 sysdeps/unix/sysv/linux/x86/dl-procruntime.c
 create mode 100644 sysdeps/unix/sysv/linux/x86/ldsodefs.h
 create mode 100644 sysdeps/unix/sysv/linux/x86/link_map.h
 create mode 100644 sysdeps/unix/sysv/linux/x86/pthreaddef.h
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/dl-machine.h
 create mode 100644 sysdeps/x86/jmp_buf-ssp.sym

-- 
2.17.1

[PATCH 24/24] Intel CET: Document --enable-cet

[H.J. Lu]

	* NEWS: Mention --enable-cet.
	* manual/install.texi: Document --enable-cet.
	* INSTALL: Regenerated.
---
 INSTALL             | 11 +++++++++++
 NEWS                | 10 ++++++++++
 manual/install.texi | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/INSTALL b/INSTALL
index 052b1b6f89..5e6d80480b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -106,6 +106,17 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      programs and tests are created as dynamic position independent
      executables (PIE) by default.
 
+'--enable-cet'
+     Enable Intel Control-flow Enforcement Technology (CET) support.
+     When the library is built with -enable-cet, the resulting glibc is
+     protected with indirect branch tracking (IBT) and shadow stack
+     (SHSTK).  CET-enabled glibc is compatible with all existing
+     executables and shared libraries.  This feature is currently
+     supported on i386, x86_64 and x32 with GCC 8 and binutils 2.29 or
+     later.  Note that CET-enabled glibc requires CPUs capable of
+     multi-byte NOPs, like x86-64 processors as well as Intel Pentium
+     Pro or newer.
+
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
      use this option if you don't plan to do profiling.
diff --git a/NEWS b/NEWS
index d51fa09544..e914336557 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Version 2.28
 
 Major new features:
 
+* The GNU C Library can now be compiled with support for Intel CET, AKA
+  Intel Control-flow Enforcement Technology.  When the library is built
+  with --enable-cet, the resulting glibc is protected with indirect
+  branch tracking (IBT) and shadow stack (SHSTK).  CET-enabled glibc is
+  compatible with all existing executables and shared libraries.  This
+  feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+  binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs
+  capable of multi-byte NOPs, like x86-64 processors as well as Intel
+  Pentium Pro or newer.
+
 * <math.h> functions that round their results to a narrower type are added
   from TS 18661-1:2014 and TS 18661-3:2015:
 
diff --git a/manual/install.texi b/manual/install.texi
index 4bbbfcffa5..62aec719d7 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -137,6 +137,16 @@ with no-pie.  The resulting glibc can be used with the GCC option,
 PIE.  This option also implies that glibc programs and tests are created
 as dynamic position independent executables (PIE) by default.
 
+@item --enable-cet
+Enable Intel Control-flow Enforcement Technology (CET) support.  When
+the library is built with --enable-cet, the resulting glibc is protected
+with indirect branch tracking (IBT) and shadow stack (SHSTK)@.  CET-enabled
+glibc is compatible with all existing executables and shared libraries.
+This feature is currently supported on i386, x86_64 and x32 with GCC 8 and
+binutils 2.29 or later.  Note that CET-enabled glibc requires CPUs capable
+of multi-byte NOPs, like x86-64 processors as well as Intel Pentium Pro or
+newer.
+
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
 this option if you don't plan to do profiling.
-- 
2.17.1