author | Florian Weimer <fweimer@redhat.com> | 2024-05-30 15:07:21 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2024-05-30 15:07:21 +0200 |
commit | dbdeca0334e90b4a87e7f662f2d64b1dfde329d3 (patch) | |
tree | 9e26fae54fd470e2892676ced9cfdfa19d056997 | |
parent | 0c1d2c277a59f08fd3232b33d18644ea890190ea (diff) | |
manual: Update glibc.cpu.x86_shstk description
The previous text described a forcing behavior for the "on" setting
which is not actually implemented.
Also note that SHSTK is disabled by default.
-rw-r--r-- | manual/tunables.texi | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/manual/tunables.texi b/manual/tunables.texi index baaf751..3f98224 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -606,16 +606,31 @@ This tunable is specific to i386 and x86-64. @deftp Tunable glibc.cpu.x86_shstk The @code{glibc.cpu.x86_shstk} tunable allows the user to control how the shadow stack (SHSTK) should be enabled. Accepted values are -@code{on}, @code{off}, and @code{permissive}. @code{on} always turns on -SHSTK regardless of whether SHSTK is enabled in the executable and its -dependent shared libraries. @code{off} always turns off SHSTK regardless +@code{on}, @code{off}, and @code{permissive}: + +@table @code +@item on +Turn on SHSTK if the executable and its dependent shared libraries +contain markers indicating shadow stack support. This is the default +(but see below for additional hardware capability setting). + +@item off +Always turn off SHSTK regardless of whether SHSTK is enabled in the executable and its dependent shared -libraries. @code{permissive} changes how dlopen works on non-CET shared -libraries. By default, when SHSTK is enabled, dlopening a non-CET shared -library returns an error. With @code{permissive}, it turns off SHSTK -instead. +libraries. -This tunable is specific to i386 and x86-64. +@item permissive +Same as @code{on}, but change how dlopen works on non-CET shared +libraries. With the @code{on} setting, when SHSTK is enabled, dlopening +a non-CET shared library returns an error. With @code{permissive}, it +turns off SHSTK instead. +@end table + +@strong{Note:} By default, the SHSTK capability of the system is masked +at the hardware capability level. To turn it on, set the tunable +@samp{glibc.cpu.hwcaps=SHSTK}. + +This tunable is specific to x86-64. @end deftp @deftp Tunable glibc.cpu.prefer_map_32bit_exec |
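Review bot: The final changed line of this hunk narrows the scope from "This tunable is specific to i386 and x86-64." to "This tunable is specific to x86-64.", which the commit message does not mention; either call out the dropped i386 wording in the commit message or keep the original sentence. Two smaller wording points in the same hunk: under @item permissive, "Same as @code{on}, but change how dlopen works" should read "changes" to agree with "Same as"; and under @item on, "This is the default" sits next to the new @strong{Note:} saying the SHSTK capability is masked by default at the hwcaps level, so "This is the default setting of the tunable" would avoid readers concluding that shadow stacks are active without also setting @samp{glibc.cpu.hwcaps=SHSTK}.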