Intel CET
Intel CET is a security technology developed to fight memory-corruption based attacks.
Description of the issue
According to the guides I was able to find online (Intel presentation, annocheck), this feature should be enabled with the compilation flag `-fcf-protection` or `-fcf-protection=full`.
Trying to compile Node.js (using the steps from the docs) with these flags, I wasn't able to pass the aforementioned annocheck test for this feature on the `node` binary, even though other binaries such as `node_js2c` contained the required `.note.gnu.property` entry, that being SHSTK (Shadow Stack) and IBT (Branch Tracking).
Examples from my testing:
```
$ readelf -n node

Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: ceaab14cf7bb408dd175fb713cb50a75f0ab11f0

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000030       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline
        x86 feature used: x86, XMM, YMM, ZMM, XSAVE, MASK
        x86 ISA used: x86-64-baseline, x86-64-v2, x86-64-v3, x86-64-v4
```
```
$ readelf -n node_js2c

Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: c90bacc1964b4cf0b281541f93427a6c0080a219

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000040       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline
        x86 feature used: x86, XMM, YMM, ZMM, XSAVE, MASK
        x86 ISA used: x86-64-baseline, x86-64-v2, x86-64-v3, x86-64-v4
```
Desired state
I think it would be beneficial to enable this feature.
I sadly struggle to understand what the issue could be, or how it could be fixed. My guess is that it could be connected to this description from the annocheck page:

> The feature is also an all-or-nothing type proposition for any process. Either all of the code in the process must have been built to support CET - in which case the feature can be enabled - or if even a single component does not support CET then it must be disabled for the entire process.
If anyone could provide any guidance or information about the issue I would really appreciate it.
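The check annocheck performs on the two binaries above can be reproduced without annocheck or readelf by reading `.note.gnu.property` directly. The script below is an added example for this issue; it is not the reporter's code and not part of Node.js. It walks the ELF64 section headers, decodes the GNU property note, and reads `GNU_PROPERTY_X86_FEATURE_1_AND` (type `0xc0000002`), whose bits `0x1` and `0x2` are exactly what readelf prints as `x86 feature: IBT, SHSTK`. `link_feature_1()` models the linker rule behind the "all-or-nothing" sentence quoted above, and `make_elf()` constructs a synthetic ELF image (not a real `node` binary) so the example runs offline. The function names, the constructed ELF layout and the suggested file name `cet_check.py` are this example's own assumptions.

```python
"""Check an x86-64 ELF for the CET markers annocheck looks for (IBT, SHSTK)
by parsing .note.gnu.property directly, and model how GNU ld combines them.

Added example for this issue; not part of Node.js and not the reporter's code.
make_elf() builds a synthetic, non-runnable ELF64 image purely for the demo."""
import struct
import sys

SHT_NOTE, SHT_STRTAB = 7, 3
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002   # readelf: "x86 feature: IBT, SHSTK"
GNU_PROPERTY_X86_ISA_1_NEEDED = 0xC0008002    # readelf: "x86 ISA needed: ..."
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def gnu_properties(elf: bytes) -> dict:
    """Return {pr_type: pr_data bytes} from .note.gnu.property ({} if absent)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", elf, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]                      # sh_offset of .shstrtab

    def sh_name(sh):
        start = strtab + sh[0]
        return elf[start:elf.index(b"\0", start)].decode()

    props = {}
    for sh in shdrs:
        if sh[1] != SHT_NOTE or sh_name(sh) != ".note.gnu.property":
            continue
        off, end, align = sh[4], sh[4] + sh[5], 8 if sh[8] == 8 else 4
        while off + 12 <= end:                         # walk Elf64_Nhdr records
            namesz, descsz, ntype = struct.unpack_from("<III", elf, off)
            desc_off = off + _align(12 + namesz, align)
            name = elf[off + 12:off + 12 + namesz]
            desc = elf[desc_off:desc_off + descsz]
            if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0":
                pos = 0
                while pos + 8 <= len(desc):            # property: type, datasz, data, pad to 8
                    pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
                    props[pr_type] = desc[pos + 8:pos + 8 + pr_datasz]
                    pos += 8 + _align(pr_datasz, 8)
            off = desc_off + _align(descsz, align)
    return props


def cet_features(elf: bytes) -> dict:
    """What readelf prints as 'x86 feature: IBT, SHSTK' and annocheck tests for."""
    data = gnu_properties(elf).get(GNU_PROPERTY_X86_FEATURE_1_AND, b"\0\0\0\0")
    bits = struct.unpack_from("<I", data)[0]
    return {"IBT": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "SHSTK": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def link_feature_1(input_bits) -> int:
    """Model GNU ld's rule for FEATURE_1_AND: the output keeps a bit only if every
    input object has it, and an object with no property contributes 0. A single
    non-CET object therefore strips IBT/SHSTK from the whole executable."""
    out = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK
    for bits in input_bits:
        out &= bits
    return out


def make_elf(feature_bits=None) -> bytes:
    """Constructed ELF64/x86-64 relocatable holding only .note.gnu.property and
    .shstrtab. feature_bits=None omits FEATURE_1_AND, like the 'node' output."""
    props = struct.pack("<IIII", GNU_PROPERTY_X86_ISA_1_NEEDED, 4, 1, 0)  # x86-64-baseline
    if feature_bits is not None:
        props += struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits, 0)
    note = struct.pack("<III", 4, len(props), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + props
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"   # name offsets 1 and 20
    note_off = 64
    str_off = _align(note_off + len(note), 8)
    shoff = _align(str_off + len(shstrtab), 8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    body = ehdr + note
    body += b"\0" * (str_off - len(body)) + shstrtab
    body += b"\0" * (shoff - len(body))

    def shdr(name, typ, off, size, al):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, al, 0)

    return (body + shdr(0, 0, 0, 0, 0) + shdr(1, SHT_NOTE, note_off, len(note), 8)
            + shdr(20, SHT_STRTAB, str_off, len(shstrtab), 1))


if __name__ == "__main__":
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "demo-with-cet": make_elf(3), "demo-without-cet": make_elf(None)}
    for path, data in targets.items():
        print(f"{path}: {cet_features(data)}")
    print("link of [cet, cet, non-cet] keeps bits:", hex(link_feature_1([3, 3, 0])))
```

Run it against the real build outputs, e.g. `python3 cet_check.py out/Release/node out/Release/node_js2c` (paths assumed), and it reports the same IBT/SHSTK verdict as the readelf listings above. The `link_feature_1()` model is the practical lead for the question in this issue: GNU ld ANDs the `FEATURE_1_AND` bits of all inputs, so the property survives only if every object linked into `node`, including hand-written assembly and prebuilt static libraries, carries it. To find which inputs are missing it, relink with `-Wl,-z,cet-report=warning`, which makes GNU ld name each input object that lacks IBT or SHSTK.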