From 7059ad8edbe13503d01947227a204cee9f67a911 Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 17 May 2026 17:31:24 +0200
Subject: [PATCH] Enable Intel CET support in assembler sources

If Intel CET is enabled, add .note.gnu.property section with x86 assembly code
which indicates IBT and SHSTK presence. This is required for ELF outputs to mark
Intel CET support when Intel CET is enabled since all input files must be marked
with Intel CET support in order for linker to mark output with Intel CET support.

The required ENDBR instructions were added by the upsteream ISA-L commit cd888f01
(https://github.com/intel/isa-l/commit/cd888f01) included in this copy of ISA-L
code. The ISA-L upstream commit 57846f41 (https://github.com/intel/isa-l/commit/
57846f41) which added a section needed is missing here, so add it.

The object files with an assembly code and the resulting library have proper
flags in the proper section as a result:

$ readelf -n sources/isal/igzip/encode_df.c.o sources/libqpl.so.1.9.0
File: sources/isal/igzip/encode_df.c.o
Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
File: sources/libqpl.so.1.9.0
Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
---
 sources/isal/CMakeLists.txt        | 15 +++++++++++++++
 sources/isal/include/reg_sizes.asm | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/sources/isal/CMakeLists.txt b/sources/isal/CMakeLists.txt
index 6e1aac426..182ff4475 100644
--- a/sources/isal/CMakeLists.txt
+++ b/sources/isal/CMakeLists.txt
@@ -103,3 +103,18 @@ if (NOT MSVC)
     # Setting POSIX compliance level for Linux builds (to use strnlen() function on Linux)
     target_compile_definitions(isal PRIVATE _POSIX_C_SOURCE=200809L)
 endif()
+
+# Enable Intel CET support in assembler sources
+check_c_source_compiles("
+    #if !defined(__CET__) || (__CET__ & 1) == 0
+    #error CET_BIT_1_NOT_SET
+    #endif
+    int main() { return 0; }
+" INTEL_CET_ENABLED)
+
+if(INTEL_CET_ENABLED)
+    target_compile_options(isal_asm PUBLIC "-DINTEL_CET_ENABLED")
+    message(STATUS "Intel CET protection is ENABLED")
+else()
+    message(STATUS "Intel CET protection is NOT enabled")
+endif()
diff --git a/sources/isal/include/reg_sizes.asm b/sources/isal/include/reg_sizes.asm
index 208ad14e5..9ea86c4ed 100644
--- a/sources/isal/include/reg_sizes.asm
+++ b/sources/isal/include/reg_sizes.asm
@@ -182,6 +182,21 @@
 
 %define XWORD(reg) reg %+ x
 
+%ifdef INTEL_CET_ENABLED
+  %ifdef __NASM_VER__
+    %ifidn __OUTPUT_FORMAT__,elf32
+section .note.gnu.property  note  alloc noexec align=4
+DD 0x00000004,0x0000000c,0x00000005,0x00554e47
+DD 0xc0000002,0x00000004,0x00000003
+    %endif
+    %ifidn __OUTPUT_FORMAT__,elf64
+section .note.gnu.property  note  alloc noexec align=8
+DD 0x00000004,0x00000010,0x00000005,0x00554e47
+DD 0xc0000002,0x00000004,0x00000003,0x00000000
+    %endif
+  %endif
+%endif
+
 %ifidn __OUTPUT_FORMAT__,elf32
 section .note.GNU-stack noalloc noexec nowrite progbits
 section .text