glibc: add option enableCETRuntimeDefault to runtime-enable CET by default

this appears to have been added to glibc because of the number
of packages in some distributions that were built with CET enabled
before a CET enabled machine was available to test for breakage
with.

we don't have that problem to such an extent and users of hardened
systems will likely want to enable this by default.

pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch

@@ -0,0 +1,49 @@
+Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5
+
+--- b/sysdeps/x86/cpu-features.c
++++ a/sysdeps/x86/cpu-features.c
+@@ -110,7 +110,7 @@
+   if (!CPU_FEATURES_CPU_P (cpu_features, RTM_ALWAYS_ABORT))
+     CPU_FEATURE_SET_ACTIVE (cpu_features, RTM);
+ 
++#if CET_ENABLED
+-#if CET_ENABLED && 0
+   CPU_FEATURE_SET_ACTIVE (cpu_features, IBT);
+   CPU_FEATURE_SET_ACTIVE (cpu_features, SHSTK);
+ #endif
+reverted:
+--- b/sysdeps/x86/cpu-tunables.c
++++ a/sysdeps/x86/cpu-tunables.c
+@@ -35,17 +35,6 @@
+       break;								\
+     }
+ 
+-#define CHECK_GLIBC_IFUNC_CPU_BOTH(f, cpu_features, name, len)		\
+-  _Static_assert (sizeof (#name) - 1 == len, #name " != " #len);	\
+-  if (tunable_str_comma_strcmp_cte (&f, #name))				\
+-    {									\
+-      if (f.disable)							\
+-	CPU_FEATURE_UNSET (cpu_features, name)				\
+-      else								\
+-	CPU_FEATURE_SET_ACTIVE (cpu_features, name)			\
+-      break;								\
+-    }
+-
+ /* Disable a preferred feature NAME.  We don't enable a preferred feature
+    which isn't available.  */
+ #define CHECK_GLIBC_IFUNC_PREFERRED_OFF(f, cpu_features, name, len)	\
+@@ -142,13 +131,11 @@
+ 	    }
+ 	  break;
+ 	case 5:
+-	  {
+-	    CHECK_GLIBC_IFUNC_CPU_BOTH (n, cpu_features, SHSTK, 5);
+-	  }
+ 	  if (n.disable)
+ 	    {
+ 	      CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, LZCNT, 5);
+ 	      CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, MOVBE, 5);
++	      CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SHSTK, 5);
+ 	      CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SSSE3, 5);
+ 	      CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, XSAVE, 5);
+ 	    }

pkgs/development/libraries/glibc/common.nix

@@ -37,6 +37,7 @@
 , profilingLibraries ? false
 , withGd ? false
 , enableCET ? false
+, enableCETRuntimeDefault ? false
 , extraBuildInputs ? []
 , extraNativeBuildInputs ? []
 , ...
@@ -50,6 +51,7 @@ in
 
 assert withLinuxHeaders -> linuxHeaders != null;
 assert withGd -> gd != null && libpng != null;
+assert enableCET == false -> !enableCETRuntimeDefault;
 
 stdenv.mkDerivation ({
   version = version + patchSuffix;
@@ -114,7 +116,8 @@ stdenv.mkDerivation ({
       lib.optional (isAarch64 && isLinux) ./0001-aarch64-math-vector.h-add-NVCC-include-guard.patch
     )
     ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
-    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
+    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch
+    ++ lib.optional enableCETRuntimeDefault ./2.39-revert-cet-default-disable.patch;
 
   postPatch =
     ''

pkgs/development/libraries/glibc/default.nix

@@ -3,6 +3,7 @@
 , profilingLibraries ? false
 , withGd ? false
 , enableCET ? if stdenv.hostPlatform.isx86_64 then "permissive" else false
+, enableCETRuntimeDefault ? false
 , pkgsBuildBuild
 , libgcc
 }:
@@ -16,7 +17,7 @@ let
 in
 
 (callPackage ./common.nix { inherit stdenv; } {
-  inherit withLinuxHeaders withGd profilingLibraries enableCET;
+  inherit withLinuxHeaders withGd profilingLibraries enableCET enableCETRuntimeDefault;
   pname = "glibc" + lib.optionalString withGd "-gd" + lib.optionalString (stdenv.cc.isGNU && libgcc==null) "-nolibgcc";
 }).overrideAttrs(previousAttrs: {