From ca49edafdd5ce709b72cc68b435c78a46d34143a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 27 Apr 2021 20:32:31 +0200
Subject: [PATCH] Restore Intel CET support after upstream release (#1954049)

---
 libgcrypt-1.8.5-intel-cet.patch | 34 +++++++++++++++++++++++++++++++++
 libgcrypt.spec                  |  3 +++
 2 files changed, 37 insertions(+)
 create mode 100644 libgcrypt-1.8.5-intel-cet.patch

diff --git a/libgcrypt-1.8.5-intel-cet.patch b/libgcrypt-1.8.5-intel-cet.patch
new file mode 100644
index 0000000..a19d2f1
--- /dev/null
+++ b/libgcrypt-1.8.5-intel-cet.patch
@@ -0,0 +1,34 @@
+From b04c0a86b19856071c29d2a6285f3240c606ee7a Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 27 Apr 2021 09:08:41 -0700
+Subject: [PATCH] Always include <config.h> in cipher assembly codes
+
+* cipher/poly1305-s390x.S: Always include <config.h>.
+
+When Intel CET is enabled, we need to include <cet.h> in assembly codes
+to mark Intel CET support even if it is empty.  We should always include
+<config.h> in cipher assembly codes so that they will be marked for
+Intel CET support when compiling for x86-64 and i686.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+---
+ cipher/poly1305-s390x.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/poly1305-s390x.S b/cipher/poly1305-s390x.S
+index 844245f6..28bed560 100644
+--- a/cipher/poly1305-s390x.S
++++ b/cipher/poly1305-s390x.S
+@@ -18,8 +18,8 @@
+  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+-#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9
+ #include <config.h>
++#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9
+ #if defined(HAVE_GCC_INLINE_ASM_S390X)
+ 
+ #include "asm-poly1305-s390x.h"
+-- 
+GitLab
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 6aac689..c7f8e15 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -44,6 +44,8 @@ Patch24: libgcrypt-1.8.5-getrandom.patch
 Patch26: libgcrypt-1.8.3-fips-enttest.patch
 # Disable non-approved FIPS hashes in the enforced FIPS mode
 Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
+# Missing Intel CET support in the library (#1954049)
+Patch28: libgcrypt-1.8.5-intel-cet.patch
 # FIPS module is redefined a little bit (implicit by kernel FIPS mode)
 Patch30: libgcrypt-1.8.5-fips-module.patch
 
@@ -93,6 +95,7 @@ applications using libgcrypt.
 %patch24 -p1 -b .getrandom
 %patch26 -p1 -b .fips-enttest
 %patch27 -p1 -b .fips-enforce
+%patch28 -p1 -b .intel-cet
 %patch30 -p1 -b .fips-module
 
 cp %{SOURCE4} cipher/