x86/CET: Document glibc.tune.x86_ibt and glibc.tune.x86_shstk

* manual/tunables.texi: Document glibc.tune.x86_ibt and
	glibc.tune.x86_shstk.

ChangeLog

@@ -1,3 +1,8 @@
+2018-07-18  H.J. Lu  <hongjiu.lu@intel.com>
+
+	* manual/tunables.texi: Document glibc.tune.x86_ibt and
+	glibc.tune.x86_shstk.
+
 2018-07-18  H.J. Lu  <hongjiu.lu@intel.com>
 
 	* NEWS: Mention --enable-cet.

manual/tunables.texi

@@ -356,3 +356,31 @@ to set threshold in bytes for non temporal store.
 
 This tunable is specific to i386 and x86-64.
 @end deftp
+
+@deftp Tunable glibc.tune.x86_ibt
+The @code{glibc.tune.x86_ibt} tunable allows the user to control how
+indirect branch tracking (IBT) should be enabled.  Accepted values are
+@code{on}, @code{off}, and @code{permissive}.  @code{on} always turns
+on IBT regardless of whether IBT is enabled in the executable and its
+dependent shared libraries.  @code{off} always turns off IBT regardless
+of whether IBT is enabled in the executable and its dependent shared
+libraries.  @code{permissive} is the same as the default which disables
+IBT on non-CET executables and shared libraries.
+
+This tunable is specific to i386 and x86-64.
+@end deftp
+
+@deftp Tunable glibc.tune.x86_shstk
+The @code{glibc.tune.x86_shstk} tunable allows the user to control how
+the shadow stack (SHSTK) should be enabled.  Accepted values are
+@code{on}, @code{off}, and @code{permissive}.  @code{on} always turns on
+SHSTK regardless of whether SHSTK is enabled in the executable and its
+dependent shared libraries.  @code{off} always turns off SHSTK regardless
+of whether SHSTK is enabled in the executable and its dependent shared
+libraries.  @code{permissive} changes how dlopen works on non-CET shared
+libraries.  By default, when SHSTK is enabled, dlopening a non-CET shared
+library returns an error.  With @code{permissive}, it turns off SHSTK
+instead.
+
+This tunable is specific to i386 and x86-64.
+@end deftp