
Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Package: tech-ctte
Severity: normal

Currently "sudo" in Bookworm is broken on i686 for some i686-like
processors such as a Vortex86DX3 I own and VIA processors others have
(https://lists.debian.org/debian-devel/2023/10/msg00118.html), causing a
SIGILL if you attempt to run it on them.

The issue is that sudo in bookworm is compiled with "-fcf-protection=full",
which causes binaries to contain ENDBR32 instructions. These are part of
Indirect Branch Tracking, a mechanism introduced by Intel's CET meant to
harden against exploits using return-oriented programming.

ENDBR32s are part of a formerly-reserved chunk of instructions called
"hintable NOPs". These, to my knowledge, were only defined in US patent
US5701442A but not in the software design manual, where they appeared as
"reserved". Thus these processors do what in general reserved instructions
should do - raise an exception.

Disabling a security mechanism for these uncommon processors would be
probably a bad idea, but the thing is that this mechanism is _not_
supported by the Linux kernel in user mode. Thus, the compilation with
IBT just increases the size of the binaries at best, and prevents running
the binary at worst.

For user mode, and only in 64-bit mode (not on a native 32-bit system,
nor when running 32-bit applications on a 64-bit kernel), Linux uses
another mechanism, called shadow stacks, that does not require new
instructions.

This is documented in the Kernel's own page about CET:
https://docs.kernel.org/arch/x86/shstk.html#cet-background
There it explicitly says that the protections are only available in 64-bit
modes, and further analysis of the kernel's code I've done confirms that
being the case:
https://lore.kernel.org/all/9412e249-8184-4817-bf35-1216db97ad4d@orca.pet/

I've submitted a patch against upstream sudo that has been accepted
(https://github.com/sudo-project/sudo/pull/468) that enables the
compilation with -fcf-protection only for 64-bit mode, but the current sudo
Debian maintainer has refused to accept a patch for "bookworm" that fixes
this issue, being concerned that it could lower the overall security of the
binary.

As part of an effort to handle these ENDBR32s in the kernel and ignore
them, H. Peter Anvin (a major x86 arch maintainer in the Linux kernel)
confirmed that 32-bit user-mode applications do not gain any security from
using ENDBR32, and that just disabling the IBT protection for them
would be the best approach:
https://lore.kernel.org/all/772C4DE8-8564-430D-9304-A39F88E07EBF@zytor.com/

Since bookworm is the last i686 release, I think it'd make sense to fix
this issue.

Greetings,
Marcos
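Added example, not part of this report or of sudo: a decoder for the .note.gnu.property section that -fcf-protection makes the toolchain emit, so a maintainer can see which CET features (IBT, i.e. ENDBR at function entries, and/or SHSTK) a given binary requests. The note type and property constants are the published GNU ELF property values; make_note builds a constructed sample note for testing, and for a real binary the section can be dumped with `objcopy -O binary --only-section=.note.gnu.property sudo note.bin` and its bytes passed to x86_feature_1.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5              # note type: program properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 1 << 0    # set by -fcf-protection=branch or =full
FEATURE_1_SHSTK = 1 << 1  # set by -fcf-protection=return or =full

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_feature_1(note_data, is_64bit):
    """Return the X86_FEATURE_1_AND bitmask in raw .note.gnu.property bytes
    (0 if absent). Descriptors/properties are padded to 8 on x86-64, 4 on i386."""
    pad = 8 if is_64bit else 4
    features, off = 0, 0
    while off + 12 <= len(note_data):
        namesz, descsz, ntype = struct.unpack_from('<III', note_data, off)
        off += 12
        name = note_data[off:off + namesz]
        off += _align(namesz, 4)
        desc = note_data[off:off + descsz]
        off += _align(descsz, pad)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b'GNU\0':
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from('<II', desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                features |= struct.unpack_from('<I', desc, p)[0]
            p += _align(pr_datasz, pad)
    return features

def describe(features):
    flags = [n for n, bit in (('IBT', FEATURE_1_IBT), ('SHSTK', FEATURE_1_SHSTK))
             if features & bit]
    return '+'.join(flags) or 'none'

def make_note(features, is_64bit):
    """Constructed sample: build the note the linker emits, for testing."""
    pad = 8 if is_64bit else 4
    prop = struct.pack('<II', GNU_PROPERTY_X86_FEATURE_1_AND, 4)
    prop += struct.pack('<I', features).ljust(pad, b'\0')
    return struct.pack('<III', 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b'GNU\0' + prop

if __name__ == '__main__':
    # i386 note as produced by -fcf-protection=full (the bookworm sudo case)
    note = make_note(FEATURE_1_IBT | FEATURE_1_SHSTK, is_64bit=False)
    print(describe(x86_feature_1(note, is_64bit=False)))  # IBT+SHSTK
```

A 32-bit binary reporting IBT here is one that carries ENDBR32 at every function entry, which is exactly the marker that makes the processors named above raise SIGILL.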