
Bug#1113774: Disabling -fcf-protection in sudo for bookworm



On 02/09/2025 at 16:06, Paul Tagliamonte wrote:
> On Tue, Sep 02, 2025 at 03:59:03PM +0200, Christoph Berg wrote:
>> Yeah I think you were right in rejecting this.
> 
> I would need to read more to "get smart" here, but I think another factor to consider is the number of "true" i686 processors running this release vs the number of x86_64 processors running this release under an x86_64 kernel.
> 
> My understanding from a quick read of the docs here (although, about 2 minutes' worth, so I'm very open to being convinced otherwise here) is that disabling this would disable CET for sudo:i386 when running under
> an amd64 kernel, in order to allow an i586 to run an i686 binary.
> 
>   paultag
> 

Hi Paul,

CET's shadow stack is not compatible with 32-bit user-mode binaries, neither in native 32-bit nor in a 64-bit kernel running 32-bit binaries. Keeping that enabled would do no harm, though no good either.

And CET's IBT, the feature that is introducing this incompatibility, is not enabled for user-mode applications at all.

Note that the kernel .config option for one is "CONFIG_X86_USER_SHADOW_STACK" and for the other "CONFIG_X86_KERNEL_IBT", since one works only in user mode and the other only in kernel mode.

Greetings,
Marcos
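The thread above turns on what -fcf-protection actually leaves in the binary: the linker records the CET markers as a GNU_PROPERTY_X86_FEATURE_1_AND property (IBT bit 0x1, SHSTK bit 0x2) in the .note.gnu.property note, which the kernel and glibc consult before enabling any CET feature for a process. The following is an added example, not code from this thread or from the sudo or Debian packages, that decodes that note so a packager can confirm whether a given sudo build (i386 or amd64) still carries the markers. The constants come from the x86 psABI and the ELF spec; the sample notes it constructs in build_gnu_property_note() are synthetic test inputs, and the file path handling in the main block is an assumption about how one would invoke it. readelf -n shows the same information for a quick manual check.

```python
import struct
import sys

# ELF and x86 psABI constants for the CET property note.
PT_GNU_PROPERTY = 0x6474E553
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, elfclass64):
    """Decode a .note.gnu.property blob and report the x86 CET marker bits.

    Returns {'ibt': bool, 'shstk': bool}; both False when the note carries no
    GNU_PROPERTY_X86_FEATURE_1_AND entry, i.e. the objects were not all built
    with -fcf-protection.
    """
    namesz, descsz, ntype = struct.unpack_from('<III', note, 0)
    name = note[12:12 + namesz]
    if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b'GNU\0':
        raise ValueError('not an NT_GNU_PROPERTY_TYPE_0 note')
    desc_off = 12 + _align(namesz, 4)
    desc = note[desc_off:desc_off + descsz]
    # Each property is padded to 8 bytes in ELFCLASS64 and 4 bytes in ELFCLASS32.
    pr_align = 8 if elfclass64 else 4
    flags = {'ibt': False, 'shstk': False}
    pos = 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from('<II', desc, pos)
        data = desc[pos + 8:pos + 8 + pr_datasz]
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            bits = struct.unpack('<I', data)[0]
            flags['ibt'] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
            flags['shstk'] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
        pos += 8 + _align(pr_datasz, pr_align)
    return flags


def build_gnu_property_note(feature_bits, elfclass64):
    """Construct (synthetic test input) the note ld emits for a -fcf-protection build."""
    pr_align = 8 if elfclass64 else 4
    prop = struct.pack('<III', GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    prop += b'\0' * (_align(len(prop), pr_align) - len(prop))
    return struct.pack('<III', 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b'GNU\0' + prop


def cet_flags_of_elf(path):
    """Locate PT_GNU_PROPERTY in an ELF file on disk and decode its CET bits.

    Returns None when the binary has no PT_GNU_PROPERTY segment at all.
    """
    with open(path, 'rb') as f:
        data = f.read()
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    elfclass64 = data[4] == 2
    if elfclass64:
        e_phoff, = struct.unpack_from('<Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    else:
        e_phoff, = struct.unpack_from('<I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from('<HH', data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from('<I', data, off)
        if p_type != PT_GNU_PROPERTY:
            continue
        if elfclass64:
            p_offset, = struct.unpack_from('<Q', data, off + 8)
            p_filesz, = struct.unpack_from('<Q', data, off + 32)
        else:
            p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from('<IIII', data, off + 4)
        return parse_gnu_property_note(data[p_offset:p_offset + p_filesz], elfclass64)
    return None


if __name__ == '__main__':
    # Assumed usage: python3 cetcheck.py /usr/bin/sudo  (any ELF path works)
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print(target, cet_flags_of_elf(target))
```

A result of {'ibt': True, 'shstk': True} means the whole link was compiled with -fcf-protection; on the i386 build the SHSTK bit is inert, as the message above notes, because the kernel only provides user shadow stacks to 64-bit processes, while the IBT bit only ever matters once a kernel enforces user IBT, which it does not.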

