On Tue, Sep 02, 2025 at 04:13:46PM +0200, Marcos Del Sol Vives wrote:
> On 02/09/2025 at 16:06, Paul Tagliamonte wrote:
> > On Tue, Sep 02, 2025 at 03:59:03PM +0200, Christoph Berg wrote:
> > > Yeah I think you were right in rejecting this.
> >
> > I would need to read more to "get smart" here, but I think another factor to consider is the number of "true" i686 processors running this release vs the number of x86_64 processors running this release under an x86_64 kernel.
> >
> > So you're saying this compiled option could be disabled in sudo for i386 without any loss of security regardless of what CPU the program runs on and regardless of whether it runs under a 32-bit or a 64-bit kernel, right?
>
> CET's shadow stacks are not compatible with 32-bit user-mode binaries, neither in native 32-bit nor in a 64-bit kernel running 32-bit binaries. Keeping that enabled would do no harm, though no good either. And CET's IBT, the feature that is introducing this incompatibility, is not enabled with user-mode applications at all.
Why isn't -fcf-protection a no-op in the toolchain on i386 then?

> Note the kernel .config flag for one is "CONFIG_X86_USER_SHADOW_STACK" vs "CONFIG_X86_KERNEL_IBT", as one works only in user mode, and the other only in kernel mode.

Both settings are =Y in the x86_64 kernel in Debian unstable.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         |   "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |    lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 6224 1600421
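What -fcf-protection actually leaves behind in a binary is a .note.gnu.property entry with the GNU_PROPERTY_X86_FEATURE_1_AND IBT/SHSTK bits, which is what the linker and the loader consult before turning CET on for a process. The decoder below is an added example, not code from this thread or from sudo or Debian; it parses such a note and reports the two bits, handling the i386 (4-byte) versus x86_64 (8-byte) descriptor alignment, and build_note() constructs sample notes rather than reading a real ELF file.

```python
import struct

# Constants from the ELF gABI and the x86 psABI.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def parse_gnu_property(note: bytes, elfclass: int) -> dict:
    """Decode a .note.gnu.property section and return the x86 CET feature bits.

    elfclass is 32 (i386: properties padded to 4 bytes) or 64 (x86_64: padded
    to 8 bytes). Returns {"ibt": bool, "shstk": bool}; both are False when the
    note carries no GNU_PROPERTY_X86_FEATURE_1_AND entry at all, which is what a
    build without -fcf-protection produces.
    """
    align = 8 if elfclass == 64 else 4
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        raise ValueError("not a NT_GNU_PROPERTY_TYPE_0 note")
    desc_off = 12 + ((namesz + 3) & ~3)  # the note name is padded to 4 bytes
    desc = note[desc_off:desc_off + descsz]
    features = {"ibt": False, "shstk": False}
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        data = desc[off + 8:off + 8 + pr_datasz]
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            bits = struct.unpack("<I", data)[0]
            features["ibt"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
            features["shstk"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
        # each property is padded to the ELF class's pointer size
        off += 8 + ((pr_datasz + align - 1) & ~(align - 1))
    return features


def build_note(bits: int, elfclass: int) -> bytes:
    """Constructed sample note carrying one FEATURE_1_AND property with `bits`."""
    align = 8 if elfclass == 64 else 4
    pr_data = struct.pack("<I", bits)
    pr_data += b"\0" * ((align - len(pr_data) % align) % align)
    desc = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, 4) + pr_data
    header = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0)
    return header + b"GNU\0" + desc
```

On a real binary, `readelf -n` prints the same bits as "x86 feature: IBT, SHSTK"; a note with the property but neither bit set is a legitimate encoding and is reported as both False here.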