Bug#1113774: Disabling -fcf-protection in sudo for bookworm
I will try to summarize this TC bug. Sorry for the delay, I was just
too busy lately.
Marcos Del Sol Vives is asking the committee about the compiler flags used for
sudo in bookworm on the i386 architecture. The sudo version there is enabling
`-fcf-protection` when supported by the compiler:
https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u2/m4/hardening.m4#L108-L114
The problem is that on his machine, a Vortex86DX3, the generated ENDBR
instructions, which live in an opcode region declared as NOPs in earlier
architecture specs, are not ignored, but raise exceptions and cause sudo to
abort.
There is a lot of evidence that Control-flow Enforcement Technology (CET or
cf-protection) is only meant to be enabled on 64-bit binaries and is
ineffective elsewhere:
* https://docs.kernel.org/next/x86/shstk.html
* https://lkml.org/lkml/2025/9/1/1704
One part of the thread was discussing the usefulness of this feature even in
64-bit environments (the kernel only half-supports it in userland), which has
led to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113864 being filed on
dpkg-dev, but this is not relevant to the TC question. In fact, dpkg-dev is
only emitting -fcf-protection on amd64 and not on i386. A large part of the
thread assumed the default bookworm compiler flags had that problem, but it's
actually upstream sudo adding -fcf-protection.
Around the time of the discussion, upstream sudo included a change that limits
-fcf-protection to x86_64: https://github.com/sudo-project/sudo/pull/468
The question whether Vortex86DX3 is part of bookworm's i386 architecture baseline
was raised. In https://lists.debian.org/debian-devel/2023/10/msg00120.html Ben
Hutchings confirms that ENDBR32 should be ignored by i686-conformant
processors, and that i686 is required for bookworm. (He corrects himself in the
next mail saying this would apply to trixie only, but again corrects himself
saying this applies to bookworm indeed.) This seems to indicate that
Vortex86DX3 is not i686-conformant. The submitter claims the CPU is conformant,
citing https://psc.informatik.uni-jena.de/hw/p-pro-3.pdf page 417 as saying
ENDBR32 was "reserved". (The URL doesn't load for me now so I can't validate.)
https://www.debian.org/releases/bookworm/i386/release-notes/ch-information.en.html#i386-is-i686
Another sub-question was how this relates to trixie, but this is out
of scope of the TC question.
So, if I got all parts about right, the problem here is that using
-fcf-protection on i386 (where it should be a no-op and hence should not be
used in the first place) actually breaks sudo on bookworm on this CPU
(that possibly should ignore ENDBR32 but does not).
Possible TC rulings are:
* agree with the submitter. -fcf-protection is a no-op on i386; the sudo package
should be updated.
* reject the request; changing sudo for a very small number of users is too risky
(FWIW, the patch from https://github.com/sudo-project/sudo/pull/468 applies
trivially to sudo 1.9.13p3-1+deb12u2)
* reject the request; bookworm is already oldstable (if it's reaching us only
now, it's not that important)
* reject the request; the CPU in question is not part of the baseline
Marc has indicated that he would accept advice on this issue so we might go
with issuing that instead of formally overriding him.
Christoph
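A practical way to check whether a given i386 build of sudo is affected is to look for the ENDBR32 opcode (F3 0F 1E FB) in the binary's executable sections. The following is an added, hypothetical checker written for this summary; it is not code from sudo, Debian or the thread. The `build_elf32` helper is only a constructed test fixture so the script runs offline; pass a real binary path to scan it.

```python
"""Count ENDBR32 instructions (F3 0F 1E FB, what -fcf-protection emits at
indirect-branch targets) in the executable sections of a 32-bit ELF.
Hypothetical checker for this bug summary, not sudo's or Debian's code."""
import struct
import sys

ENDBR32 = b"\xf3\x0f\x1e\xfb"   # ENDBR64 would be F3 0F 1E FA
EM_386, SHF_EXECINSTR = 3, 0x4
EHDR = "<16sHHIIIIIHHHHHH"      # Elf32_Ehdr, 52 bytes
SHDR = "<10I"                   # Elf32_Shdr, 40 bytes

def count_endbr32(data):
    """Scan SHF_EXECINSTR sections only, so the same bytes sitting in
    .rodata or a string table do not produce false positives."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_machine, e_shoff, e_shentsize, e_shnum = hdr[2], hdr[6], hdr[11], hdr[12]
    if e_machine != EM_386:
        raise ValueError("not an i386 binary (e_machine=%d)" % e_machine)
    hits = 0
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
        flags, off, size = sh[2], sh[4], sh[5]
        if flags & SHF_EXECINSTR:
            hits += data[off:off + size].count(ENDBR32)
    return hits

def build_elf32(text, rodata):
    """Constructed test fixture: minimal non-loadable ELF32 image with one
    executable section and one read-only data section (no names/segments)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    text_off, rodata_off = 52, 52 + len(text)
    shoff = rodata_off + len(rodata)
    ehdr = struct.pack(EHDR, ident, 2, EM_386, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    def shdr(flags, off, size):  # SHT_PROGBITS = 1; flags 0x2 ALLOC, 0x4 EXECINSTR
        return struct.pack(SHDR, 0, 1, flags, 0, off, size, 0, 0, 1, 0)
    return (ehdr + text + rodata + bytes(40)          # index 0 is the null section
            + shdr(0x6, text_off, len(text)) + shdr(0x2, rodata_off, len(rodata)))

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. an i386 /usr/bin/sudo
        with open(sys.argv[1], "rb") as f:
            print(count_endbr32(f.read()))
    else:  # constructed sample: two ENDBR32-prefixed functions, one copy in .rodata
        image = build_elf32(ENDBR32 + b"\x55\x89\xe5\xc3" + ENDBR32 + b"\xc3", ENDBR32)
        print(count_endbr32(image))           # 2
```

A count of zero on the installed binary means the package cannot trip a CPU that faults on ENDBR32, regardless of what the build flags were.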