On Fri, Dec 05, 2025 at 12:38:59PM +0000, James Addison wrote:
>My reading of the thread is that fcf-protection=return can be
>security-effective on 32-bit x86 processors, has no effect on binary
>size, and does not introduce the compatibility issues that
>fcf-protection=branch does.
[snip]
>So to reformulate that as a question: why is the advice to remove the
>flag completely, instead of reducing it to fcf-protection=return?
This requires kernel support to be effective - and Bookworm does not
have a kernel with that flag turned on. I understand there to be no
difference between disabling fcf-protection entirely vs return in i386
for Bookworm.
[ ... snip ... ]
Thanks, Paul.
I briefly wondered about people who could be running custom kernels (e.g. with support enabled) in combination with the Debian sudo (and potentially other) binaries, or that Debian might choose to enable it at the kernel config level in future -- but, given my understanding is that the patch will only affect i386 packages, and that the CET instructions are no-ops on that platform, I think that that consideration is moot.