[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Intel CET Support?


i just stumbled upon the fact that debian doesn't yet make use of the
Intel CET security feature, while many other distributions
(Ubuntu, Fedora, Suse, Arch Linux) do.

The idea is to insert endbr instructions,
(which are just NOPs on older CPUs) at the beginning
of functions to identify valid call targets to mitigate
ROP attacks.

You can do a quick test with

objdump -d /usr/bin/mv | grep endbr | wc -l

which outputs a nonzero number if the feature is used.

See for example this Phoronix article:

What is the reason debian doesn't use this?
It seems like a sensible thing to do for me, but
maybe you had a discussion about it and came to another conclusion?

Or was this just overlooked?

Looking forward to your answers.

Felix Potthast

Reply to: