Intel CET Support?

To: <debian-devel@lists.debian.org>
Subject: Intel CET Support?
From: Felix Potthast <felix.potthast@student.uni-siegen.de>
Date: Mon, 5 Sep 2022 22:44:52 +0200
Message-id: <[🔎] 6b0a21364a8bd1ae1311836bb5ff5863f2982482.camel@student.uni-siegen.de>

Hello,

i just stumbled upon the fact that debian doesn't yet make use of the
Intel CET security feature, while many other distributions
(Ubuntu, Fedora, Suse, Arch Linux) do.

The idea is to insert endbr instructions,
(which are just NOPs on older CPUs) at the beginning
of functions to identify valid call targets to mitigate
ROP attacks.

You can do a quick test with

objdump -d /usr/bin/mv | grep endbr | wc -l

which outputs a nonzero number if the feature is used.

See for example this Phoronix article:
https://www.phoronix.com/news/Intel-CET-IBT-For-Linux-5.18

What is the reason debian doesn't use this?
It seems like a sensible thing to do for me, but
maybe you had a discussion about it and came to another conclusion?

Or was this just overlooked?

Looking forward to your answers.

Regards,
Felix Potthast

Reply to:

Follow-Ups:
- Re: Intel CET Support?
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Intel CET Support?
  - From: Andrey Rahmatullin <wrar@debian.org>
- Re: Intel CET Support?
  - From: Adrien CLERC <bugs-debian@antipoul.fr>
- Re: Intel CET Support?
  - From: Paul Wise <pabs@debian.org>
- Re: Intel CET Support?
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Bug#1019209: ITP: node-gulp-tap -- Easily tap into a gulp pipeline
Next by Date: Re: Intel CET Support?
Previous by thread: Bug#1019209: ITP: node-gulp-tap -- Easily tap into a gulp pipeline
Next by thread: Re: Intel CET Support?
Index(es):
- Date
- Thread