Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Package: dpkg-dev
Version: 1.22.21
Priority: wishlist
X-Debbugs-Cc: debian-devel@lists.debian.org
Hello everyone.
I have been instructed by Helmut Grohne from the technical commitee
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#126)
to open a bug here to ask for a change in the current hardening defaults
of Debian for sid and future stable releases.
Currently, on amd64 and i386 as of Trixie, packages are being built by
default with -fcf-protection=full. This results in shadow stacks and IBT
(branch tracking) being enabled on binaries.
The issue is that, right now, user-mode applications running in the Linux
kernel in 64-bit mode only support shadow stacks. IBT protection is only
supported in the kernel, thus compiling user-mode applications with IBT
enabled results simply in an increased code size (due to generated ENDBR
landing instructions), all while offering no security improvements.
This is stated in the kernel documentation
(https://docs.kernel.org/next/x86/shstk.html):
> Today in the 64-bit kernel, only userspace shadow stack and kernel IBT
> are supported.
32-bit applications (either in native 32-bit mode or running under a 64-bit
kernel) do not support neither shadow stacks nor IBT.
I have provided in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#96
a very simple program alongside compilation instructions that proves this
being the case.
By changing the default from -fcf-protection=full to -fcf-protection=return
(which only enables shadow stacks), the users would still experience the
exact same protection as they have right now, while generating smaller
binaries.
Reply to: