Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return

To: 1113864@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
From: Marcos Del Sol Vives <marcos@orca.pet>
Date: Wed, 3 Sep 2025 18:14:05 +0200
Message-id: <[🔎] ea66ed3c-3c9e-464e-a82d-d705d9699456@orca.pet>
In-reply-to: <[🔎] aLhjIc0xiEBkZzR2@thunder.hadrons.org>
References: <[🔎] 9b15285b-894d-4404-85f4-cdb7e2a7bbed@orca.pet> <[🔎] aLhjIc0xiEBkZzR2@thunder.hadrons.org>

El 03/09/2025 a las 17:47, Guillem Jover escribió:
> Hi!
> 
> On Wed, 2025-09-03 at 16:24:50 +0200, Marcos Del Sol Vives wrote:
>> Package: dpkg-dev
>> Version: 1.22.21
>> Priority: wishlist
>> X-Debbugs-Cc: debian-devel@lists.debian.org
> 
>> Currently, on amd64 and i386 as of Trixie, packages are being built by
>> default with -fcf-protection=full. This results in shadow stacks and IBT
>> (branch tracking) being enabled on binaries.
> 
> dpkg-buildflags only emits «-fcf-protection» on amd64.

My bad! I am not familiar with dpkg-dev's source code nor autoconf scripts,
and since the first result of -fcf-protection did not indicate any kind
of filtering (https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/m4/dpkg-compiler.m4),
I thought it was actually being applied to everything!

I found now the real code that enables it at
https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Vendor/Debian.pm#L637-650
and yes, you're absolutely right, it's amd64-only!

> So, disabling the full CET would regress the current support and make
> enabling it fully in the future harder.
> 
> But it's not clear to me what's the status of submission for userland
> IBT in Linux.

Seems based on a random GitHub Gist that enabling (at least for testing)
IBT in user-land is fairly straightforward on a Linux kernel:
https://gist.github.com/sroettger/fe66f7eb0cb10a8ebd1454875a7131ea

So I assume considering the little effort required to enable it, that it'll
eventually also land in user-space. I would try enabling it on my machine
out of curiosity with Trixie or Sid, but unfortunately my AMD 8745H does
only support shadow stacks.

> So given the above, I'm inclined to mark this wontfix and close, and
> then "someone" needs to driver the transition to its conclusion.

That's an option, yes.

I opened this issue because I was asked to, and because I would personally
wait until there are IBT-enabled kernels to enable one such flag to perform
proper testing so binaries don't become larger prematurely.

However I see your point enabling it now so all packages don't need to be
recompiled further down with CET could be benefitial for a quicker rollout.

Greetings,
Marcos

Reply to:

Follow-Ups:
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Guillem Jover <guillem@debian.org>

References:
- Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Next by Date: Bug#1113886: ITP: sql-tool -- Secure SQL tool for AI agents to interact with databases
Previous by thread: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Next by thread: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Index(es):
- Date
- Thread