
Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return



On 03/09/2025 at 17:47, Guillem Jover wrote:
> Hi!
> 
> On Wed, 2025-09-03 at 16:24:50 +0200, Marcos Del Sol Vives wrote:
>> Package: dpkg-dev
>> Version: 1.22.21
>> Priority: wishlist
>> X-Debbugs-Cc: debian-devel@lists.debian.org
> 
>> Currently, on amd64 and i386 as of Trixie, packages are being built by
>> default with -fcf-protection=full. This results in shadow stacks and IBT
>> (branch tracking) being enabled on binaries.
> 
> dpkg-buildflags only emits «-fcf-protection» on amd64.

My bad! I am not familiar with dpkg-dev's source code nor autoconf scripts,
and since the first result of -fcf-protection did not indicate any kind
of filtering (https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/m4/dpkg-compiler.m4),
I thought it was actually being applied to everything!

I found now the real code that enables it at
https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Vendor/Debian.pm#L637-650
and yes, you're absolutely right, it's amd64-only!

> So, disabling the full CET would regress the current support and make
> enabling it fully in the future harder.
> 
> But it's not clear to me what's the status of submission for userland
> IBT in Linux.

It seems, based on a random GitHub Gist, that enabling IBT in user-land (at
least for testing) is fairly straightforward on a Linux kernel:
https://gist.github.com/sroettger/fe66f7eb0cb10a8ebd1454875a7131ea

So I assume considering the little effort required to enable it, that it'll
eventually also land in user-space. I would try enabling it on my machine
out of curiosity with Trixie or Sid, but unfortunately my AMD 8745H only
supports shadow stacks.

> So given the above, I'm inclined to mark this wontfix and close, and
> then "someone" needs to drive the transition to its conclusion.

That's an option, yes.

I opened this issue because I was asked to, and because I would personally
wait until there are IBT-enabled kernels to enable one such flag to perform
proper testing so binaries don't become larger prematurely.

However, I see your point: enabling it now, so that all packages don't need to
be recompiled further down with CET, could be beneficial for a quicker rollout.

Greetings,
Marcos
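The discussion above turns on what -fcf-protection actually marks a binary with: =full records both IBT and shadow stacks (SHSTK), =branch only IBT, =return only SHSTK. GCC and the linker record that in the .note.gnu.property section, so one way to audit what a package was really built with is to read that note. The script below is an added example for this thread, not code from the bug report or from dpkg; it parses the note directly (the same information `readelf -n` prints as "x86 feature: IBT, SHSTK") and includes a constructed note blob so the parser can be exercised without a real binary. Note that it only reports what the toolchain marked; whether the kernel enforces IBT or shadow stacks at run time is the separate question raised above.

```python
#!/usr/bin/env python3
"""Report which x86 CET features (IBT, SHSTK) an ELF binary is marked with.

Added example, not part of the bug report or of dpkg. The constants are the
values from the x86 psABI; the sample note built by build_note() is
constructed test data, not taken from any real package.
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property(note, elfclass=64):
    """Return {'ibt': bool, 'shstk': bool} from raw .note.gnu.property bytes.

    Property entries are 8-byte aligned on x86-64 and 4-byte aligned on i386.
    """
    palign = 8 if elfclass == 64 else 4
    features = {"ibt": False, "shstk": False}
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        desc_off = _align(off + 12 + namesz, palign)
        desc = note[desc_off:desc_off + descsz]
        off = _align(desc_off + descsz, palign)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                (bits,) = struct.unpack_from("<I", desc, d + 8)
                features["ibt"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
                features["shstk"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
            d = _align(d + 8 + pr_datasz, palign)
    return features


def build_note(feature_bits, elfclass=64):
    """Construct a .note.gnu.property blob in the layout the linker emits (test data)."""
    palign = 8 if elfclass == 64 else 4
    data = struct.pack("<I", feature_bits)
    entry = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, len(data)) + data
    entry += b"\0" * (_align(len(entry), palign) - len(entry))
    name = b"GNU\0"
    body = struct.pack("<III", len(name), len(entry), NT_GNU_PROPERTY_TYPE_0) + name
    body += b"\0" * (_align(len(body), palign) - len(body))
    return body + entry


def check_elf(path):
    """Locate .note.gnu.property in an ELF file and return its CET bits.

    Returns None when the binary carries no such note (for example one built
    with -fcf-protection=none, or a non-x86 binary).
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: %s" % path)
    elfclass = 64 if data[4] == 2 else 32
    if elfclass == 64:                       # ELF64 header and Shdr offsets
        (shoff,) = struct.unpack_from("<Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        word, off_pos, size_pos = "<Q", 24, 32
    else:                                    # ELF32 header and Shdr offsets
        (shoff,) = struct.unpack_from("<I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        word, off_pos, size_pos = "<I", 16, 20

    def section(i):
        base = shoff + i * shentsize
        (name_idx,) = struct.unpack_from("<I", data, base)
        (offset,) = struct.unpack_from(word, data, base + off_pos)
        (size,) = struct.unpack_from(word, data, base + size_pos)
        return name_idx, offset, size

    _, stroff, _ = section(shstrndx)         # section name string table
    for i in range(shnum):
        name_idx, offset, size = section(i)
        end = data.index(b"\0", stroff + name_idx)
        if data[stroff + name_idx:end] == b".note.gnu.property":
            return parse_gnu_property(data[offset:offset + size], elfclass)
    return None


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, check_elf(p))
```

Running it over a package's binaries (`python3 cet_check.py /usr/bin/*`) prints a dict per file; a binary built with -fcf-protection=return shows `{'ibt': False, 'shstk': True}`, one built with =full shows both True, and None means no property note at all, which is what you would expect from a non-amd64 build given that dpkg-buildflags only emits the flag there.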

