Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return

To: debian-devel@lists.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, Rick Edgecombe <rick.p.edgecombe@intel.com>, Yu-cheng Yu <yu-cheng.yu@intel.com>, "H.J. Lu" <hjl.tools@gmail.com>
Subject: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
From: Guillem Jover <guillem@debian.org>
Date: Tue, 16 Sep 2025 09:50:12 +0200
Message-id: <[🔎] aMkWtEysXI-ofHnh@thunder.hadrons.org>
Mail-followup-to: debian-devel@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>, Rick Edgecombe <rick.p.edgecombe@intel.com>, Yu-cheng Yu <yu-cheng.yu@intel.com>, "H.J. Lu" <hjl.tools@gmail.com>
In-reply-to: <[🔎] 87v7lufr9s.fsf@mid.deneb.enyo.de>
References: <[🔎] 9b15285b-894d-4404-85f4-cdb7e2a7bbed@orca.pet> <[🔎] aLhjIc0xiEBkZzR2@thunder.hadrons.org> <[🔎] ea66ed3c-3c9e-464e-a82d-d705d9699456@orca.pet> <[🔎] aLxmRBc8BDZnHOR-@thunder.hadrons.org> <[🔎] 87v7lufr9s.fsf@mid.deneb.enyo.de>

Hi!

[ For context, in Debian we have been building userland on amd64/x86_64
  with -fcf-protection, where there does not seem to be userland support
  for IBT at all from the Linux kernel side. So we were wondering whether
  it makes sense to keep doing that or not. See start of thread at
  <https://lists.debian.org/debian-devel/2025/09/msg00059.html>. ]

On Sun, 2025-09-07 at 13:14:55 +0200, Florian Weimer wrote:
> * Guillem Jover:
> > But, if the current IBT approach seems undesirable, I'd still be open to
> > switch to -fcf-protection=return for now, and revisit how to handle IBT
> > later. CCing Florian for potentially more context and opinion.
> 
> I'm not aware of any current public activities to enable userspace
> IBT.  I haven't see any recent attempt to define a userspace/kernel ABI,
> or to test (and port where necessary) userspace.

Thanks. So, do any of you (Florian, Rick, Yu-cheng, H.J., or perhaps
other people who have been working on this elsewhere) think we should
switch to -fcf-protection=return (from -fcf-protection)? Or are there
plans to add the userland IBT support in Linux in the near future?
Otherwise it indeed seems like a bit of a waste for now?

Thanks,
Guillem

Reply to:

Follow-Ups:
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>

References:
- Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Guillem Jover <guillem@debian.org>
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Guillem Jover <guillem@debian.org>
- Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: abigail-tools instead of dpkg-gensymbols ?
Next by Date: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Previous by thread: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Next by thread: Re: Bug#1113864: Replace -fcf-protection=full with -fcf-protection=return
Index(es):
- Date
- Thread