
Debian Technical Committee: Bug#1113774: Disabling -fcf-protection in sudo for bookworm



(Bcc'ing -devel for information)

Re: To 1113774@bugs.debian.org
> In #1113774, Marcos Del Sol Vives is asking the committee about the compiler
> flags used for sudo in bookworm on the i386 architecture. The sudo version
> there is enabling `-fcf-protection` when supported by the compiler:
> 
> https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u2/m4/hardening.m4#L108-L114
> 
> The problem is that on his machine, a Vortex86DX3, the generated ENDBR
> instructions, which live in an opcode region declared as NOPs in earlier
> architecture specs, are not ignored, but raise exceptions and cause sudo to
> abort.
> 
> There is a lot of evidence that Control-flow Enforcement Technology (CET or
> cf-protection) is only meant to be enabled on 64-bit binaries and is
> ineffective elsewhere:
> * https://docs.kernel.org/next/x86/shstk.html
> * https://lkml.org/lkml/2025/9/1/1704
> 
> One part of the thread was discussing the usefulness of this feature even in
> 64-bit environments (the kernel only half-supports it in userland) which has
> led to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113864 being filed on
> dpkg-dev, but this is not relevant to the TC question. In fact, dpkg-dev is
> only emitting -fcf-protection on amd64 and not on i386. A large part of the
> thread assumed the default bookworm compiler flags had that problem, but it's
> actually upstream sudo adding -fcf-protection.
> 
> Around the time of the discussion, upstream sudo included a change that limits
> -fcf-protection to x86_64: https://github.com/sudo-project/sudo/pull/468
> 
> The question whether Vortex86DX3 is part of bookworm's i386 architecture baseline
> was raised. In https://lists.debian.org/debian-devel/2023/10/msg00120.html Ben
> Hutchings confirms that ENDBR32 should be ignored by i686-conformant
> processors, and that i686 is required for bookworm. (He corrects himself in the
> next mail saying this would apply to trixie only, but again corrects himself
> saying this applies to bookworm indeed.) This seems to indicate that
> Vortex86DX3 is not i686-conformant. The submitter claims the CPU is conformant,
> citing https://psc.informatik.uni-jena.de/hw/p-pro-3.pdf page 417 as saying
> ENDBR32 was "reserved".
> 
> https://www.debian.org/releases/bookworm/i386/release-notes/ch-information.en.html#i386-is-i686
> 
> Debian trixie bumps the compiler baseline for i386 such that this CPU is
> definitely no longer supported, so this issue is solely about bookworm.
> 
> The TL;DR summary of the problem is: in Debian bookworm, the sudo package is
> using -fcf-protection on i386 (where it should be a no-op), but this breaks
> sudo on this Vortex86DX3 CPU (that should ignore ENDBR32 but does not).
> 
> The TC has been discussing the issue with all involved parties and Marc, the
> sudo maintainer, has agreed to accept advice, so we will just do that instead of
> overruling him.
> 
> I am calling for votes on this ballot:
> 
>   [A] The TC advises the sudo maintainer to update the sudo package in bookworm
>   such that on the i386 architecture, the `-fcf-protection` compiler flag is no
>   longer used.
> 
>   [F] Further discussion.

With 6 votes in favor and none against, option A was accepted by the
committee.

Marc, do you need anything else from us?

Christoph
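A check that follows naturally from the thread above is whether a given i386 binary actually contains ENDBR32 instructions, i.e. whether it was built with -fcf-protection. The script below is an added example and is not code from the thread, from sudo or from Debian. It searches the executable sections of an ELF32/ELF64 image for the ENDBR32 (F3 0F 1E FB) and ENDBR64 (F3 0F 1E FA) encodings, both of which sit in the 0F 1E NOP-hint space the mail refers to. The minimal ELF image it builds for its self-contained run is constructed here for demonstration; the file name in the usage note is hypothetical. Restricting the search to sections flagged SHF_EXECINSTR matters because a whole-file byte search also matches the same bytes in data, as the sample shows.

```python
"""Count ENDBR32/ENDBR64 opcodes in the executable sections of an ELF image.
Added example, not from the sudo/Debian thread.  Encodings (Intel SDM):
ENDBR32 = F3 0F 1E FB, ENDBR64 = F3 0F 1E FA."""
import struct
import sys

ENDBR32 = b"\xf3\x0f\x1e\xfb"
ENDBR64 = b"\xf3\x0f\x1e\xfa"
SHT_STRTAB = 3
SHT_NOBITS = 8          # .bss-style sections have no file contents
SHF_EXECINSTR = 0x4


def count_endbr(code: bytes) -> dict:
    """Raw byte-pattern count.  Run over a whole file this also hits data."""
    return {"endbr32": code.count(ENDBR32), "endbr64": code.count(ENDBR64)}


def _section_headers(data: bytes):
    """Return ([(sh_name, sh_type, sh_flags, sh_offset, sh_size), ...], e_shstrndx)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if is64:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
        fmt = end + "IIQQQQ"   # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
        fmt = end + "IIIIII"
    hdrs = []
    for i in range(e_shnum):
        name, typ, flags, _addr, off, size = struct.unpack_from(fmt, data, e_shoff + i * e_shentsize)
        hdrs.append((name, typ, flags, off, size))
    return hdrs, e_shstrndx


def scan_elf(data: bytes) -> dict:
    """Map each executable section name to its ENDBR32/ENDBR64 counts."""
    hdrs, strndx = _section_headers(data)
    str_off = hdrs[strndx][3]                # file offset of .shstrtab contents
    result = {}
    for name_idx, typ, flags, off, size in hdrs:
        if typ == SHT_NOBITS or not flags & SHF_EXECINSTR:
            continue
        name = data[str_off + name_idx:data.index(b"\x00", str_off + name_idx)].decode()
        result[name] = count_endbr(data[off:off + size])
    return result


def build_sample_elf32(text: bytes, data: bytes) -> bytes:
    """Constructed minimal little-endian ELF32 (EM_386) with .text, .data, .shstrtab."""
    shstrtab = b"\x00.text\x00.data\x00.shstrtab\x00"   # name offsets 1, 7, 13
    text_off = 52                                        # right after the 52-byte header
    data_off = text_off + len(text)
    str_off = data_off + len(data)
    shoff = str_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, LE, EV_CURRENT, SYSV
    # e_type=ET_REL, e_machine=EM_386, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 4, 3)

    def shdr(name, typ, flags, off, size):
        return struct.pack("<IIIIIIIIII", name, typ, flags, 0, off, size, 0, 0, 1, 0)

    shdrs = (bytes(40)                                        # mandatory null section
             + shdr(1, 1, 0x6, text_off, len(text))           # .text: ALLOC|EXECINSTR
             + shdr(7, 1, 0x3, data_off, len(data))           # .data: WRITE|ALLOC
             + shdr(13, SHT_STRTAB, 0, str_off, len(shstrtab)))
    return ehdr + text + data + shstrtab + shdrs


# Constructed sample: two functions with ENDBR32 prologues, plus the ENDBR64
# byte pattern sitting in .data, where it is data rather than an instruction.
SAMPLE_TEXT = ENDBR32 + b"\x55\x89\xe5\x5d\xc3" + ENDBR32 + b"\x31\xc0\xc3"
SAMPLE_DATA = ENDBR64 + bytes(4)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf32(SAMPLE_TEXT, SAMPLE_DATA)
    for sec, counts in scan_elf(blob).items():
        print(f"{sec}: ENDBR32={counts['endbr32']} ENDBR64={counts['endbr64']}")
```

Run it as `python3 endbr_scan.py /usr/bin/sudo` (hypothetical file name) on a bookworm i386 system; a non-zero ENDBR32 count in `.text` means the binary carries the instructions the Vortex86DX3 faults on, a count of zero after the advised rebuild confirms the flag is gone. The search is a byte-pattern match rather than a disassembly, so a hit inside an executable section is almost certainly a function-entry marker but could in principle straddle an instruction boundary; `objdump -d` on the reported section settles any doubt.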

