Bug#1114518: glibc: Please consider enabling CET support on amd64

To: submit@bugs.debian.org
Subject: Bug#1114518: glibc: Please consider enabling CET support on amd64
From: Guillem Jover <guillem@debian.org>
Date: Sat, 6 Sep 2025 15:43:08 +0200
Message-id: <[🔎] aLw6bE3I0Pbcnm7E@thunder.hadrons.org>
Reply-to: Guillem Jover <guillem@debian.org>, 1114518@bugs.debian.org

Source: glibc
Source-Version: 2.41-12
Severity: wishlist
Tags: security

Hi!

As it was brought up recently in #1113864, it seems like we are
lacking support from glibc (and Linux) for full CET coverage on amd64.

On the kernel there seems to still be missing support for IBT, which
means glibc cannot add support to enable it yet, although it has
scaffolding for it (tunables and ELF markings etc). But at least both
have support for shadow stacks.

I think it would be nice to enable CET support, via glibc's configure
--enable-cet=permissive option on amd64, so that we can start to
exercise this.

AFAIUI --enable-cet might currently be too strict, and could refuse to
load shared objects that have not yet been marked as supporting CET
(shadow stacks and/or IBT), such as packages not using dpkg-buildflags,
or for projects with source in assembler that have not been marked with
the appropriate section.

I think other distributions pass --enable-cet=permissive as well, and I
think previously they were passing --enable-cet and had to either
revert that due to breakage or switch to --enable-cet=permissive.
Checking now Fedora for example I see this:

  <https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc.spec#_1412>

Thanks,
Guillem

Reply to:

Prev by Date: Re: SystemTap probes in glibc
Next by Date: Bug#1114824: libc-bin: ldd fails when "set -u" is used
Previous by thread: Re: SystemTap probes in glibc
Next by thread: Bug#1114824: libc-bin: ldd fails when "set -u" is used
Index(es):
- Date
- Thread