Hello everyone,

According to the Trixie release notes, Debian 13 has introduced hardening against ROP attacks using Intel CET (Control-flow Enforcement Technology, and similar technologies on other CPUs).

https://www.debian.org/releases/stable/release-notes/whats-new.html#hardening-against-rop-and-cop-jop-attacks-on-amd64-and-arm64

However, when I check with fwupdmgr, it says: “Not supported”

> fwupdmgr security
> [...]
> HSI-3
> ✔ CET Platform: Supported
> [...]
> Runtime Suffix -!
> ✘ CET OS Support: Not supported

This is odd because all of the conditions appear to be met.

/proc/cpuinfo shows both relevant features:

> Model name: 13th Gen Intel(R) Core(TM) i7-1370P
> [...]
> user_shstk
> ibt

The kernel has both options activated:

> $ grep -E "CONFIG_X86_(CET|USER_SHADOW)" /boot/config-`uname -r`
> CONFIG_X86_CET=y
> CONFIG_X86_USER_SHADOW_STACK=y

The manpage of dpkg-buildflags says it has the relevant build flags set as default:

> branch
> This setting (since dpkg 1.22.0; enabled by default) adds
> -fcf-protection on amd64 and -mbranch-protection=standard on arm64
> to CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, FFLAGS and FCFLAGS.
> This adds branch protection to indirect calls, jumps and returns to
> check whether these are valid at run-time.

> Package: dpkg
> Version: 1.22.21

The kernel documentation says that readelf should show a note in binaries.

<https://docs.kernel.org/next/arch/x86/shstk.html>

However, it does not show anything CET related on my binaries, e.g.:

> /usr/lib/x86_64-linux-gnu/libc.so.6

What am I missing?

Regards
Stephan
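An added example, not part of the message above, showing what the note the kernel documentation refers to actually looks like: it parses the `.note.gnu.property` section that `-fcf-protection` builds carry (the same data `readelf -n` prints as "x86 feature: IBT, SHSTK") and reports which CET features a binary advertises. The ELF walker assumes a little-endian ELF64 file; the sample note bytes are constructed for offline use, not taken from a real binary.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
X86_FEATURE_1_BITS = {1 << 0: "IBT", 1 << 1: "SHSTK"}  # branch tracking, shadow stack


def parse_gnu_property_note(data, align=8):
    # Walk ELF notes (namesz, descsz, type, name, desc). align is the section's
    # sh_addralign: 8 for ELF64 property notes, 4 for ELF32.
    features = set()
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        name = data[off + 12:off + 12 + namesz]
        desc_off = off + 12 + ((namesz + 3) & ~3)
        desc = data[desc_off:desc_off + descsz]
        off = desc_off + ((descsz + align - 1) & ~(align - 1))
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):  # each property: pr_type, pr_datasz, data
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                bits = struct.unpack_from("<I", desc, p + 8)[0]
                features |= {n for b, n in X86_FEATURE_1_BITS.items() if bits & b}
            p += 8 + ((pr_datasz + align - 1) & ~(align - 1))
    return features


def cet_features_of_elf(path):
    # Minimal section-header walk; assumes a little-endian ELF64 file.
    with open(path, "rb") as f:
        blob = f.read()
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError(f"{path}: not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", blob, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", blob, 0x3A)

    def shdr(i):  # Elf64_Shdr fields: name, type, flags, addr, offset, size, ...
        return struct.unpack_from("<IIQQQQIIQQ", blob, e_shoff + i * e_shentsize)

    strtab_off = shdr(e_shstrndx)[4]
    for i in range(e_shnum):
        sh_name, _, _, _, sh_offset, sh_size, *_ = shdr(i)
        start = strtab_off + sh_name
        if blob[start:blob.index(b"\0", start)] == b".note.gnu.property":
            return parse_gnu_property_note(blob[sh_offset:sh_offset + sh_size])
    return set()  # no property note: the linker recorded no CET feature bits


# Constructed note bytes (not from a real binary) advertising both IBT and SHSTK.
SAMPLE_NOTE = struct.pack("<III4sIII4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                          GNU_PROPERTY_X86_FEATURE_1_AND, 4, 0b11)
```

Run `cet_features_of_elf("/usr/lib/x86_64-linux-gnu/libc.so.6")` to compare with the `readelf -n` output; an empty set means the file carries no GNU property note at all, which is a different situation from a note that lists neither feature.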