Re: Status of Intel CET in Debian

To: Stephan Verbücheln <verbuecheln@posteo.de>
Cc: debian-security@lists.debian.org, Guillem Jover <guillem@debian.org>
Subject: Re: Status of Intel CET in Debian
From: Emanuele Rocca <ema@debian.org>
Date: Thu, 16 Oct 2025 09:37:07 +0200
Message-id: <[🔎] aPCgo4cZe5aQrg9x@ariel.home>
In-reply-to: <[🔎] 66e599abaa304b9b20bb09ae728ef109a3dcd35d.camel@posteo.de>
References: <[🔎] 66e599abaa304b9b20bb09ae728ef109a3dcd35d.camel@posteo.de>

Hi Stephan,

On 2025-10-15 07:38, Stephan Verbücheln wrote:
> According to the Trixie release notes, Debian 13 has introduced
> hardening against ROP attacks using Intel CET (Control-flow Enforcement
> Technology, and similar technologies on other CPUs).
> 
> https://www.debian.org/releases/stable/release-notes/whats-new.html#hardening-against-rop-and-cop-jop-attacks-on-amd64-and-arm64
> 
> However, when I check with fwupdmgr, it says: “Not supported”
> 
> > fwupdmgr security
> [...]
> > HSI-3
> > ✔ CET Platform:                  Supported
> [...]
> > Runtime Suffix -!
> > ✘ CET OS Support:                Not supported

There is still some work to be done, at least on the glibc side, as
Guillem mentioned here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114518

ciao,
  ema

Reply to:

References:
- Status of Intel CET in Debian
  - From: Stephan Verbücheln <verbuecheln@posteo.de>

Prev by Date: Re: Status of Intel CET in Debian
Next by Date: Upcoming stable point release (13.2)
Previous by thread: Re: Status of Intel CET in Debian
Next by thread: Re: Re: BerkeleyDB CVEs
Index(es):
- Date
- Thread