Message-ID: <aLan9S_47ERx69xO@torres.zugschlus.de>
Date: Tue, 2 Sep 2025 10:16:53 +0200
From: Marc Haber <mh+debian-kernel@...schlus.de>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Marcos Del Sol Vives <marcos@...a.pet>,
kernel test robot <oliver.sang@...el.com>, oe-lkp@...ts.linux.dev,
lkp@...el.com, linux-kernel@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>, Kees Cook <kees@...nel.org>,
"Xin Li (Intel)" <xin@...or.com>,
Sabyrzhan Tasbolatov <snovitoll@...il.com>
Subject: Re: [PATCH v2] x86: add hintable NOPs emulation
Hello,
I am one of the maintainers of sudo in Debian. The submitter of this
kernel patch has been lobbying for changes to sudo for a longer time,
asking me to disable -fcf-protection in the Debian packages for i386.
I am reluctant to do so because I don't want to disable a security
feature for the complete distribution just because it doesn't work for a
rather exotic CPU family, that - to my understanding but please correct
me if I'm wrong - claims to be i686 but actually isn't.
On Mon, Sep 01, 2025 at 02:28:04PM -0700, H. Peter Anvin wrote:
>On September 1, 2025 4:43:15 AM PDT, Marcos Del Sol Vives <marcos@...a.pet> wrote:
>>I assume the kernel is currently simply ignoring the CET flag on ELF for
>>all 32-bit x86 binaries and libraries?
>>
>>Anyhow, seeing this is indeed becoming more tricky and error-prone, I'm
>>contacting the sudo developer which is, so far, the only software that
>>has this issue.
>
>Yep.
So you're saying that -fcf-protection is basically a no-op on i386 and
will never have an effect?
For me, as the maintainer of the Debian package, this is an academic
question. The change that the submitter wants in Debian will not happen
in Debian unless the technical committee overrides my decision. And
Debian oldstable is the last release that had full support for the i386
architecture anyway. We reduced i386 support to be a "partial
architecture" in current stable, targeting that architecture for
containers and multi-arch systems with an amd64 kernel.
Will -fcf-protection have an effect when an i386 sudo is being executed
with an amd64 kernel?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
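The thread turns on whether a CET property note in an i386 ELF binary is ever acted on. A maintainer can at least establish the first half of that question, whether a given binary was built with -fcf-protection at all, by reading the GNU property note the linker emits (GNU_PROPERTY_X86_FEATURE_1_AND with the IBT and SHSTK bits). The script below is an added example written for this page; it is not code from the thread, from sudo or from the kernel patch under discussion. It assumes little-endian x86 ELF input, walks the section headers rather than the PT_GNU_PROPERTY segment, and uses each note section's own alignment. It reports only what the binary declares; whether the running kernel or CPU enforces those bits is exactly the open question in the thread, and this check says nothing about that.

```python
"""Report the CET feature bits (-fcf-protection) declared by an x86 ELF binary.
Added example for this page; not part of sudo or the kernel patch."""
import struct
import sys

# Constants as defined in the GNU ELF ABI (elf.h).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1
SHT_NOTE = 7


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(data: bytes, align: int = 4) -> int:
    """Return the X86_FEATURE_1_AND bitmask found in raw note bytes, or 0.
    `align` is the note section's alignment: 4 for ELF32, 8 for the ELF64
    .note.gnu.property section."""
    flags = 0
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, align)
        desc = data[off:off + descsz]
        off += _align(descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # build-id, ABI tag or other unrelated note
        # desc is a list of (pr_type, pr_datasz, pr_data) records.
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                flags |= struct.unpack_from("<I", desc, p)[0]
            p += _align(pr_datasz, align)
    return flags


def build_note(flags: int, align: int) -> bytes:
    """Constructed sample note with the given feature bits (self-test input)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, flags)
    desc += b"\0" * (_align(len(desc), align) - len(desc))
    name = b"GNU\0"
    name += b"\0" * (_align(len(name), align) - len(name))
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc


def describe(flags: int) -> str:
    parts = []
    if flags & GNU_PROPERTY_X86_FEATURE_1_IBT:
        parts.append("IBT")
    if flags & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
        parts.append("SHSTK")
    return "+".join(parts) if parts else "none"


def cet_flags_of_elf(blob: bytes) -> int:
    """Merge the feature bits of every SHT_NOTE section of a little-endian
    ELF image (no string-table lookup needed, unrelated notes are skipped)."""
    if blob[:4] != b"\x7fELF" or blob[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if blob[4] == 2:  # ELFCLASS64
        (e_shoff,) = struct.unpack_from("<Q", blob, 0x28)
        e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x3A)
        off_f, size_f, align_f, word = 0x18, 0x20, 0x30, "<Q"
    else:             # ELFCLASS32
        (e_shoff,) = struct.unpack_from("<I", blob, 0x20)
        e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x2E)
        off_f, size_f, align_f, word = 0x10, 0x14, 0x20, "<I"
    flags = 0
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from("<I", blob, sh + 4)
        if sh_type != SHT_NOTE:
            continue
        (sh_offset,) = struct.unpack_from(word, blob, sh + off_f)
        (sh_size,) = struct.unpack_from(word, blob, sh + size_f)
        (sh_addralign,) = struct.unpack_from(word, blob, sh + align_f)
        align = 8 if sh_addralign >= 8 else 4
        flags |= parse_gnu_property_note(blob[sh_offset:sh_offset + sh_size], align)
    return flags


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, describe(cet_flags_of_elf(f.read())))
```

Run it as `python3 cetcheck.py /usr/bin/sudo`; "IBT+SHSTK" means the package was built with -fcf-protection, "none" means it was not. Reading the section headers rather than the PT_GNU_PROPERTY segment keeps the parser short, but a stripped binary without section headers would need the program-header route instead.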