Message-ID: <aLan9S_47ERx69xO@torres.zugschlus.de>
Date: Tue, 2 Sep 2025 10:16:53 +0200
From: Marc Haber <mh+debian-kernel@...schlus.de>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Marcos Del Sol Vives <marcos@...a.pet>,
	kernel test robot <oliver.sang@...el.com>, oe-lkp@...ts.linux.dev,
	lkp@...el.com, linux-kernel@...r.kernel.org,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
	Peter Zijlstra <peterz@...radead.org>, Kees Cook <kees@...nel.org>,
	"Xin Li (Intel)" <xin@...or.com>,
	Sabyrzhan Tasbolatov <snovitoll@...il.com>
Subject: Re: [PATCH v2] x86: add hintable NOPs emulation

Hello,

I am one of the maintainers of sudo in Debian. The submitter of this 
kernel patch has been lobbying for changes to sudo for a longer time, 
asking me to disable -fcf-protection in the Debian packages for i386.

I am reluctant to do so because I don't want to disable a security 
feature for the complete distribution just because it doesn't work for a 
rather exotic CPU family, that - to my understanding but please correct 
me if I'm wrong - claims to be i686 but actually isn't.

On Mon, Sep 01, 2025 at 02:28:04PM -0700, H. Peter Anvin wrote:
>On September 1, 2025 4:43:15 AM PDT, Marcos Del Sol Vives <marcos@...a.pet> wrote:
>>I assume the kernel is currently simply ignoring the CET flag on ELF for
>>all 32-bit x86 binaries and libraries?
>>
>>Anyhow, seeing this is indeed becoming more tricky and error-prone, I'm
>>contacting the sudo developer which is, so far, the only software that
>>has this issue.
>
>Yep.

So you're saying that -fcf-protection is basically a no-op on i386 and 
will never have an effect?

For me, as the maintainer of the Debian package, this is an academic 
question. The change that the submitter wants in Debian will not happen 
in Debian unless the technical committee overrides my decision. And 
Debian oldstable is the last release that had full support for the i386 
architecture anyway. We reduced i386 support to be a "partial 
architecture" in current stable, targeting that architecture for 
containers and multi-arch systems with an amd64 kernel.

Will -fcf-protection have an effect when an i386 sudo is being executed 
with an amd64 kernel?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
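The thread above turns on two things a maintainer can check in a binary without relying on anyone's assurance: the ELF property note that a -fcf-protection build stamps on the object (the "CET flag on ELF" the quoted reply refers to), and the endbr32 instruction that GCC places at every function entry on i386. The following is an added example, not code from this thread, from sudo or from the kernel patch under discussion. It parses the descriptor of a NT_GNU_PROPERTY_TYPE_0 note for the GNU_PROPERTY_X86_FEATURE_1_AND bitmask and counts endbr32 encodings in a code blob. Both input buffers are constructed here for illustration; it assumes the caller has already located the note descriptor (for example via the PT_GNU_PROPERTY segment or readelf -n) and uses 4-byte property padding as ELFCLASS32 requires. The endbr32 opcode (F3 0F 1E FB) sits in the 0F 1E hintable-NOP group, which is why a CPU that does not implement those NOPs faults on it, and why the instruction is a plain NOP everywhere else.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the GNU property note ABI used by the x86 psABI. */
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the descriptor of a NT_GNU_PROPERTY_TYPE_0 note.  Each property is
 * pr_type (4 bytes), pr_datasz (4 bytes), then pr_datasz bytes of data
 * padded to `align` (4 for ELFCLASS32, 8 for ELFCLASS64).  Stores the
 * X86_FEATURE_1_AND bitmask in *out and returns 1; returns 0 when the
 * property is absent or the descriptor is truncated or malformed. */
int parse_x86_feature_1(const unsigned char *desc, size_t len,
                        size_t align, uint32_t *out)
{
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t pr_type = rd32(desc + off);
        uint32_t pr_datasz = rd32(desc + off + 4);
        off += 8;
        if (pr_datasz > len - off)
            return 0;                       /* property runs past the note */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND) {
            if (pr_datasz != 4)
                return 0;                   /* ABI says this one is 4 bytes */
            *out = rd32(desc + off);
            return 1;
        }
        off += (pr_datasz + align - 1) & ~(align - 1);
    }
    return 0;
}

/* Count ENDBR32 instructions (F3 0F 1E FB) in a code blob.  Without IBT the
 * CPU treats the bytes as a hintable NOP from the 0F 1E group. */
size_t count_endbr32(const unsigned char *code, size_t len)
{
    static const unsigned char endbr32[4] = { 0xf3, 0x0f, 0x1e, 0xfb };
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(code + i, endbr32, 4) == 0)
            n++;
    return n;
}

/* Constructed sample: the descriptor a 32-bit object built with
 * -fcf-protection=full carries (IBT | SHSTK), little-endian. */
const unsigned char SAMPLE_NOTE_DESC[] = {
    0x02, 0x00, 0x00, 0xc0,   /* pr_type = GNU_PROPERTY_X86_FEATURE_1_AND */
    0x04, 0x00, 0x00, 0x00,   /* pr_datasz = 4 */
    0x03, 0x00, 0x00, 0x00,   /* IBT | SHSTK */
};

/* Constructed sample: two i386 prologues as GCC emits them with
 * -fcf-protection (endbr32; push %ebp; mov %esp,%ebp; pop %ebp; ret). */
const unsigned char SAMPLE_CODE[] = {
    0xf3, 0x0f, 0x1e, 0xfb, 0x55, 0x89, 0xe5, 0x5d, 0xc3,
    0xf3, 0x0f, 0x1e, 0xfb, 0x55, 0x89, 0xe5, 0x5d, 0xc3,
};

int main(void)
{
    uint32_t feat = 0;
    if (parse_x86_feature_1(SAMPLE_NOTE_DESC, sizeof SAMPLE_NOTE_DESC, 4, &feat))
        printf("X86_FEATURE_1_AND = 0x%x (IBT=%u SHSTK=%u)\n", feat,
               !!(feat & GNU_PROPERTY_X86_FEATURE_1_IBT),
               !!(feat & GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    else
        printf("no X86_FEATURE_1_AND property\n");
    printf("endbr32 count: %zu\n", count_endbr32(SAMPLE_CODE, sizeof SAMPLE_CODE));
    return 0;
}
```

On a real object, feed parse_x86_feature_1 the descriptor bytes of the .note.gnu.property section and count_endbr32 the bytes of .text; a 32-bit sudo built with -fcf-protection will show both the IBT bit and one endbr32 per function, regardless of whether any kernel ever acts on the marker.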