In #1113774, Marcos Del Sol Vives is asking the committee about the compiler flags used for sudo in bookworm on the i386 architecture. The sudo version there is enabling `-fcf-protection` when supported by the compiler:

https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u2/m4/hardening.m4#L108-L114

The problem is that on his machine, a Vortex86DX3, the generated ENDBR instructions, which live in an opcode region declared as NOPs in earlier architecture specs, are not ignored but raise exceptions and cause sudo to abort.

There is a lot of evidence that Control-flow Enforcement Technology (CET or cf-protection) is only meant to be enabled on 64-bit binaries and is ineffective elsewhere:

* https://docs.kernel.org/next/x86/shstk.html
* https://lkml.org/lkml/2025/9/1/1704

One part of the thread was discussing the usefulness of this feature even in 64-bit environments (the kernel only half-supports it in userland), which has led to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113864 being filed on dpkg-dev, but this is not relevant to the TC question. In fact, dpkg-dev is only emitting -fcf-protection on amd64 and not on i386. A large part of the thread assumed the default bookworm compiler flags had that problem, but it's actually upstream sudo adding -fcf-protection.

Around the time of the discussion, upstream sudo included a change that limits -fcf-protection to x86_64:

https://github.com/sudo-project/sudo/pull/468

The question whether Vortex86DX3 is part of bookworm's i386 architecture baseline was raised. In https://lists.debian.org/debian-devel/2023/10/msg00120.html Ben Hutchings confirms that ENDBR32 should be ignored by i686-conformant processors, and that i686 is required for bookworm. (He corrects himself in the next mail saying this would apply to trixie only, but again corrects himself saying this applies to bookworm indeed.) This seems to indicate that Vortex86DX3 is not i686-conformant. The submitter claims the CPU is conformant, citing https://psc.informatik.uni-jena.de/hw/p-pro-3.pdf page 417 as saying ENDBR32 was "reserved".

https://www.debian.org/releases/bookworm/i386/release-notes/ch-information.en.html#i386-is-i686

Debian trixie bumps the compiler baseline for i386 such that this CPU is definitely no longer supported, so this issue is solely about bookworm.

The TL;DR summary of the problem is: in Debian bookworm, the sudo package is using -fcf-protection on i386 (where it should be a no-op), but this breaks sudo on this Vortex86DX3 CPU (that should ignore ENDBR32 but does not).

The TC has been discussing the issue with all involved parties and Marc, the sudo maintainer, has agreed to accept advice, so we will just do that instead of overruling him.

I am calling for votes on this ballot:

[A] The TC advises the sudo maintainer to update the sudo package in bookworm such that on the i386 architecture, the `-fcf-protection` compiler flag is no longer used.

[F] Further discussion.

Christoph
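As an added example (not code from the bug report, the TC, Debian's tooling or the sudo project), the following Python script does offline what a practitioner would do with objdump and readelf to verify the situation described above and, later, the fix: it scans raw .text bytes for the ENDBR32/ENDBR64 encodings (F3 0F 1E FB / F3 0F 1E FA, which sit in the 0F 1E reserved-NOP space that a CET-less CPU is expected to treat as a NOP) and decodes the GNU_PROPERTY_X86_FEATURE_1_AND entry of a .note.gnu.property section, which is where the toolchain records IBT/SHSTK when a binary is built with -fcf-protection. The sample code bytes and property note are constructed inline; the byte scan is a pattern match, not a disassembler, so on a real binary run it over the .text section only and confirm odd hits with objdump.

```python
"""Check whether x86 code bytes and ELF property metadata carry CET markings.

Added example for this thread; not code from the Debian bug, the TC, or the sudo
project. All sample bytes below are constructed inline.
"""
import struct

# ENDBR lives in the 0F 1E /r "reserved NOP" (hint-NOP) space: F3 (REP) prefix,
# 0F 1E opcode, ModRM FB (mod=11, reg=7, rm=3) for ENDBR32, FA for ENDBR64.
# A CPU without CET support is expected to execute either as a NOP.
ENDBR32 = b"\xf3\x0f\x1e\xfb"
ENDBR64 = b"\xf3\x0f\x1e\xfa"

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def find_endbr(code):
    """Return sorted (offset, mnemonic) pairs for every ENDBR32/ENDBR64 byte pattern.

    Byte-pattern scan, not a disassembler: feed it .text bytes, and confirm any
    surprising hit with objdump, since the pattern could sit inside an immediate.
    """
    hits = []
    for pattern, name in ((ENDBR32, "endbr32"), (ENDBR64, "endbr64")):
        pos = code.find(pattern)
        while pos >= 0:
            hits.append((pos, name))
            pos = code.find(pattern, pos + 1)
    return sorted(hits)


def build_property_note(features, elfclass=32):
    """Build a .note.gnu.property blob carrying X86_FEATURE_1_AND = features.

    Only used here to construct test input (ld emits the real note). Property
    entries are padded to 4 bytes for ELF32 and 8 bytes for ELF64.
    """
    align = 8 if elfclass == 64 else 4
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, features)
    prop += b"\0" * (-len(prop) % align)
    name = b"GNU\0"
    return struct.pack("<III", len(name), len(prop), NT_GNU_PROPERTY_TYPE_0) + name + prop


def x86_feature_1(note, elfclass=32):
    """Parse a .note.gnu.property section; return the X86_FEATURE_1_AND mask (0 if absent)."""
    align = 8 if elfclass == 64 else 4
    if len(note) < 12:
        return 0
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        return 0
    off = 12 + -(-namesz // 4) * 4          # note name is padded to 4 bytes
    end = off + descsz
    while off + 8 <= end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, off)
        off += 8
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            return struct.unpack_from("<I", note, off)[0]
        off += -(-pr_datasz // align) * align
    return 0


def audit(code, note, elfclass=32):
    """Summarise what a build carries: IBT/SHSTK marking and ENDBR instruction counts."""
    features = x86_feature_1(note, elfclass)
    hits = find_endbr(code)
    return {
        "ibt_marked": bool(features & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk_marked": bool(features & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
        "endbr32": sum(1 for _, m in hits if m == "endbr32"),
        "endbr64": sum(1 for _, m in hits if m == "endbr64"),
    }


# Constructed sample .text: two i386 prologues the way gcc -m32 -fcf-protection
# emits them (endbr32; push %ebp; mov %esp,%ebp; pop %ebp; ret), three padding
# NOPs, then one function built without the flag.
CET_TEXT = (
    ENDBR32 + b"\x55\x89\xe5\x5d\xc3"
    + b"\x90\x90\x90"
    + ENDBR32 + b"\x55\x89\xe5\x5d\xc3"
    + b"\x55\x89\xe5\x5d\xc3"
)
PLAIN_TEXT = b"\x55\x89\xe5\x5d\xc3" * 3
CET_NOTE = build_property_note(GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK)

if __name__ == "__main__":
    print("built with -fcf-protection:", audit(CET_TEXT, CET_NOTE))
    print("built without:             ", audit(PLAIN_TEXT, b""))
```

On an actual bookworm i386 install the same two checks are `objdump -d /usr/bin/sudo | grep -c endbr32` and `readelf -n /usr/bin/sudo` (look for an "x86 feature: IBT" property line); after the advised rebuild without -fcf-protection both should come back empty, which is the observable condition for the Vortex86DX3 no longer faulting on ENDBR32.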

