On 21/08/2025 at 18:34, Simon McVittie wrote:
> On Thu, 21 Aug 2025 at 16:48:35 +0200, Marcos Del Sol Vives wrote:
>> Would it be acceptable to, rather than disable it entirely as previously
>> proposed, enable CET only when compiling for IA64 (amd64), but not for any
>> other architecture?
> 
> I think you are mixing up IA64 (Intel Itanium), a non-x86 instruction set 
> from Intel, with amd64/x86_64 (also known as EM64T or Intel 64), a 64-bit 
> expansion of the x86 instruction set. They are not the same thing, even 
> though x86 is also referred to as IA32: you might reasonably expect that the 
> 64-bit expansion/replacement of IA32 would be called IA64, but because of how 
> Intel have chosen to name their products, that is not actually true. (I agree 
> that this naming is extremely confusing.)
> 
> Typical 64-bit "PC" laptops/desktops/servers are x86_64 machines that can 
> (hopefully) run Debian's amd64 architecture, regardless of whether their CPU 
> was manufactured by Intel, AMD or someone else.
> 
> If you want to get security-sensitive changes merged for the benefit of these 
> architectures, it will probably go better if you are clear about which 
> architecture you are talking about!
> 
> (Another relevant source of confusion is that 32-bit x86 is not the same 
> thing as x32.)
> 
>     smcv

Hey.

I was incorrectly referring with IA64 not to Itanium but to x86-64 aka AMD64 
aka long mode, as IA32 is indeed x86. My bad! The x86 naming scheme is indeed a 
pretty convoluted one.

Anyhow, my point would be the same: maybe keep CET only for amd64, and disable 
it for the rest:

--- sudo-1.9.13p3.orig/m4/hardening.m4
+++ sudo-1.9.13p3/m4/hardening.m4
@@ -105,6 +105,8 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
                ])
            fi

+           if test X"$host_cpu" = X"x86_64"; then
+
            # Check for control-flow transfer instrumentation (Intel CET).
            AX_CHECK_COMPILE_FLAG([-fcf-protection], [
                AX_CHECK_LINK_FLAG([-fcf-protection], [
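Review bot: the new guard `if test X"$host_cpu" = X"x86_64"; then` excludes 32-bit x86 hosts (`i386`, `i686`, ...), where GCC's `-fcf-protection` is just as valid as on x86_64, so the condition enforces "amd64 only" rather than "x86 only"; if amd64-only is really the intent, a one-line comment above the `if` should say why, since nothing in the hunk explains it and `AX_CHECK_COMPILE_FLAG` already drops the flag on compilers that reject it. If 32-bit x86 should keep CET, a `case "$host_cpu" in i?86|x86_64) ... ;; esac` would be the clearer idiom. The bare `+` line after `then` is also stray whitespace that can go.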
@@ -112,6 +114,8 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
                    AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
                ])
            ])
+
+           fi
        fi

        # Linker-specific hardening flags.
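Review bot: the closing `fi` is placed at the same column as the `AX_CHECK_COMPILE_FLAG(` block it now wraps, and the wrapped lines (from the CET comment down to the `])`) were not re-indented, so on reading the file the new `fi` looks like it closes the enclosing `if` on the line below rather than the added one. Indenting the wrapped block by one level (four spaces, matching the rest of the macro) in the same patch would make the nesting visible at a glance; the extra blank `+` line before the `fi` should also be dropped.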

Marcos
