On Thu, Aug 21, 2025 at 06:53:48PM +0200, Marcos Del Sol Vives wrote:
Would it be acceptable to, rather than disable it entirely as previously
proposed, enable CET only when compiling for IA64 (amd64), but not for any
other architecture?

I think you are mixing up IA64 (Intel Itanium), a non-x86 instruction set from 
Intel, with amd64/x86_64 (also known as EM64T or Intel 64), a 64-bit expansion 
of the x86 instruction set. They are not the same thing, even though x86 is 
also referred to as IA32: you might reasonably expect that the 64-bit 
expansion/replacement of IA32 would be called IA64, but because of how Intel 
have chosen to name their products, that is not actually true. (I agree that 
this naming is extremely confusing.)

Typical 64-bit "PC" laptops/desktops/servers are x86_64 machines that can 
(hopefully) run Debian's amd64 architecture, regardless of whether their CPU was 
manufactured by Intel, AMD or someone else.

If you want to get security-sensitive changes merged for the benefit of these 
architectures, it will probably go better if you are clear about which 
architecture you are talking about!

(Another relevant source of confusion is that 32-bit x86 is not the same thing 
as x32.)

    smcv

Hey.

I was incorrectly using IA64 to refer not to Itanium but to x86-64 aka AMD64 
aka long mode, as IA32 is indeed x86. My bad! The x86 naming scheme is indeed a 
pretty convoluted one.

Anyhow, my point would be the same: maybe keep CET only for amd64, and disable 
it for the rest:

Well, you've already got the answer to this question specifically (back in 2023), but you should also consider that the baseline for i386 in trixie is no longer suitable for you anyway.

--
WBR, wRAR
