(Bcc'ing -devel for information)

> In #1113774, Marcos Del Sol Vives is asking the committee about the compiler
> flags used for sudo in bookworm on the i386 architecture. The sudo version
> there is enabling `-fcf-protection` when supported by the compiler:
>
> https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u2/m4/hardening.m4#L108-L114
>
> The problem is that on his machine, a Vortex86DX3, the generated ENDBR
> instructions, which live in an opcode region declared as NOPs in earlier
> architecture specs, are not ignored, but raise exceptions and cause sudo to
> abort.
>
> There is a lot of evidence that Control-flow Enforcement Technology (CET or
> cf-protection) is only meant to be enabled on 64-bit binaries and is
> ineffective elsewhere:
> * https://docs.kernel.org/next/x86/shstk.html
> * https://lkml.org/lkml/2025/9/1/1704
>
> One part of the thread was discussing the usefulness of this feature even in
> 64-bit environments (the kernel only half-supports it in userland), which has
> led to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113864 being filed on
> dpkg-dev, but this is not relevant to the TC question. In fact, dpkg-dev is
> only emitting -fcf-protection on amd64 and not on i386. A large part of the
> thread assumed the default bookworm compiler flags had that problem, but it's
> actually upstream sudo adding -fcf-protection.
>
> Around the time of the discussion, upstream sudo included a change that limits
> -fcf-protection to x86_64: https://github.com/sudo-project/sudo/pull/468
>
> The question whether Vortex86DX3 is part of bookworm's i386 architecture
> baseline was raised. In https://lists.debian.org/debian-devel/2023/10/msg00120.html
> Ben Hutchings confirms that ENDBR32 should be ignored by i686-conformant
> processors, and that i686 is required for bookworm. (He corrects himself in the
> next mail saying this would apply to trixie only, but again corrects himself
> saying this applies to bookworm indeed.)
>
> This seems to indicate that Vortex86DX3 is not i686-conformant. The submitter
> claims the CPU is conformant, citing
> https://psc.informatik.uni-jena.de/hw/p-pro-3.pdf page 417 as saying ENDBR32
> was "reserved".
>
> https://www.debian.org/releases/bookworm/i386/release-notes/ch-information.en.html#i386-is-i686
>
> Debian trixie bumps the compiler baseline for i386 such that this CPU is
> definitely no longer supported, so this issue is solely about bookworm.
>
> The TL;DR summary of the problem is: in Debian bookworm, the sudo package is
> using -fcf-protection on i386 (where it should be a no-op), but this breaks
> sudo on this Vortex86DX3 CPU (which should ignore ENDBR32 but does not).
>
> The TC has been discussing the issue with all involved parties and Marc, the
> sudo maintainer, has agreed to accept advice, so we will just do that instead
> of overruling him.
>
> I am calling for votes on this ballot:
>
> [A] The TC advises the sudo maintainer to update the sudo package in bookworm
>     such that on the i386 architecture, the `-fcf-protection` compiler flag is
>     no longer used.
>
> [F] Further discussion.
With 6 votes in favor and none against, option A was accepted by the committee.

Marc, do you need anything else from us?

Christoph
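As an added illustration (not code from this thread, from sudo, or from Debian), the following C program does the two things the quoted discussion turns on. It scans a byte buffer for the ENDBR32/ENDBR64 encodings that `-fcf-protection` emits, so a maintainer can check whether a rebuilt i386 binary still carries them, and it executes a single ENDBR32 under a SIGILL handler to report whether the running CPU treats it as a NOP, as an i686-conformant processor should, or faults, as reported for the Vortex86DX3. The sample byte buffer is constructed, the function names are my own, and it assumes GCC or Clang on Linux.

```c
/* Added example: ENDBR32 conformance probe and a raw scan for ENDBR encodings.
 * Not Debian's or sudo's code. Assumes GCC/Clang on Linux (inline asm,
 * sigaction, sigsetjmp). */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encodings emitted by -fcf-protection (branch tracking part):
 * F3 0F 1E FB = ENDBR32, F3 0F 1E FA = ENDBR64. */
static const unsigned char ENDBR32[4] = { 0xf3, 0x0f, 0x1e, 0xfb };
static const unsigned char ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* Count occurrences of a 4-byte pattern in a raw buffer (e.g. an extracted
 * .text section). A raw scan can mis-hit on data bytes, so treat a non-zero
 * count as "inspect with objdump", not as proof. */
static size_t count_pattern(const unsigned char *buf, size_t len,
                            const unsigned char pat[4])
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, pat, 4) == 0)
            n++;
    return n;
}

size_t count_endbr32(const unsigned char *buf, size_t len)
{
    return count_pattern(buf, len, ENDBR32);
}

size_t count_endbr64(const unsigned char *buf, size_t len)
{
    return count_pattern(buf, len, ENDBR64);
}

/* Constructed sample: two tiny i386 functions built with branch tracking
 * (ENDBR32 prologue) followed by one x86-64 style ENDBR64 prologue. */
const unsigned char sample_text[] = {
    0xf3, 0x0f, 0x1e, 0xfb,   /* endbr32 */
    0x55,                     /* push ebp */
    0x89, 0xe5,               /* mov ebp, esp */
    0x5d,                     /* pop ebp */
    0xc3,                     /* ret */
    0xf3, 0x0f, 0x1e, 0xfb,   /* endbr32 */
    0x31, 0xc0,               /* xor eax, eax */
    0xc3,                     /* ret */
    0xf3, 0x0f, 0x1e, 0xfa,   /* endbr64 */
    0xc3                      /* ret */
};
const size_t sample_text_len = sizeof sample_text;

static sigjmp_buf probe_env;

static void on_sigill(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if ENDBR32 executed silently (the i686-conformant behaviour the
 * thread expects), 0 if it raised SIGILL (the Vortex86DX3 report), and -1 if
 * this host is not x86 so the probe does not apply. */
int probe_endbr32(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, &old) != 0)
        return -1;

    if (sigsetjmp(probe_env, 1) == 0) {
        /* Raw bytes rather than the mnemonic so this assembles on toolchains
         * that do not know ENDBR32. */
        __asm__ volatile(".byte 0xf3, 0x0f, 0x1e, 0xfb" ::: "memory");
        result = 1;   /* reached: the CPU ignored it */
    } else {
        result = 0;   /* SIGILL handler fired */
    }
    sigaction(SIGILL, &old, NULL);
    return result;
#else
    return -1;
#endif
}

int main(void)
{
    printf("ENDBR32 in sample: %zu, ENDBR64 in sample: %zu\n",
           count_endbr32(sample_text, sample_text_len),
           count_endbr64(sample_text, sample_text_len));
    switch (probe_endbr32()) {
    case 1:  puts("ENDBR32 executed as a NOP on this CPU"); break;
    case 0:  puts("ENDBR32 raised SIGILL on this CPU"); break;
    default: puts("not an x86 host; probe skipped"); break;
    }
    return 0;
}
```

To test the actual bookworm case, build with `gcc -m32` on the i386 machine in question and run it there; on a conformant i686 processor the probe prints the NOP line. To check a package build, feed the bytes of the binary's `.text` section (for example extracted with `objcopy -O binary --only-section=.text`) to `count_endbr32` and expect zero once the flag has been dropped.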

