Your message dated Thu, 4 Dec 2025 15:47:15 +0100
with message-id <[email protected]>
and subject line Debian Technical Committee: Bug#1113774: Disabling
-fcf-protection in sudo for bookworm
has caused the Debian Bug report #1113774,
regarding Disabling -fcf-protection in sudo for bookworm
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1113774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tech-ctte
Severity: normal
Currently "sudo" in Bookworm is broken on i686 for some i686-like
processors such as a Vortex86DX3 I own and VIA processors others have
(https://lists.debian.org/debian-devel/2023/10/msg00118.html), causing a
SIGILL if you attempt to run on them.
The issue is that sudo in bookworm is compiled with "-fcf-protection=full",
which causes binaries to contain ENDBR32 instructions. These are part of
Indirect Branch Tracking, a mechanism introduced by Intel's CET meant to
harden against exploits using return-oriented programming.
ENDBR32s are part of a formerly-reserved chunk of instructions called
"hintable NOPs". These, to my knowledge, were only defined in US patent
US5701442A but not on the software design manual, where they appeared as
"reserved". Thus these processors do what in general reserved instructions
should do - raise an exception.
Disabling a security mechanism for these uncommon processors would be
probably a bad idea, but the thing is that this mechanism is _not_
supported by the Linux kernel in user mode. Thus, the compilation with
IBT just increases the size of the binaries at best, and prevents running
the binary at worst.
For user-mode, and only in 64-bit mode (but not on a native 32-bit system,
nor when running 32-bit applications on a 64-bit kernel), Linux uses
another mechanism that does not require new instructions called shadow
stacks.
This is documented in the Kernel's own page about CET:
https://docs.kernel.org/arch/x86/shstk.html#cet-background
There it explicitly says that the protections are only available in 64-bit
modes, and further analysis of the kernel's code I've done confirms that
being the case:
https://lore.kernel.org/all/[email protected]/
I've submitted a patch against upstream sudo that has been accepted
(https://github.com/sudo-project/sudo/pull/468) that enables the
compilation with -fcf-protection only for 64-bit mode, but the current sudo
Debian maintainer has refused to accept a patch for "bookworm" that fixes
this issue, being concerned that it could lower the overall security of the
binary.
As part of an effort to handle these ENDBR32s in the kernel and ignore
them, H. Peter Anvin (a major x86 arch maintainer in the Linux kernel)
confirmed that 32-bit user-mode applications do not gain any security from
using ENDBR32, and that just disabling the IBT protection for them
would be the best approach:
https://lore.kernel.org/all/[email protected]/
Since bookworm is the last i686 release, I think it'd make sense to fix
this issue.
Greetings,
Marcos
--- End Message ---
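An added example, not part of the bug report above or of the sudo project: a small Python script (hypothetical name cet_inspect.py) that answers, for any given binary, the two questions the report turns on. Does its .note.gnu.property carry the GNU_PROPERTY_X86_FEATURE_1_IBT flag that -fcf-protection sets, and how many ENDBR32 landing pads does its .text actually contain (the bytes that raise SIGILL on the Vortex86DX3)? It parses the ELF directly, so it needs no binutils; it assumes a little-endian ELF whose section headers are still present (Debian binaries are stripped, but keep their section headers). The sample note and code bytes used to check it are constructed.

```python
#!/usr/bin/env python3
"""Report whether an x86 ELF binary is marked for Intel CET (IBT/SHSTK) in its
.note.gnu.property and how many ENDBR32/ENDBR64 landing pads its .text holds.
Added example (hypothetical cet_inspect.py), not code from the bug report or
from sudo. Usage:  python3 cet_inspect.py /usr/bin/sudo
"""
import struct
import sys

# Encodings GCC emits for -fcf-protection: F3 0F 1E FB (ENDBR32) and
# F3 0F 1E FA (ENDBR64), both inside the 0F 1E /r "hintable NOP" range.
ENDBR32 = b"\xf3\x0f\x1e\xfb"
ENDBR64 = b"\xf3\x0f\x1e\xfa"

# .note.gnu.property constants (Linux gABI extensions / x86 psABI)
SHT_NOTE = 7
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align_up(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_desc(desc, elfclass):
    """Split a NT_GNU_PROPERTY_TYPE_0 descriptor into {pr_type: pr_data}.
    Entries are (u32 pr_type, u32 pr_datasz, data) padded to 4 (ELF32) / 8 (ELF64)."""
    align = 8 if elfclass == 64 else 4
    props, off = {}, 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        props[pr_type] = desc[off + 8:off + 8 + pr_datasz]
        off = off + 8 + _align_up(pr_datasz, align)
    return props


def cet_flags(desc, elfclass):
    """{'ibt': bool, 'shstk': bool} from a property descriptor, or None when the
    binary carries no X86_FEATURE_1_AND property (i.e. it was not CET-marked)."""
    data = parse_gnu_property_desc(desc, elfclass).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if data is None or len(data) < 4:
        return None
    (feat,) = struct.unpack_from("<I", data)
    return {"ibt": bool(feat & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(feat & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def count_endbr(code):
    """(n_endbr32, n_endbr64) by byte pattern; a plain scan, not a disassembly,
    so a match inside embedded data is possible but rare."""
    return code.count(ENDBR32), code.count(ENDBR64)


def iter_notes(blob, align):
    """Yield (name, type, desc) for each note in a SHT_NOTE section body. The
    descriptor starts at header+name rounded up to `align` (4 for ELF32, 8 for
    ELF64), which is also how glibc's loader walks the property note."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        name = blob[off + 12:off + 12 + namesz].rstrip(b"\0")
        desc_off = _align_up(off + 12 + namesz, align)
        yield name, ntype, blob[desc_off:desc_off + descsz]
        off = _align_up(desc_off + descsz, align)


def inspect_elf(data):
    """Return (elfclass, cet_flags_or_None, (n_endbr32, n_endbr64)) for a
    little-endian ELF image that still has its section headers (assumed)."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    elfclass = 32 if data[4] == 1 else 64
    if elfclass == 32:
        (shoff,) = struct.unpack_from("<I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        shfmt = "<IIIIIIIIII"  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
    else:
        (shoff,) = struct.unpack_from("<Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        shfmt = "<IIQQQQIIQQ"
    shdrs = [struct.unpack_from(shfmt, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]

    def name_of(sh):
        start = strtab + sh[0]
        return data[start:data.index(b"\0", start)].decode()

    flags, endbr = None, (0, 0)
    for sh in shdrs:
        body = data[sh[4]:sh[4] + sh[5]]
        if sh[1] == SHT_NOTE and name_of(sh) == ".note.gnu.property":
            for name, ntype, desc in iter_notes(body, 8 if elfclass == 64 else 4):
                if name == b"GNU" and ntype == NT_GNU_PROPERTY_TYPE_0:
                    flags = cet_flags(desc, elfclass)
        elif name_of(sh) == ".text":
            endbr = count_endbr(body)
    return elfclass, flags, endbr


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        cls, cet, (n32, n64) = inspect_elf(f.read())
    print(f"ELF{cls}: CET property {cet}, ENDBR32={n32}, ENDBR64={n64}")
```

The binutils equivalents are `readelf -n /usr/bin/sudo` (look for an IBT entry under the GNU property note) and `objdump -d /usr/bin/sudo | grep -c endbr32`. The property note only records what the toolchain asserted at link time; the ENDBR32 count is what matters on a CPU that faults on these opcodes. An i386 sudo rebuilt without -fcf-protection should show no IBT flag and zero ENDBR32, which is the check to run on a fixed bookworm package before installing it on such a machine.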
--- Begin Message ---
(Bcc'ing -devel for information)
Re: To [email protected]
> In #1113774, Marcos Del Sol Vives is asking the committee about the compiler
> flags used for sudo in bookworm on the i386 architecture. The sudo version
> there is enabling `-fcf-protection` when supported by the compiler:
>
> https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u2/m4/hardening.m4#L108-L114
>
> The problem is, that on his machine, a Vortex86DX3, the generated ENDBR
> instructions, which live in an opcode region declared as NOPs in earlier
> architecture specs, are not ignored, but raise exceptions and cause sudo to
> abort.
>
> There is a lot of evidence that Control-flow Enforcement Technology (CET or
> cf-protection) is only meant to be enabled on 64-bit binaries and is
> ineffective elsewhere:
> * https://docs.kernel.org/next/x86/shstk.html
> * https://lkml.org/lkml/2025/9/1/1704
>
> One part of the thread was discussing the usefulness of this feature even in
> 64-bit environments (the kernel only half-supports it in userland) which has
> led to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113864 being filed on
> dpkg-dev, but this is not relevant to the TC question. In fact, dpkg-dev is
> only emitting -fcf-protection on amd64 and not on i386. A large part of the
> thread assumed the default bookworm compiler flags had that problem, but it's
> actually upstream sudo adding -fcf-protection.
>
> Around the time of the discussion, upstream sudo included a change that limits
> -fcf-protection to x86_64: https://github.com/sudo-project/sudo/pull/468
>
> The question whether Vortex86DX3 is part of bookworm's i386 architecture baseline
> was raised. In https://lists.debian.org/debian-devel/2023/10/msg00120.html Ben
> Hutchings confirms that ENDBR32 should be ignored by i686-conformant
> processors, and that i686 is required for bookworm. (He corrects himself in the
> next mail saying this would apply to trixie only, but again corrects himself
> saying this applies to bookworm indeed.) This seems to indicate that
> Vortex86DX3 is not i686-conformant. The submitter claims the CPU is conformant,
> citing https://psc.informatik.uni-jena.de/hw/p-pro-3.pdf page 417 as saying
> ENDBR32 was "reserved".
>
> https://www.debian.org/releases/bookworm/i386/release-notes/ch-information.en.html#i386-is-i686
>
> Debian trixie bumps the compiler baseline for i386 such that this CPU is
> definitely no longer supported so this issue is solely about bookworm.
>
> The TL;DR summary of the problem is: in Debian bookworm, the sudo package is
> using -fcf-protection on i386 (where it should be a no-op), but this breaks
> sudo on this Vortex86DX3 CPU (that should ignore ENDBR32 but does not).
>
> The TC has been discussing the issue with all involved parties and Marc, the
> sudo maintainer, has agreed to accept advice, so we will just do that instead of
> overruling him.
>
> I am calling for votes on this ballot:
>
> [A] The TC advises the sudo maintainer to update the sudo package in bookworm
> such that on the i386 architecture, the `-fcf-protection` compiler flag is no
> longer used.
>
> [F] Further discussion.
With 6 votes in favor and none against, option A was accepted by the
committee.
Marc, do you need anything else from us?
Christoph
--- End Message ---