Hi James,

On Fri, Dec 05, 2025 at 12:38:59PM +0000, James Addison wrote:
> My reading of the thread is that fcf-protection=return can be
> security-effective on 32-bit x86 processors, has no effect on binary
> size, and does not introduce the compatibility issues that
> fcf-protection=branch does.

In order for -fcf-protection=return to provide any benefit, a shadow stack is required. That support has not trickled down yet. It is only since trixie that 64bit enables CONFIG_X86_USER_SHADOW_STACK, so no Debian i386 kernel ever enabled that. I also doubt that 32bit hardware supports this in any way.

> I think this is what Helmut was pointing out -- the two halves of the
> flag's behaviour.

My clarification was that we're disabling both features, but doing so is ok, because neither has any practical benefit on i386.

Helmut
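
An added example, not part of the message above or of any Debian tooling: the two halves of -fcf-protection are recorded in a binary as separate bits (IBT for branch, SHSTK for return) in its .note.gnu.property section, and this sketch reads them back from constructed note bytes. The helper names and the sample notes are assumptions made for illustration; the marking only declares that the binary is compatible, so it says nothing about whether the kernel or CPU enforces a shadow stack.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 0x1    # branch half: set by -fcf-protection=branch
FEATURE_1_SHSTK = 0x2  # return half: set by -fcf-protection=return


def _pad(n, align):
    return (n + align - 1) & ~(align - 1)


def make_note(bits, elf64=True):
    """Build a constructed sample note carrying the given feature bits."""
    align = 8 if elf64 else 4
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    prop += b"\0" * (_pad(len(prop), align) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def cet_markings(note, elf64=True):
    """Report which -fcf-protection halves a .note.gnu.property section declares."""
    align = 8 if elf64 else 4  # entries are padded to the ELF class word size
    found = {"ibt": False, "shstk": False}
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _pad(namesz, 4)
        desc = note[off:off + descsz]
        off += _pad(descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # some other note type; skip it
        pos = 0
        while pos + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            pos += 8
            data = desc[pos:pos + pr_datasz]
            pos += _pad(pr_datasz, align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) >= 4:
                bits = struct.unpack_from("<I", data)[0]
                found["ibt"] = bool(bits & FEATURE_1_IBT)
                found["shstk"] = bool(bits & FEATURE_1_SHSTK)
    return found


if __name__ == "__main__":
    print(cet_markings(make_note(FEATURE_1_SHSTK)))          # built with =return only
    print(cet_markings(make_note(0x3, elf64=False), False))  # both halves, 32-bit layout
```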

