Sorry, I forgot to this part of the docs:

Exec

On exec, shadow stack features are disabled by the kernel. At which point, 
userspace can choose to re-enable, or lock them.

---

  This kernel documentation is very confusing. I guess *this* is
the reason why programs must be compiled with this feature enabled?
I don't know why this feature can't be enabled via the kernel to be
inherited on exec, so that all programs can just have it on by
default, if you really want to.

  This is kind of annoying, and I don't understand why exactly it
is done this way, since it basically breaks compatibility with
NVIDIA, and other proprietary software that you can't directly
compile. Scratch my `systemd` suggestion, it isn't possible with
the current kernel. Programs will have to have this kernel feature
enabled by the program that's being executed *itself,* which is an
extremely odd implementation detail that makes no sense IMHO.

  The implementation of this feature overall seems to be a complete
mess, on both the kernel/GCC+LLVM side. I don't really understand
the point of the ELF loader flag, when userspace program loaders
can't even exec programs to have the feature enabled before a given
program's execution execution even begins. What were they
thinking??!?

  Is there some ABI thing that I'm missing here that would break
ordinary programs, if the feature was forced on without any
specific compiler flags?

-- Conclusion --

  I don't believe this should be enabled by default, since it might
break compatibility with any hardware over 5 years old. I don't
think enabling this by default on a separate "security-focused" ISO
would be a bad idea, however. In fact, I believe many users would
like the addition of security-focused ISOs to Fedora Workstation,
and Fedora Server, with a small set of changes that makes Fedora
far more secure, and might break compatibility for some users, who
prefer older hardware, or prefer to use their machines in a
less-secure manner.


Sent with Proton Mail secure email.

On Tuesday, July 14th, 2026 at 18:40, CS Sushi Man via devel 
<[email protected]> wrote:

> 
> 
> On Tuesday, July 14th, 2026 at 18:24, CS Sushi Man via devel 
> <[email protected]> wrote:
> 
> >   if (syscall(SYS_arch_prctl, ARCH_SHSTK_UNLOCK, feature) < 0)
> >   {
> >     fprintf(stderr, "Error (failed to unlock): %s.\n", strerror(errno));
> >     return 1;
> >   }
> 
>   If the code I sent doesn't work, try removing the if-block I
> quoted above. Linux might not like the prospect of non-root
> programs unlocking/locking this feature.
> 
>           - C. S. Sushi
> 
> 
> Sent with Proton Mail secure email.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to