XPost: linux.debian.bugs.dist 
 From: marcos@orca.pet 
  
 Package: dpkg-dev 
 Priority: wishlist 
  
 Hello everyone. 
  
 I have been instructed by Helmut Grohne from the technical commitee 
 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#126) 
 to open a bug here to ask for a change in the current hardening defaults 
 of Debian for sid and future stable releases. 
  
 Currently, on amd64 and i386 as of Trixie, packages are being built by 
 default with -fcf-protection=full. This results in shadow stacks and IBT 
 (branch tracking) being enabled on binaries. 
  
 The issue is that, right now, user-mode applications running in the Linux 
 kernel in 64-bit mode only support shadow stacks. IBT protection is only 
 supported in the kernel, thus compiling user-mode applications with IBT 
 enabled results simply in an increased code size (due to generated ENDBR 
 landing instructions), all while offering no security improvements. 
  
 This is stated in the kernel documentation 
 (https://docs.kernel.org/next/x86/shstk.html): 
  
 > Today in the 64-bit kernel, only userspace shadow stack and kernel IBT 
 > are supported. 
  
 32-bit applications (either in native 32-bit mode or running under a 64-bit 
 kernel) do not support neither shadow stacks nor IBT. 
  
 I have provided in https://bugs.debian.org/cgi-bin/bugreport. 
 cgi?bug=1113774#96 
 a very simple program alongside compilation instructions that proves this 
 being the case. 
  
 By changing the default from -fcf-protection=full to -fcf-protection=return 
 (which only enables shadow stacks), the users would still experience the 
 exact same protection as they have right now, while generating smaller 
 binaries. 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2)