Package: tech-ctte Severity: normal Currently "sudo" in Bookworm is broken on i686 for some i686-like processors such as a Vortex86DX3 I own and VIA processors others have (https://lists.debian.org/debian-devel/2023/10/msg00118.html), causing a SIGILL if you attempt to run on them.
The issue is that sudo in bookworm is compiled with "-fcf-protection=full", which causes binaries to contain ENDBR32 instructions. These are part of Indirect Branch Tracking, a mechanism introduced by Intel's CET meant to harden against exploits using return-oriented programming. END32s are part of a formely-reserved chunk of instructions called "hintable NOPs". These, to my knowledge, were only defined in US patent US5701442A but not on the software design manual, where they appeared as "reserved". Thus these processors do what in general reserved instructions should do - raise an exception. Disabling a security mechanism for these uncommon processors would be probably a bad idea, but the thing is that this mechanism is _not_ supported by the Linux kernel in user mode. Thus, the compilation with IBT just increases the size of the binaries at best, and prevents running the binary at worst. For user-mode, and only in 64-bit mode (but not on native 32-bit system, neither when running 32-bit applications on a 64-bit kernel), Linux uses another mechanism that does not require new instructions called shadow stacks. This is documented in the Kernel's own page about CET: https://docs.kernel.org/arch/x86/shstk.html#cet-background There it explicitely says that the protections are only available in 64-bit modes, and further analysis of the kernel's code I've done confirms that being the case: https://lore.kernel.org/all/[email protected]/ I've submitted a patch against upstream sudo that has been accepted (https://github.com/sudo-project/sudo/pull/468) that enables the compilation with -fcf-protection only for 64-bit mode, but the current sudo Debian maintainer has refused to accept a patch for "bookworm" that fixes this issue, being concerned that it could lower the overall security of the binary. As part of an effort to handle these ENDBR32s in the kernel and ignore them, H. Peter Anvin (a major x86 arch maintainer in the Linux kernel) confirmed that 32-bit user-mode applications do not gain any security from using ENDBR32, and that just disabling the IBT protection for them would be the best approach: https://lore.kernel.org/all/[email protected]/ Since bookworm is the last i686 release, I think it'd make sense to fix this issue. Greetings, Marcos
