Hi,
On 2025-09-06 06:50, Guillem Jover wrote:
> Someone would need to check which shared objects are still not marked,
> in a similar way as what Emanuele Rocca has been doing for arm64 (with
> its PAC and BTI counterparts).
On arm64, ELF files supporting what in Debian we call the "branch"
hardening features (PAC, BTI, GCS) are marked with a special ELF note.
$ readelf -n a.out | grep Properties
Properties: AArch64 feature: BTI, PAC, GCS
The checks mentioned by Guillem are based on that note. They are
performed daily on the whole archive, and the results are available
here: https://people.debian.org/~ema/pac-bti/
Is there a similar test that can be performed on x86 ELF files to find
out if fcf-protection is enabled properly?
Lintian currently has support for the following:
- hardening-no-fortify-functions
- harderning-no-relro
- hardening-no-bindnow
- hardening-no-pie
It would be great to add a "hardening-no-branch" check that works for
both architectures, if possible.
Thanks,
Emanuele
