Your message dated Mon, 11 Nov 2024 06:10:29 +0000
with message-id <e1tand7-00hwa1...@fasolo.debian.org>
and subject line Bug#1086695: fixed in linux 6.12~rc6-1~exp1
has caused the Debian Bug report #1086695,
regarding linux: Enable X86 userspace shadow stack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1086695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086695
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: linux
Version: 6.11.5-1
Severity: wishlist
Tags: patch
X-Debbugs-Cc: miguel.bernal.ma...@linux.intel.com, jair.gonza...@linux.intel.com
Dear Maintainer,
Please enable the "X86 userspace shadow stack" (X86_USER_SHADOW_STACK).
Shadow stack protection is a hardware feature that detects function
return address corruption. This helps mitigate ROP (Return-oriented
programming) attacks. Applications must be enabled to use it, and old
userspace does not get protection "for free".
Shadow stack works by maintaining a secondary (shadow) stack that cannot be
directly modified by applications. When executing a CALL instruction, the
processor pushes the return address to both the normal stack and to the special
permission shadow stack. Upon RET, the processor pops the shadow stack copy
and compares it to the normal stack copy. If the two differ, the processor
raises a control protection fault. This implementation supports shadow stack on
64 bit kernels only, with support for 32 bit only via IA32 emulation.
CPUs supporting shadow stacks were first released in 2020.
See https://docs.kernel.org/arch/x86/shstk.html for more information.
A MR was created with this proposal at:
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1253
Thanks,
Miguel Bernal Marin
--- End Message ---
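The report above points out that applications must opt in and that old userspace gets no protection "for free", so enabling the kernel option is only one of three things to verify. The following is an added example, not part of the bug report or the Debian packaging: a layered check of kernel config, CPU flag and per-process state. It relies on the `user_shstk` cpuinfo flag and the `x86_Thread_features` status lines described in the kernel documentation linked in the report; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): three-layer check for x86
# userspace shadow stack. Paths are arguments so it can run on sample files.

# Layer 1: was the kernel built with the option? $1 = kernel config file
kernel_has_shstk() {
    grep -qx 'CONFIG_X86_USER_SHADOW_STACK=y' "$1"
}

# Layer 2: does the kernel report the CPU feature? $1 = cpuinfo file
cpu_has_shstk() {
    awk -F: '/^flags/ { n = split($2, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "user_shstk") ok = 1
                        exit }
             END { exit !ok }' "$1"
}

# Layer 3: did this process opt in? $1 = /proc/PID/status file
# Prints "enabled+locked", "enabled" or "off".
proc_shstk_state() {
    awk '$1 == "x86_Thread_features:"        { for (i = 2; i <= NF; i++) if ($i == "shstk") on = 1 }
         $1 == "x86_Thread_features_locked:" { for (i = 2; i <= NF; i++) if ($i == "shstk") lk = 1 }
         END { print (on ? (lk ? "enabled+locked" : "enabled") : "off") }' "$1"
}

shstk_report() {   # $1 = config, $2 = cpuinfo, $3 = status
    kernel_has_shstk "$1" || { echo "kernel: X86_USER_SHADOW_STACK not set"; return 1; }
    cpu_has_shstk "$2"    || { echo "cpu: no user_shstk flag"; return 1; }
    echo "process: shadow stack $(proc_shstk_state "$3")"
}

# Constructed sample inputs (not captured from a real machine).
S=$(mktemp -d)
printf 'CONFIG_X86_64=y\nCONFIG_X86_USER_SHADOW_STACK=y\n' > "$S/config"
printf '# CONFIG_X86_USER_SHADOW_STACK is not set\n'         > "$S/config.off"
printf 'flags\t\t: fpu sse2 ibt user_shstk\n'               > "$S/cpuinfo"
printf 'flags\t\t: fpu sse2\n'                              > "$S/cpuinfo.old"
printf 'Name:\tnew\nx86_Thread_features:\tshstk\nx86_Thread_features_locked:\tshstk\n' > "$S/status.new"
printf 'Name:\told\nx86_Thread_features:\t\nx86_Thread_features_locked:\t\n'           > "$S/status.old"

shstk_report "$S/config" "$S/cpuinfo" "$S/status.new"   # opted-in binary
shstk_report "$S/config" "$S/cpuinfo" "$S/status.old"   # legacy binary: no protection
# On a live Debian system (assumed config location):
#   shstk_report "/boot/config-$(uname -r)" /proc/cpuinfo /proc/self/status
```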
--- Begin Message ---
Source: linux
Source-Version: 6.12~rc6-1~exp1
Done: Ben Hutchings <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <b...@debian.org> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Nov 2024 01:12:45 +0100
Source: linux
Architecture: source
Version: 6.12~rc6-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <b...@debian.org>
Closes: 1032671 1082906 1085600 1086335 1086695
Changes:
linux (6.12~rc6-1~exp1) experimental; urgency=medium
.
* New upstream release candidate
.
[ Ben Hutchings ]
* Update to 6.12-rc2:
- Drop patches applied upstream:
- "tools/rtla: Fix installation from out-of-tree build"
- Refresh patches:
- Update "Revert "tools build: Clean CFLAGS and LDFLAGS for fixdep"" and
"fixdep: Allow overriding HOSTCC and HOSTLD" to use $(SILENT_MAKE)
- Adjust context in "fanotify: Taint on use of
FANOTIFY_ACCESS_PERMISSIONS"
- Adjust context in "kbuild: Look for module.lds under arch directory
too"
- Adjust context in "Include package version along with kernel release in
stack traces"
- Adjust context in "arm64: add kernel config option to lock down when in
Secure Boot mode"
- Adjust context in "efi: Lock down the kernel if booted in secure boot
mode"
- Adjust context in "security,perf: Allow further restriction of
perf_event_open"
- Adjust context in "intel-iommu: Add option to exclude integrated GPU
only"
* [rt] Update to 6.12-rc1-rt2
* d/rules.d/certs: Add newly required include directory to CPPFLAGS
* libcpupower: Update symbols file for change in 6.12
* d/config: Update with the help of kconfigeditor2:
- i2c: Remove I2C_COMPAT
- input/touchscreen: Remove TOUCHSCREEN_MCS5000
- mm: Enable Z3FOLD_DEPRECATED instead of Z3FOLD
- [amd64] sound/soc/intel: Enable AVS drivers to replace old Skylake SoC
drivers:
+ Enable SND_SOC_INTEL_AVS_MACH_RT286 and
SND_SOC_INTEL_AVS_MACH_RT5514
+ Leave SND_SOC_INTEL_AVS_MACH_MAX98357A disabled until we know it's safe
+ Remove SND_SOC_INTEL_SKYLAKE, SND_SOC_INTEL_CML_LP,
SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC, SND_SOC_INTEL_SKL_*_MACH,
SND_SOC_INTEL_KBL_*_MACH
* drivers/usb/host: Enable XHCI_PCI_RENESAS on all architectures
.
[ Han Gao ]
* Enable DRM_XE for intel arc graphic card
.
[ Salvatore Bonaccorso ]
* mm: Do not enable Z3FOLD_DEPRECATED
* debian/patches: Correct misspelled filename extension for patch.
Thanks to Jing Luo (Closes: #1085600)
* [rt] Update to 6.12-rc4-rt6
.
[ Aurelien Jarno ]
* [arm64,armhf,riscv64,x86] Enable I2C_DESIGNWARE_CORE, now gating the other
I2C_DESIGNWARE options.
* [riscv64] Enable GPIO_DWAPB, PINCTRL_SOPHGO_CV1800B,
PINCTRL_SOPHGO_CV1812H, PINCTRL_SOPHGO_SG2000, PINCTRL_SOPHGO_SG2002,
SENSORS_SG2042_MCU, SPI_DESIGNWARE, SPI_DW_MMIO.
* [riscv64] Enable STAGING_MEDIA, VIDEO_CADENCE_CSI2RX, VIDEO_STARFIVE_CAMSS.
.
[ Uwe Kleine-König ]
* [arm64] Enable ARM64_VA_BITS_52
.
[ Ricardo Salveti ]
* [arm64] Enable Qualcomm CONFIG_SC_GCC and CONFIG_PINCTRL for 7280,
7280, 8180X and 8280XP as builtin
.
[ Sjoerd Simons ]
* [x86] Enable Intel IPU supported camera sensors (Closes: #1082906)
.
[ Matthias Geiger ]
* [x86] Enable CIO2 and IPU3 as modules (Closes: #1086335)
.
[ Luca Boccassi ]
* Enable new IPE LSM. For more information on how to write policies see:
https://docs.kernel.org/security/ipe.html
.
[ Cyril Brulebois ]
* [arm64] drivers/usb/host: Enable USB_XHCI_PCI_RENESAS as module
(Closes: #1032671)
.
[ Miguel Bernal Marin ]
* [amd64] arch/x86: Enable X86_USER_SHADOW_STACK
(X86 userspace shadow stack) (Closes: #1086695)
--- End Message ---