Source: glibc
Source-Version: 2.41-12
Severity: wishlist
Tags: security

Hi!

As it was brought up recently in #1113864, it seems like we are lacking support from glibc (and Linux) for full CET coverage on amd64. On the kernel side there seems to still be missing support for IBT, which means glibc cannot add support to enable it yet, although it has scaffolding for it (tunables and ELF markings, etc.). But at least both have support for shadow stacks.

I think it would be nice to enable CET support, via glibc's configure --enable-cet=permissive option on amd64, so that we can start to exercise this. AFAIUI --enable-cet might currently be too strict, and could refuse to load shared objects that have not yet been marked as supporting CET (shadow stacks and/or IBT), such as packages not using dpkg-buildflags, or projects with source in assembler that have not been marked with the appropriate section.

I think other distributions pass --enable-cet=permissive as well, and I think previously they were passing --enable-cet and had to either revert that due to breakage or switch to --enable-cet=permissive. Checking Fedora now, for example, I see this: <https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc.spec#_1412>

Thanks,
Guillem
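The "ELF markings" and "appropriate section" the report refers to are the GNU property note (.note.gnu.property, exposed at load time as a PT_GNU_PROPERTY segment) carrying a GNU_PROPERTY_X86_FEATURE_1_AND entry whose IBT and SHSTK bits say what the object was built for; a shared object without that entry is what a strict --enable-cet glibc would reject. The following is an added example, not glibc's, dpkg's or Debian's code, that parses that note from a constructed 32-byte buffer (the layout gcc and gas emit for -fcf-protection, constructed inline here) or from an ELF64 file given on the command line; it assumes a little-endian amd64 host and uses fallback constant definitions only where elf.h lacks them.

```c
/* Parse the CET marking (GNU_PROPERTY_X86_FEATURE_1_AND in .note.gnu.property /
 * PT_GNU_PROPERTY) that a CET-enabled glibc inspects when loading a shared
 * object. Added example, not glibc code. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef PT_GNU_PROPERTY               /* fallbacks for an older elf.h (psABI values) */
#define PT_GNU_PROPERTY 0x6474e553
#endif
#ifndef NT_GNU_PROPERTY_TYPE_0
#define NT_GNU_PROPERTY_TYPE_0 5
#endif
#ifndef GNU_PROPERTY_X86_FEATURE_1_AND
#define GNU_PROPERTY_X86_FEATURE_1_AND 0xc0000002
#define GNU_PROPERTY_X86_FEATURE_1_IBT 0x1
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2
#endif

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static size_t align8(size_t n) { return (n + 7) & ~(size_t)7; }

/* Walk an ELF64 note buffer (notes and properties are 8-byte aligned). Returns 1
 * and sets *features if an X86_FEATURE_1_AND property exists, 0 if the object
 * carries none (i.e. it is not CET-marked), -1 if the notes are malformed. */
int cet_features_from_note(const uint8_t *buf, size_t len, uint32_t *features)
{
    for (size_t off = 0; off + 12 <= len; ) {
        uint32_t namesz = rd32(buf + off), descsz = rd32(buf + off + 4);
        uint32_t type = rd32(buf + off + 8);
        size_t name = off + 12, desc = align8(name + namesz), end = desc + descsz;
        if (end > len) return -1;
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 && !memcmp(buf + name, "GNU", 4)) {
            for (size_t p = desc; p + 8 <= end; p += 8 + align8(rd32(buf + p + 4))) {
                uint32_t pr_type = rd32(buf + p), pr_datasz = rd32(buf + p + 4);
                if (p + 8 + pr_datasz > end) return -1;
                if (pr_type != GNU_PROPERTY_X86_FEATURE_1_AND) continue;
                if (pr_datasz != 4) return -1;   /* the psABI fixes this property at 4 bytes */
                *features = rd32(buf + p + 8);
                return 1;
            }
        }
        off = align8(end);
    }
    return 0;
}

/* Emit the 32-byte note gcc/gas produce for -fcf-protection: one
 * X86_FEATURE_1_AND property carrying the given bits. Returns bytes written. */
size_t build_cet_note(uint32_t bits, uint8_t out[32])
{
    uint32_t w[8] = { 4, 16, NT_GNU_PROPERTY_TYPE_0, 0,
                      GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits, 0 };
    memcpy(w + 3, "GNU", 4);  /* name "GNU\0" at offset 12; desc starts at 16 */
    memcpy(out, w, 32);
    return 32;
}

/* Read a file's PT_GNU_PROPERTY segment and parse it (little-endian ELF64 on a
 * little-endian host, as on amd64). -2 means an I/O or file-format error. */
int cet_features_from_file(const char *path, uint32_t *features)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; int rc = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    if (fread(&eh, sizeof eh, 1, f) != 1 || memcmp(eh.e_ident, ELFMAG, SELFMAG) ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) { fclose(f); return -2; }
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        if (fseek(f, (long)(eh.e_phoff + (uint64_t)i * eh.e_phentsize), SEEK_SET) ||
            fread(&ph, sizeof ph, 1, f) != 1) { rc = -2; break; }
        if (ph.p_type != PT_GNU_PROPERTY) continue;
        uint8_t *buf = malloc(ph.p_filesz);
        if (!buf || fseek(f, (long)ph.p_offset, SEEK_SET) ||
            fread(buf, 1, ph.p_filesz, f) != ph.p_filesz) { free(buf); rc = -2; break; }
        rc = cet_features_from_note(buf, ph.p_filesz, features);
        free(buf);
        break;
    }
    fclose(f);
    return rc;
}

/* Round-trip a constructed note through the parser: the parsed bits, or -1. */
long demo_roundtrip(uint32_t bits)
{
    uint8_t note[32]; uint32_t got = 0;
    size_t n = build_cet_note(bits, note);
    return cet_features_from_note(note, n, &got) == 1 ? (long)got : -1;
}

int main(int argc, char **argv)
{
    uint32_t bits = 0;
    int rc = argc > 1 ? cet_features_from_file(argv[1], &bits) : -2;
    if (rc == -2) { fprintf(stderr, "usage: %s <elf-object>\n", argv[0]); return 1; }
    if (rc == -1) { fputs("malformed property note\n", stderr); return 1; }
    if (rc == 0) { puts("no X86_FEATURE_1_AND property: object is not CET-marked"); return 0; }
    printf("IBT: %s, SHSTK: %s\n", bits & GNU_PROPERTY_X86_FEATURE_1_IBT ? "yes" : "no",
           bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK ? "yes" : "no");
    return 0;
}
```

Run it against a library (for example ./cetcheck /lib/x86_64-linux-gnu/libc.so.6) to see which bits the build left in the note; `readelf -n` on the same file shows the same information under "Properties: x86 feature: ...". Compiled C gets the note from gcc's -fcf-protection, but a hand-written assembler file that lacks the .note.gnu.property section contributes nothing, and the linker's AND semantics for this property then leave the final object unmarked, which is exactly the case the report says a strict --enable-cet build would refuse to load.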

