* Deepak Gupta: > How will they contribute to CFI bringup without having a CFI compiled > usersapce?
Build glibc themselves and then proceed one library at the time. >>Another use case would be running container images with CFI on a >>distribution kernel which supports pre-RVA23 hardware. > > Container image with CFI will have glibc and ld (and all other > userspace) also compiled with shadow stack instructions in it. As soon > as you take this container image to a pre-RVA23 hardware, you won't > even reach vDSO. It'll break much before that, unless kernel is taking > a trap on all sspush/sspopchk instructions in prologue/epilogue of > functions in userspace (glibc, ld, etc) The idea is that you can use a stock distribution kernel to run CFI images (potentially form a different distribution or version of the distribution). But maybe none of this really matters. How far out is CFI-checking hardware? Is it going to arrive much later than the RVA23 flag day that people are suggesting? Thanks, Florian
