Package: dpkg-dev
Followup-For: Bug #1021292
X-Debbugs-Cc: woo...@wookware.org, debian-de...@lists.debian.org
> We decided that the best thing to do was create a new hardening flags
> feature called 'branch' to add to the existing set. This enables
> -mbranch-protection=standard on arm64, and
> -fcf-protection on amd64

After reading various threads (such as this[1] Xen thread, and from there a related[2] Linux kernel thread) about fcf-protection:

Could we consider ensuring NOTRACK_EN=0 and -fno-jump-tables if-and-when making this change?

(I'm not sure yet, but the CET 'notrack' instruction seems unusual to me, and although I hope to find out and become convinced that it's safe and worthwhile, it seems like a potential loophole in the safety that CET could offer. My understanding is that it's intended to allow certain limited callsites to invoke functions that do not begin with branch-target (endbr64) instructions.)

[1] - https://lists.xenproject.org/archives/html/xen-devel/2022-03/msg00522.html
[2] - https://lkml.org/lkml/2022/3/7/1068
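The interaction between -fcf-protection and -fno-jump-tables raised in the followup above can be checked directly on a build machine. The script below is an added example, not part of the bug report or of dpkg-dev: it compiles a constructed dense switch (the h0..h7 callees are hypothetical externs chosen so GCC cannot reduce the switch to a constant lookup table) with -fcf-protection=full, once with the default jump-table lowering and once with -fno-jump-tables, and counts the 'notrack' prefixes GCC places on the indirect jmp that dispatches through the table. It assumes an x86-64 GCC new enough to accept -fcf-protection without -mcet (GCC 9 or later).

```shell
#!/bin/sh
# Added example (not from the bug report or dpkg-dev): show where GCC emits
# the CET 'notrack' prefix under -fcf-protection and that -fno-jump-tables
# removes it. Assumes an x86-64 GCC >= 9 on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: eight dense cases that tail-call distinct external
# functions (h0..h7 are hypothetical), so the switch cannot be turned into
# a value table and at -O2 is lowered to a jump table, i.e. an indirect jmp
# whose targets are case labels that carry no endbr64 landing pad.
cat > "$WORK/sw.c" <<'EOF'
int h0(int), h1(int), h2(int), h3(int), h4(int), h5(int), h6(int), h7(int);
int dispatch(int x)
{
    switch (x) {
    case 0: return h0(x);
    case 1: return h1(x);
    case 2: return h2(x);
    case 3: return h3(x);
    case 4: return h4(x);
    case 5: return h5(x);
    case 6: return h6(x);
    case 7: return h7(x);
    default: return -1;
    }
}
EOF

# compile_asm EXTRA_FLAGS... : emit the assembly for sw.c on stdout.
compile_asm() {
    gcc -O2 -fcf-protection=full "$@" -S -o - "$WORK/sw.c"
}

# count_notrack EXTRA_FLAGS... : number of 'notrack'-prefixed indirect jumps.
# grep -c exits 1 when the count is 0, which is a valid result here.
count_notrack() {
    compile_asm "$@" | grep -c 'notrack' || true
}

# count_endbr EXTRA_FLAGS... : number of endbr64 landing pads emitted
# (one per function entry in this file; case labels inside the table get none).
count_endbr() {
    compile_asm "$@" | grep -c 'endbr64' || true
}

echo "notrack prefixes, default lowering:   $(count_notrack)"
echo "notrack prefixes, -fno-jump-tables:   $(count_notrack -fno-jump-tables)"
echo "endbr64 landing pads, default lowering: $(count_endbr)"
```

With the default lowering the first count is non-zero: the table dispatch is a 'notrack jmp' precisely because its targets are not endbr64-marked, and that jmp only executes without a control-protection fault while NOTRACK_EN is set in the CET MSR. With -fno-jump-tables the switch becomes a compare-and-branch tree and the count drops to zero, which is what makes running with NOTRACK_EN=0 feasible for code built this way.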