Message-id: <[email protected]>
In-reply-to: <[email protected]>
References: <[email protected]>

Hello,
I encountered a similar sudo issue with Bookworm installed on a Vortex86DX3 CPU based embedded computer.
Vortex86 series chips are less known x86 CPUs, that are manufactured and are available on-the-market still today. Their type detection in Linux Kernel was implemented in 2021. They are 32-bit only and they are stated not to be fully i686 compatible CPUs.
See for example: https://www.icop.com.tw/news/858#!

I was able to make sudo (and visudo) executable working on this CPU, by recompiling the sudo-1.9.15p5 source code package on the target with manually removed "-fcf_protection" hardening option.

I did not yet met any other program in Bookworm's i386 release having similar "illegal instruction" issue. So, by using a recompiled sudo, Bookworm seems to work on Vortex86DX3.

Regards,
Laszlo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Yes, this is a known issue. This is because Bookworm only supports 32-bit CPUs that are fully Intel compatible. You will find that there are other binaries such as ffmpeg that fail with the same problem. (This is from memory. I have a similar system
that is "almost" Intel compatible, but cannot run Bookworm due to these issues.)

The fact that these processors are still sold today is interesting, though. A big part of the argument for limiting 32-bit support has to do with the assumption that they are all "very old" systems. So a NEW 32-bit processor might change that
discussion.

This is perhaps a better link for that, though, since it shows a product based on that CPU, rather than just a discussion about it:

https://icop.com.tw/product/VDX3-PITX#!

(Note: The site uses a self-signed certificate. Bleh.)

It doesn't list a price or availability, though, which suggests that it may NOT actually be sold any more.

Do you have an example of a site where these are available for purchase as new (not used or refurbished)?

--J

On Jun 8, 2024, at 02:25, Laszlo Merenyi <[email protected]> wrote:

Message-id: <[email protected]>
In-reply-to: <[email protected]>
References: <[email protected]>

Hello,
I encountered a similar sudo issue with Bookworm installed on a Vortex86DX3 CPU based embedded computer.
Vortex86 series chips are less known x86 CPUs, that are manufactured and are available on-the-market still today. Their type detection in Linux Kernel was implemented in 2021. They are 32-bit only and they are stated not to be fully i686 compatible

CPUs.

See for example: https://www.icop.com.tw/news/858#!

I was able to make sudo (and visudo) executable working on this CPU, by recompiling the sudo-1.9.15p5 source code package on the target with manually removed "-fcf_protection" hardening option.

I did not yet met any other program in Bookworm's i386 release having similar "illegal instruction" issue. So, by using a recompiled sudo, Bookworm seems to work on Vortex86DX3.

Regards,
Laszlo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 08 Jun 2024 07:25:49 +0000, Laszlo Merenyi
<[email protected]> wrote:

I was able to make sudo (and visudo) executable working on this CPU, by recompiling the sudo-1.9.15p5 source code package on the target with manually removed "-fcf_protection" hardening option.

I did not yet met any other program in Bookworm's i386 release having similar "illegal instruction" issue. So, by using a recompiled sudo, Bookworm seems to work on Vortex86DX3.

I am part of the sudo maintainer team in Debian. Sudo is a security
relevant software, and in the team we decided that it is more
important to have a maximally hardened binary than to run on hardware
that doesnt have official support.

I'd rather not weaken sudo security for all over supporting a tiny
part of the hardware base. Also, the bug is a toolchain topic in my
opinion, sudo is just a user of the problematic toolchain features.

I'm open for arguments though. Please also see #1043281 which has most
of the technical points there.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jun 9, 2024, at 03:02, Marc Haber <[email protected]> wrote:

On Sat, 08 Jun 2024 07:25:49 +0000, Laszlo Merenyi
<[email protected]> wrote:

I was able to make sudo (and visudo) executable working on this CPU, by recompiling the sudo-1.9.15p5 source code package on the target with manually removed "-fcf_protection" hardening option.

I did not yet met any other program in Bookworm's i386 release having similar "illegal instruction" issue. So, by using a recompiled sudo, Bookworm seems to work on Vortex86DX3.

I am part of the sudo maintainer team in Debian. Sudo is a security
relevant software, and in the team we decided that it is more
important to have a maximally hardened binary than to run on hardware
that doesnt have official support.

I'd rather not weaken sudo security for all over supporting a tiny
part of the hardware base. Also, the bug is a toolchain topic in my
opinion, sudo is just a user of the problematic toolchain features.

I'm open for arguments though. Please also see #1043281 which has most
of the technical points there.

That argument puts the cart before the horse. Changes to the 'sudo' package come later... maybe. (If this were a normal e-mail thread, I would change the subject line to make that clearer.)

The question right now is: Is this processor supported at all?

On the one hand it does not fit the description of currently supported 32-bit 686-class processors. It doesn't support the instruction that Intel backported into their processors after publishing the specs. (Which was a shady move, but one thing at a
time.)

On the other hand, the reasoning behind the decision to not support some of these processors was based on these processors being old, rare, off the market, etc. But this processor is still being sold, complete with motherboards for a number of
applications.

So given that these no longer fit the "old and busted" description, is Debian going to stick with the decision to not support them? Or is Debian going to continue to support this processor, since it is still apparently a viable product, enough that new
systems are using it?

Only after that issue is addressed does anyone need to worry about sudo. Depending on the answer, that is.

--J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jun 09, 2024 at 06:56:00AM -0500, rhys wrote:

The question right now is: Is this processor supported at all?

No.

So given that these no longer fit the "old and busted" description, is Debian going to stick with the decision to not support them?

I'm sure we will, yes, though I'm not in a position to decide that.

Or is Debian going to continue to support this processor, since it is still apparently a viable product, enough that new systems are using it?

Considering the plans for i386 I don't think it makes sense to even ask
this question?

Only after that issue is addressed does anyone need to worry about sudo. Depending on the answer, that is.

Yes, this indeed looks like one of those "why you don't support my CPU"
threads not specific to any software.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmZloVctFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh PjcP+gN3lNx8HR8MkcPZpiC64uzPHWnKesxuZOQwlYAkZA03N0OHRYp2iPbk88rT nal6IL0oanzmjChMftr1Z+ZQqPAlLA/cB7uXODk3LfOilQk/BArBttqHs89ySy+o StAipbro6d3qcXk+2jHpM2aRdmhvUICPXkkpkcLovd6KwN/e1xPTwm4cj5bUn8f6 RahRx1qVRHFEebajwlx1POZg3QRlhEz/8oLyeLBsKQVLPDw6lf7a+D2DsOdX/qkj /bVa4XByU5pp308xxljhVYWMSrD9zBSzqu6nTt53FlpuzngV2is+po6W1hLKQp/a WKPWDv6rY2eBKpa0MxV7cxBRL0CONP/g8zd8FhkvEQfIF3GEn+rgcEjlc9PWCFQc KbMl7Y0AHLM2j6BAgEnwKyW30VILYSnIJNcfGZEX1Zm2P7ypvAMlsv5D0QlB+eH8 eOWLQ8rs3eLCmKFoIXxz0w2LtfGu0bbScMe945L6XEz6/FBsUHznSzHyMa13nElU /la0I+o909dP11Y7cYep1ziB/YpMfnz55xpIoN6nUlGa2ka2fY4P3g8djVnj3dGZ 9rOcJKeawcHvrrYA0xSWmBLA8qfrzFKl6lK0vpEWmDAA6t7UJp4wG+e6cECaCQat HnVFANTr0s07WI78J8C5wR1lObI/5YYAv4rOXPP0HAfgwIBn
=n9+W
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

----_com.ninefolders.hd3.email_334700371689558_alt
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

Cgo+IE9yIGlzIERlYmlhbiBnb2luZyB0byBjb250aW51ZSB0byBzdXBwb3J0IHRoaXMgcHJvY2Vz c29yLCBzaW5jZSBpdCBpcyBzdGlsbCBhcHBhcmVudGx5IGEgdmlhYmxlIHByb2R1Y3QsIGVub3Vn aCB0aGF0IG5ldyBzeXN0ZW1zIGFyZSB1c2luZyBpdD8KQ29uc2lkZXJpbmcgdGhlIHBsYW5zIGZv ciBpMzg2IEkgZG9uJ3QgdGhpbmsgaXQgbWFrZXMgc2Vuc2UgdG8gZXZlbiBhc2sKdGhpcyBxdWVz dGlvbj8KCk9mIGNvdXJzZSBpdCBtYWtlcyBzZW5zZSB0byBhc2suIFRoZSBwbGFucyBhcmUgYmFz ZWQgb24gYSBmYXVsdHkgcHJlbWlzZSwgYXMgZXZpZGVuY2VkIGJ5IHRoaXMgcHJvZHVjdC4gVGhl cmVmb3JlLCBpdCBpcyB3aXNlIHRvIHJldmlzaXQgdGhlIGlzc3VlLsKgCgpCYXNlZCBvbiB0aGVz ZSBORVcgaTY4Ni1jbGFzcyBzeXN0ZW1zIGJlaW5nIGF2YWlsYWJsZSwgYXJlIHBlb3BsZSBtb3Jl IHdpbGxpbmcgdG8gc3BlbmQgdGhlIHRpbWUgdG8gc3VwcG9ydCB0aGVtLCBrbm93aW5nIHRoYXQg dGhlIGNvZGUgd2lsbCBiZSB1c2VkIG9uIGhhcmR3YXJlIHN0aWxsIHN1cHBvcnRlZCBieSBpdHMg bWFudWZhY3R1cmVyLCBzdGlsbCB1bmRlciB3YXJyYW50eSwgc3RpbGwgaW4gcHJvZHVjdGlvbiB1 c2UsIGV0Yy4/CgpUaGVzZSBzeXN0ZW1zIG5vIGxvbmdlciBmYWxsIHVuZGVyICJoYXNuJ3QgYmVl biBtYWRlIHNpbmNlIDIwMDQuIiBUaGVzZSBhcmUgTkVXIHN5c3RlbXMuwqA= ----_com.ninefolders.hd3.email_334700371689558_alt
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGh0bWw+PGJvZHk+PGRpdiBpZD0ibmluZV9ib2R5X24xOGZmZDQtNjM1ZmQiIGNsYXNzPSJuaW5l X2JvZHkgbWNlRWRpdGFibGUiIGRpcj0iYXV0byIgc3R5bGU9ImZvbnQtZmFtaWx5OiBDYWxpYnJp LCBBcmlhbCwgSGVsdmV0aWNhLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDEyLjBwdDsgbGluZS1o ZWlnaHQ6IDEuMzsgY29sb3I6ICMxZjQ5N2Q7Ij48ZGl2IGNsYXNzPSJuaW5lLXBnIiBkaXI9ImF1 dG8iPjxiciAvPjwvZGl2PjwvZGl2PjxkaXYgaWQ9InF1b3RlZF9ib2R5X24xOGZmZDQtNjM1ZmQi IGNsYXNzPSJxdW90ZWRfYm9keV9lZGl0b3IgbWNlRWRpdGFibGUiIGRpcj0iYXV0byI+PGRpdiBj bGFzcz0ibmluZS1wZyIgZGlyPSJhdXRvIj48ZGl2IGNsYXNzPSJuaW5lLXBnIiBkaXI9ImF1dG8i PjxiciAvPjwvZGl2PjxkaXYgY2xhc3M9Im5pbmUtcGciIGRpcj0iYXV0byI+Jmd0OyBPciBpcyBE ZWJpYW4gZ29pbmcgdG8gY29udGludWUgdG8gc3VwcG9ydCB0aGlzIHByb2Nlc3Nvciwgc2luY2Ug aXQgaXMgc3RpbGwgYXBwYXJlbnRseSBhIHZpYWJsZSBwcm9kdWN0LCBlbm91Z2ggdGhhdCBuZXcg c3lzdGVtcyBhcmUgdXNpbmcgaXQ/PC9kaXY+PGRpdiBjbGFzcz0ibmluZS1wZyIgZGlyPSJhdXRv Ij5Db25zaWRlcmluZyB0aGUgcGxhbnMgZm9yIGkzODYgSSBkb24ndCB0aGluayBpdCBtYWtlcyBz ZW5zZSB0byBldmVuIGFzazwvZGl2PjxkaXYgY2xhc3M9Im5pbmUtcGciIGRpcj0iYXV0byI+dGhp cyBxdWVzdGlvbj88L2Rpdj48ZGl2IGNsYXNzPSJuaW5lLXBnIiBkaXI9ImF1dG8iPjxiciAvPjwv ZGl2PjxkaXYgY2xhc3M9Im5pbmUtcGciIGRpcj0iYXV0byI+T2YgY291cnNlIGl0IG1ha2VzIHNl bnNlIHRvIGFzay4gVGhlIHBsYW5zIGFyZSBiYXNlZCBvbiBhIGZhdWx0eSBwcmVtaXNlLCBhcyBl dmlkZW5jZWQgYnkgdGhpcyBwcm9kdWN0LiBUaGVyZWZvcmUsIGl0IGlzIHdpc2UgdG8gcmV2aXNp dCB0aGUgaXNzdWUuwqA8L2Rpdj48ZGl2IGNsYXNzPSJuaW5lLXBnIiBkaXI9ImF1dG8iPjxiciAv PjwvZGl2PjxkaXYgY2xhc3M9Im5pbmUtcGciIGRpcj0iYXV0byI+QmFzZWQgb24gdGhlc2UgTkVX IGk2ODYtY2xhc3Mgc3lzdGVtcyBiZWluZyBhdmFpbGFibGUsIGFyZSBwZW9wbGUgbW9yZSB3aWxs aW5nIHRvIHNwZW5kIHRoZSB0aW1lIHRvIHN1cHBvcnQgdGhlbSwga25vd2luZyB0aGF0IHRoZSBj b2RlIHdpbGwgYmUgdXNlZCBvbiBoYXJkd2FyZSBzdGlsbCBzdXBwb3J0ZWQgYnkgaXRzIG1hbnVm YWN0dXJlciwgc3RpbGwgdW5kZXIgd2FycmFudHksIHN0aWxsIGluIHByb2R1Y3Rpb24gdXNlLCBl dGMuPzwvZGl2PjxkaXYgY2xhc3M9Im5pbmUtcGciIGRpcj0iYXV0byI+PGJyIC8+PC9kaXY+PGRp diBjbGFzcz0ibmluZS1wZyIgZGlyPSJhdXRvIj5UaGVzZSBzeXN0ZW1zIG5vIGxvbmdlciBmYWxs IHVuZGVyICJoYXNuJ3QgYmVlbiBtYWRlIHNpbmNlIDIwMDQuIiBUaGVzZSBhcmUgTkVXIHN5c3Rl bXMuwqA8L2Rpdj48L2Rpdj48L2Rpdj48L2JvZHk+PC9odG1sPg== ----_com.ninefolders.hd3.email_334700371689558_alt--

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 09 Jun 2024 20:39:27 -0500, [email protected] wrote:

Based on these NEW i686-class systems being available, are people more willing to spend the time to support them, knowing that the code will be used on hardware still supported by its manufacturer, still under warranty, still in production use, etc.?

It is not enough to be willing. It is necessary to actually do. I
think that once i686 (re)qualifies as release arch, it will be (again)
one.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------RNAM6gVRRAE0buM53JWpYmgl
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SGksDQoNCk9uIDA5LTA2LTIwMjQgMTo1NiBwLm0uLCByaHlzIHdyb3RlOg0KPiBTbyBnaXZl biB0aGF0IHRoZXNlIG5vIGxvbmdlciBmaXQgdGhlICJvbGQgYW5kIGJ1c3RlZCIgZGVzY3Jp cHRpb24sIGlzIERlYmlhbiBnb2luZyB0byBzdGljayB3aXRoIHRoZSBkZWNpc2lvbiB0byBu b3Qgc3VwcG9ydCB0aGVtPyAgT3IgaXMgRGViaWFuIGdvaW5nIHRvIGNvbnRpbnVlIHRvIHN1 cHBvcnQgdGhpcyBwcm9jZXNzb3IsIHNpbmNlIGl0IGlzIHN0aWxsIGFwcGFyZW50bHkgYSB2 aWFibGUgcHJvZHVjdCwgZW5vdWdoIHRoYXQgbmV3IHN5c3RlbXMgYXJlIHVzaW5nIGl0Pw0K DQpodHRwczovL2xpc3RzLmRlYmlhbi5vcmcvZGViaWFuLWRldmVsLWFubm91bmNlLzIwMjMv MTIvbXNnMDAwMDMuaHRtbCANCnN0aWxsIHN0YW5kcy4gRGViaWFuIGJhc2ljYWxseSBpc24n dCBnb2luZyB0byBzdXBwb3J0IGFueSBpMzg2IENQVSANCmFueW1vcmUgaW4gdGhlIHNlbnNl IHRoYXQgdGhlIFJlbGVhc2UgVGVhbSBnYXZlIHRoZSB0ZWFtcyB0aGUgd2lsZGNhcmQgDQp0 byBkcm9wIGtlcm5lbCwgaW5zdGFsbGVyIGFuZCBpbWFnZXMgc3VwcG9ydCBmb3IgaTM4NiAo SSBkb24ndCBoYXZlIHRoZSANCmRldGFpbHMgb2YgdGhlIGN1cnJlbnQgc3RhdHVzKS4NCg0K IiIiDQpGb2xsb3dpbmcgdGhhdCwgdGhlcmUgYXJlIHR3byByb3V0ZXMgaW50byBydW5uaW5n IGkzODY6DQoNCjEuIGFzIGEgbXVsdGktYXJjaCBvcHRpb24gb24gYW4gb3RoZXJ3aXNlIGFt ZDY0IHN5c3RlbQ0KMi4gYXMgYW4gaTM4NiBjaHJvb3Qgb24gYW5vdGhlciBhcmNoaXRlY3R1 cmUgc3lzdGVtDQoiIiINCg0KVGhhdCdzIHdoYXQgd2UgaW50ZW5kIHRvIGRvIGFzIERlYmlh bi4gSWYgeW91IHdhbnQgYW4gRGViaWFuIA0KYXJjaGl0ZWN0dXJlIHRvIGtlZXAgRGViaWFu IHJ1bm5pbmcgb24gaTM4NiBDUFUncywgeW91IGNhbiBjcmVhdGUgYSANCnBvcnQuIEJ1dCB1 bmxlc3MgeW91IGZpbmQgZW5vdWdoIHZvbHVudGVlcnMsIEknbSBhIGJpdCBza2VwdGljYWwg eW91J2xsIA0Kc3VjY2VlZC4gVGhlcmUgYXJlIGVub3VnaCBwcm9ibGVtcyB0byBjb3Zlciwg b2Ygd2hpY2ggdXBzdHJlYW0ga2VybmVsIA0Kc3VwcG9ydCBhbmQgdGhlIDMyIGJpdCBtZW1v cnkgYnVpbGQgcHJvYmxlbSBhcmUgb24gdGhlIHRvcCBvZiBteSBtaW5kLg0KDQpQYXVsDQo=


--------------RNAM6gVRRAE0buM53JWpYmgl--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmZorWoFAwAAAAAACgkQnFyZ6wW9dQor lQf/c67oTe8x9HLxKy7Radge6xOrj0G7B/OnesExAL/QHrONsuCETwVICvQN6WESD736HbTxLx5f 1QzBerlPEhU2kGi98k9pINKR17KWNoHh6+TEdJLyUG4Yst3cb9UVwPv5GuhVtDeLyO45BE3A+euV 5QdDy/bLdTsDVKr1AD36FZErIuMbuhBHt0JuzFLf56i9udx0gnxHyYjM7I4SOf0etFyKdMdjpGlB 1rh1osmcej8oTBsIiWWw3It5k8/sdIgSiPFdNnbEcp5OJ0/BXgIwY3cG11vlqd19TMjymoG09zDB aCADSlDMoM2i0RgOLHbUNtnLm9qcKXUrY8T+pcXYVg==
=ikEc
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)