* Deepak Gupta:
How will they contribute to CFI bringup without having a CFI-compiled userspace?
Build glibc themselves and then proceed one library at a time.
Another use case would be running container images with CFI on a distribution kernel which supports pre-RVA23 hardware.
Container image with CFI will have glibc and ld (and all other userspace) also compiled with shadow stack instructions in it. As soon as you take this container image to pre-RVA23 hardware, you won't even reach vDSO. It'll break much before that, unless the kernel is taking a trap on all sspush/sspopchk instructions in the prologue/epilogue of functions in userspace (glibc, ld, etc.).
The idea is that you can use a stock distribution kernel to run CFI images (potentially from a different distribution or version of the distribution).
But maybe none of this really matters. How far out is CFI-checking hardware? Is it going to arrive much later than the RVA23 flag day that people are suggesting?
Thanks, Florian