I want full Cross-DSO CFI support in HardenedBSD 15-STABLE. FreeBSD
14-CURRENT is about to become 14-STABLE soon-ish, thus flipping the
main development branch to 15-CURRENT.

I think I want to merge my current Cross-DSO CFI work into 15-CURRENT
shortly after FreeBSD promotes -CURRENT to 15.

So, we would have Cross-DSO CFI enabled in base in 15-CURRENT.
14-STABLE and 13-STABLE would follow the current limit of applying CFI
to applications only.

Problem: Ports and packages. Of the 34,000+ packages, fewer than a few
thousand build with a Cross-DSO CFI world. The 15-CURRENT package
repo would be (mostly) useless until a significant number of ports are

Does the community have any thoughts? Should we push the envelope and
enable Cross-DSO CFI for 15-CURRENT? Or should we be conservative and
only merge Cross-DSO CFI when a sufficient number of ports
successfully build into packages?

Perhaps pushing the envelope will encourage more community

I value your input. If you have any thoughts to share, please do.

Cofounder / Security Engineer