Intel Submits Long-Awaited Shadow Stack Support For Linux 6.4
  • Intel Submits Long-Awaited Shadow Stack Support For Linux 6.4

    Phoronix: Intel Submits Long-Awaited Shadow Stack Support For Linux 6.4

    While Intel Shadow Stack support has been around since Tiger Lake CPUs as part of Intel's Control-flow Enforcement Technology (CET), finally for the Linux 6.4 kernel is this security feature being enabled with the mainline Linux kernel...


  • #2
    The words "Intel" and "security" used together send cold shivers down my spine.

    Comment


    • #3
      Does this protect only the kernel or also user space applications?

      Comment


      • #4
        Originally posted by MadWatch View Post
        Does this protect only the kernel or also user space applications?
        I believe it is intended to be active at all times, as it has separate shadows for each, iirc. What I want to see is the final performance hit.

        Comment


        • #5
          Originally posted by MadWatch View Post
          Does this protect only the kernel or also user space applications?
          This specifically is for protecting userspace applications. Note that another part of CET called IBT is already in use by the kernel today (it got added around 5.19) for kernel-side protection (assuming you select the Kconfig for it, but I suspect all distros do that by now).

          Comment


          • #6
            Originally posted by xorbe View Post
            I believe it is intended to be active at all times, as it has separate shadows for each, iirc. What I want to see is the final performance hit.
            Hopefully, negligible, since it should just be adding a second push to a different stack to CALL and a branch-predictable comparison to RET... both implemented in the CPU itself where it can be tuned for them.

            Comment
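The CALL/RET pairing described in #6, as a toy model in C added here (not code from the thread, from Intel, or from the kernel patches): a simulated data stack and shadow stack, a stack-smash that overwrites the saved return address, and the RET-time comparison that real CET hardware turns into a #CP (control-protection) fault. The names cpu_call, cpu_ret and run_demo and the sample addresses are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define DEPTH 16

typedef struct {
    uint64_t stack[DEPTH];   /* ordinary stack: return addresses mixed with data */
    uint64_t shadow[DEPTH];  /* shadow stack: return addresses only, CPU-managed */
    int sp, ssp;             /* stack pointer and shadow stack pointer */
} cpu_t;

/* CALL: the CPU pushes the return address onto both stacks. */
static void cpu_call(cpu_t *c, uint64_t ret_addr)
{
    c->stack[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
}

/* RET: pop both copies and compare. On real hardware a mismatch raises
 * #CP (control-protection exception) instead of transferring control. */
int cpu_ret(cpu_t *c, uint64_t *target)
{
    if (c->sp == 0 || c->ssp == 0)
        return -1;                       /* underflow, also a fault */
    uint64_t from_stack = c->stack[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow)
        return -2;                       /* #CP: return address was tampered with */
    *target = from_stack;
    return 0;
}

/* Two nested calls; optionally overwrite the innermost saved return address
 * the way a stack buffer overflow would. Returns the innermost RET's status. */
int run_demo(int corrupt)
{
    cpu_t c = {0};
    uint64_t target;
    cpu_call(&c, 0x401000);              /* constructed return addresses */
    cpu_call(&c, 0x401050);
    if (corrupt)
        c.stack[c.sp - 1] = 0xdeadbeef;  /* only the data stack is writable */
    return cpu_ret(&c, &target);         /* 0 if clean, -2 if shadow disagrees */
}

int main(void)
{
    printf("clean RET: %d, corrupted RET: %d\n", run_demo(0), run_demo(1));
    return 0;
}
```

The comparison costs one extra push on CALL and one compare on RET, which is the small, hardware-tuned overhead #6 is hoping for.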
