Intel CET Support Still Getting Squared Away For Linux In 2020
Various open-source patches have gone back to at least 2017 for enabling Intel's Control-Flow Enforcement Technology (CET) in the Linux kernel and related components. CET is the Intel hardware feature for helping prevent ROP and COP/JOP style attacks via indirect branch tracking and a shadow stack. Recently there has been a fair amount of CET improvement across the various open-source components.
CET support has been around since GCC 8, Binutils 2.32, and Glibc 2.28, while as of writing the mainline kernel has only added the CET instructions to the opcode map; the actual CET kernel support has not been mainlined.
That could hopefully change soon: a few weeks ago the v10 patches for control-flow enforcement, enabling the shadow stack, were sent out. Those kernel patches are still in flux, though, so they might not be mainlined even for the upcoming Linux 5.8 kernel.
Outside of the kernel, GCC 11 now defaults the CET run-time support to auto for the compiler-side bits, which is important for seeing CET support available by default on more systems.
There have also been other CET improvements for GCC 11 in recent days, such as enabling cross-compiler support when possible, enabling it in libbacktrace, and other CET enabling work.
GCC 11 with the latest Control-Flow Enforcement Technology bits won't be out as stable until around this time next year, but before then we will hopefully see a Linux kernel release with all the CET bits in place.
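As an added example (not code from the article or from the GCC, binutils or kernel projects it covers), the following Python parses the GNU property note that a CET-enabled toolchain writes into a binary, which is how a practitioner confirms that a build actually carries the IBT and SHSTK markers the loader and kernel will honour. The constants come from the x86-64 psABI and the ELF64 layout; the sample note is constructed inline.

```python
import struct

# Values from the ELF gABI / x86-64 psABI (assumed from the specs, not from the article)
NT_GNU_PROPERTY_TYPE_0 = 5
PT_GNU_PROPERTY = 0x6474E553
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def cet_features(note_section):
    """Walk the notes of a .note.gnu.property section (ELF64, little-endian)
    and report whether the IBT and SHSTK bits are set."""
    ibt = shstk = False
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from('<III', note_section, off)
        name = note_section[off + 12:off + 12 + namesz]
        desc_off = _align(off + 12 + namesz, 8)   # ELF64 property notes use 8-byte alignment
        if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b'GNU\0':
            desc = note_section[desc_off:desc_off + descsz]
            p = 0
            while p + 8 <= len(desc):
                pr_type, pr_datasz = struct.unpack_from('<II', desc, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    bits, = struct.unpack_from('<I', desc, p + 8)
                    ibt = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
                    shstk = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
                p = _align(p + 8 + pr_datasz, 8)
        off = _align(desc_off + descsz, 8)
    return {'ibt': ibt, 'shstk': shstk}


def property_note_from_elf64(data):
    """Return the bytes of the PT_GNU_PROPERTY segment of a little-endian ELF64 image,
    or b'' if the binary carries no property note at all."""
    phoff, = struct.unpack_from('<Q', data, 0x20)
    phentsize, phnum = struct.unpack_from('<HH', data, 0x36)
    for i in range(phnum):
        p_type, _fl, p_off, _va, _pa, p_filesz = struct.unpack_from('<IIQQQQ', data, phoff + i * phentsize)
        if p_type == PT_GNU_PROPERTY:
            return data[p_off:p_off + p_filesz]
    return b''


def build_property_note(feature_bits):
    """Construct a .note.gnu.property blob of the shape the linker emits (sample input)."""
    desc = struct.pack('<III', GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits) + b'\0' * 4
    return struct.pack('<III', 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b'GNU\0' + desc
```

On a real binary, `cet_features(property_note_from_elf64(open(path, 'rb').read()))` gives the same answer as `readelf -n` showing `x86 feature: IBT, SHSTK`; an empty result means the object was not built with CET and will silently run without the protection.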