Intel Tidies Up CET While Waiting For It To Land In The Linux Kernel
Intel's SGX enclave support patches for the Linux kernel have been through 40+ rounds of review at this point over the past many months as Intel tries to get that security feature into the mainline Linux kernel. But SGX isn't the only Intel security feature with a long road to mainline: Control-flow Enforcement Technology (CET) is in a similar boat.
Intel Control-Flow Enforcement Technology aims to prevent ROP and COP/JOP style attacks through two mechanisms: indirect branch tracking (IBT), which requires every indirect call or jump to land on an ENDBR instruction, and a hardware shadow stack (SHSTK), which keeps a protected copy of return addresses and faults when a return pops an address that does not match. Linux patches for the kernel and compilers have been in the works for years and the CET hardware support debuted recently with Tiger Lake processors.
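The practical question for a sysadmin is whether a given binary was actually built for CET, since the hardware only enforces IBT and the shadow stack for programs that opt in through the GNU property note the linker emits (the same note readelf -n reports as "x86 feature: IBT, SHSTK"). The following C program, an added example that is not code from the article or from the kernel patches, parses the raw contents of a .note.gnu.property section and reports the CET feature bits, plus a helper that recognises the ENDBR64 opcode bytes IBT expects at an indirect branch target. The two note buffers are constructed by hand for the example; the constant values are the real ones from the x86-64 psABI and binutils.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real constants from the x86-64 psABI / binutils elf/common.h. */
#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  (1u << 1)

/* Unaligned little-endian read; ELF notes for x86 are little-endian. */
static uint32_t rd32(const unsigned char *p) {
    uint32_t v;
    memcpy(&v, p, 4);
    return v;
}

/* Parse raw .note.gnu.property bytes (64-bit ELF layout: 4-byte namesz,
 * descsz, type; name and desc each padded to 4 bytes; each property entry
 * inside desc is pr_type, pr_datasz, data padded to 8 bytes).
 * Returns the GNU_PROPERTY_X86_FEATURE_1_AND mask, or 0 if the note is
 * absent, malformed or truncated. */
uint32_t cet_features_from_note(const unsigned char *note, size_t len) {
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(note + off);
        uint32_t descsz = rd32(note + off + 4);
        uint32_t type   = rd32(note + off + 8);
        size_t name_off = off + 12;
        size_t desc_off = name_off + ((namesz + 3) & ~3u);
        size_t next     = desc_off + ((descsz + 3) & ~3u);
        if (next > len)
            return 0;                       /* truncated note: treat as no CET */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(note + name_off, "GNU", 4) == 0) {
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {
                uint32_t pr_type = rd32(note + p);
                uint32_t pr_datasz = rd32(note + p + 4);
                size_t data = p + 8;
                if (data + pr_datasz > end)
                    return 0;               /* property runs past descriptor */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return rd32(note + data);
                p = data + ((pr_datasz + 7) & ~7u);
            }
        }
        off = next;
    }
    return 0;
}

/* ENDBR64 encodes as F3 0F 1E FA (a NOP on pre-CET CPUs); with IBT enabled
 * an indirect call/jmp that does not land on it raises a #CP fault. */
int is_endbr64(const unsigned char *insn) {
    static const unsigned char endbr64[4] = {0xf3, 0x0f, 0x1e, 0xfa};
    return memcmp(insn, endbr64, 4) == 0;
}

/* Constructed sample: one property, IBT|SHSTK (what -fcf-protection=full
 * produces when every input object carries both bits). */
const unsigned char sample_cet_note[32] = {
    4, 0, 0, 0,          /* namesz */
    16, 0, 0, 0,         /* descsz */
    5, 0, 0, 0,          /* NT_GNU_PROPERTY_TYPE_0 */
    'G', 'N', 'U', 0,    /* name */
    0x02, 0x00, 0x00, 0xc0, /* GNU_PROPERTY_X86_FEATURE_1_AND */
    4, 0, 0, 0,          /* pr_datasz */
    3, 0, 0, 0,          /* IBT | SHSTK */
    0, 0, 0, 0,          /* pad to 8 */
};

/* Constructed sample: IBT only, as a shared library linked with one
 * non-shadow-stack object would end up (the AND semantics drop SHSTK). */
const unsigned char sample_ibt_only_note[32] = {
    4, 0, 0, 0, 16, 0, 0, 0, 5, 0, 0, 0, 'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0, 4, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
};

int main(void) {
    uint32_t f = cet_features_from_note(sample_cet_note, sizeof sample_cet_note);
    printf("x86 feature: %s%s\n",
           (f & GNU_PROPERTY_X86_FEATURE_1_IBT) ? "IBT " : "",
           (f & GNU_PROPERTY_X86_FEATURE_1_SHSTK) ? "SHSTK" : "");
    return 0;
}
```

On a real binary the same bytes come from `readelf -x .note.gnu.property ./prog` (or `objcopy -O binary --only-section=.note.gnu.property`), and a disassembly of any function should start with endbr64 if the object was compiled with -fcf-protection. Because the property uses AND semantics across all linked objects, one CET-unaware object or library is enough to clear a bit for the whole program, which is the usual reason a "CET-enabled" distribution binary turns out not to be.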
While this has been in the works for a while and is now through fifteen rounds of review, it hasn't yet been merged for mainline. Some Linux distributions, though, are carrying the Intel CET patches in their distribution kernels.
Intel's Yu-cheng Yu last week sent out the v15 patches for enabling the CET shadow stack in the Linux kernel to provide application-level protections.
"I have run tests on these patches for quite some time, and they have been very stable. Linux distributions with CET are available now, and Intel processors with CET are becoming available. It would be nice if CET support can be accepted into the kernel. I will be working to address any issues should they come up," Yu wrote with these latest patches.
The v15 patches are re-based against the Linux 5.10 Git state and carry other small changes. The patches have been sitting on the mailing list for a week now without any comment, so at this stage it's unclear whether the CET support will get picked up for the Linux 5.11 merge window taking place in a few weeks.
There seemingly isn't too much interest in CET when the likes of the Clang compiler have their own control-flow integrity options without requiring any specialized hardware support. Google, for instance, has been using Clang CFI on Android for several years. Other compiler-based defenses also exist. Thus it could end up a case similar to the short-lived Intel MPX support, but we'll keep monitoring and see how the CET Linux kernel patches play out for mainline.