Another Round Of Intel CET Patches, Still Working Toward Linux Kernel Integration
Intel Tiger Lake SoCs with CET support have been available now for about one year and Intel CET work for Linux goes back to 2017. Intel Control-Flow Enforcement Technology aims to prevent ROP and COP/JOP style attacks through indirect branch tracking and a shadow stack. The compiler-side CET patches quickly landed but the Linux kernel support for this security feature has long been ongoing and as of yesterday is up to its 29th round of review.
On Friday the 29th round of the CET shadow stack patches and CET indirect branch tracking patches were posted.
The 32 Linux patches for the CET shadow stack support saw most of the changes with various low-level code improvements and tweaks plus re-basing against the latest upstream kernel state. The ten patches for the CET indirect branch tracking were just re-basing the patches against the upstream kernel state.
Some Linux distributions and vendor kernels are already carrying the Intel CET patches in their out-of-tree form while we await to see if the patches are now deemed ready for mainline next cycle or will still require more rounds of review... Hopefully it's not like Intel SGX that took 40+ rounds of review before being ready for the mainline kernel.