Intel Working To Combine The Best Of CET + CFI Into "FineIBT"
Back in February, Intel researchers and engineers began the first security discussions about providing fine-grained Control-Flow Integrity (CFI) on top of Intel's Control-flow Enforcement Technology (CET). The CET patches themselves, meanwhile, have been a long time coming for the Linux kernel. CET hardware support debuted with Tiger Lake to help fend off possible ROP- and COP/JOP-style attacks. CFI support for the kernel saw initial upstream support in Linux 5.13 when building with Clang. With CFI, the compiler adds run-time checks to every indirect function call to ensure the target is a valid function with a valid static type. Intel's combination of these technologies is referred to as FineIBT; it allows for more restrictive policies than CET alone can provide and is said to be more effective against control-flow attacks.
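To make the policy difference concrete, here is an added software model (not Intel's FineIBT code or Clang's CFI instrumentation) comparing a coarse "any valid entry point" check with a fine-grained "entry point plus matching static type" check for one `int(int)` call site. The registry, type tags and function names are constructed for illustration; real implementations perform these checks in hardware and compiler-emitted code rather than a lookup loop.

```c
#include <stddef.h>
#include <stdio.h>
typedef void (*any_fn)(void);   /* generic function-pointer slot */
typedef int  (*int_fn)(int);    /* static type of the call site modelled here */
enum { TYPE_INT_INT = 0x11, TYPE_VOID_CSTR = 0x22 };  /* constructed type tags */
enum policy { COARSE, FINE };   /* entry-point check vs. entry point + type check */

static int  twice(int x)            { return 2 * x; }
static int  negate(int x)           { return -x; }
static void log_line(const char *s) { puts(s); }
static int  unlisted(int x)         { return x; }  /* stands for a non-entry address */
/* Constructed registry: each row is a valid indirect-branch entry point
 * (all the coarse policy checks) plus the tag for its static type. */
static const struct { any_fn addr; unsigned type; } registry[] = {
    { (any_fn)twice,    TYPE_INT_INT   },
    { (any_fn)negate,   TYPE_INT_INT   },
    { (any_fn)log_line, TYPE_VOID_CSTR },
};
#define N_ENTRIES (sizeof registry / sizeof registry[0])

/* 1 if policy p lets a call site expecting `expected` branch to `target`. */
int target_allowed(enum policy p, any_fn target, unsigned expected) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (registry[i].addr == target)
            return p == COARSE || registry[i].type == expected;
    return 0;   /* not a registered entry: refused by both policies */
}

/* Number of registered functions an int(int) call site may reach under p. */
size_t reachable(enum policy p) {
    size_t n = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        n += (size_t)target_allowed(p, registry[i].addr, TYPE_INT_INT);
    return n;
}

/* Fine-grained checked call: 0 and *out set on success, -1 if refused. */
int checked_call(any_fn target, int arg, int *out) {
    if (!target_allowed(FINE, target, TYPE_INT_INT))
        return -1;
    *out = ((int_fn)target)(arg);
    return 0;
}

int main(void) {
    int out = 0, refused = checked_call((any_fn)unlisted, 1, &out);
    printf("coarse=%zu fine=%zu refused=%d\n", reachable(COARSE), reachable(FINE), refused);
    return 0;
}
```

In this model the coarse policy leaves all three registered functions reachable from the call site, while the fine-grained policy narrows that to the two whose type matches.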
While CFI proponents have said using the compiler-based security feature only adds ~1% overhead, Intel researchers sum up Clang CFI as having 5~53% overhead. Intel meanwhile says their FineIBT solution has only 1~7% overhead. Those numbers are based on some custom micro-benchmarks they wrote for comparing these two solutions.
While we haven't heard much about FineIBT since the original proposal in February and their modified LLVM/Clang code hasn't been updated since March, it appears Intel is still pursuing this tech. The Linux Security Summit happening next month now has a presentation on it on its schedule.
So come the end of September we should be hearing about Intel's latest efforts around FineIBT for the Linux kernel and any new developments or plans for getting the support ironed out.