Intel Revs New Linux Patches Providing For Shadow Stacks For User-Space
For years Intel has been working on Linux patches to support its Control-Flow Enforcement Technology (CET), covering both Indirect Branch Tracking and Shadow Stack support. After many revisions over those years, they are now pursuing a new route and focusing just on the Shadow Stack user-space functionality.
The shadow stack functionality is focused on defending against return-oriented programming (ROP) attacks. The Shadow Stack keeps a separate copy of the return address pushed by each CALL; on a return (RET) the processor checks that the return address on the normal stack matches the copy on the Shadow Stack, and generates a fault if they differ.
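To make the CALL/RET check concrete, here is a small software model of that mechanism. This is an added illustration, not code from the Intel patch series or the Linux kernel: it keeps a normal stack and a shadow stack side by side, lets a simulated memory-safety bug overwrite a return address on the normal stack only, and shows the RET check refusing to return to the mismatched address (where real hardware would raise a control-protection fault). The addresses and the overwritten value are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of a hardware shadow stack (added illustration, not
 * the kernel's or Intel's code). Two parallel stacks: the "normal"
 * stack that CALL pushes the return address onto (and that buggy code
 * can overwrite), and the shadow stack holding an independent copy. */
#define STACK_DEPTH 64

typedef struct {
    uint64_t normal[STACK_DEPTH];  /* return addresses on the ordinary stack */
    uint64_t shadow[STACK_DEPTH];  /* hardware-maintained copies */
    int depth;
} cpu_model_t;

/* Outcomes of a RET in the model. */
enum { RET_OK = 0, RET_CONTROL_PROTECTION_FAULT = -1, RET_UNDERFLOW = -2 };

void cpu_init(cpu_model_t *cpu) { memset(cpu, 0, sizeof *cpu); }

/* CALL: push the return address onto both stacks. 0 on success, -1 on overflow. */
int model_call(cpu_model_t *cpu, uint64_t return_addr) {
    if (cpu->depth >= STACK_DEPTH) return -1;
    cpu->normal[cpu->depth] = return_addr;
    cpu->shadow[cpu->depth] = return_addr;
    cpu->depth++;
    return 0;
}

/* Simulate a memory-safety bug (e.g. a stack buffer overflow) that overwrites
 * the most recent return address on the normal stack. The shadow stack is
 * not writable by ordinary stores, so it is left untouched. */
int model_corrupt_top_return(cpu_model_t *cpu, uint64_t bogus_value) {
    if (cpu->depth == 0) return -1;
    cpu->normal[cpu->depth - 1] = bogus_value;
    return 0;
}

/* RET: pop from both stacks and compare. On a mismatch the real CPU raises a
 * control-protection fault instead of transferring control; the model reports
 * that as RET_CONTROL_PROTECTION_FAULT and does not write *target. */
int model_ret(cpu_model_t *cpu, uint64_t *target) {
    if (cpu->depth == 0) return RET_UNDERFLOW;
    cpu->depth--;
    uint64_t from_normal = cpu->normal[cpu->depth];
    uint64_t from_shadow = cpu->shadow[cpu->depth];
    if (from_normal != from_shadow) return RET_CONTROL_PROTECTION_FAULT;
    *target = from_normal;
    return RET_OK;
}

/* Nested call sequence whose innermost return address is overwritten.
 * Returns 1 if the model's RET check catches it, 0 otherwise. */
int demo_detects_corrupted_return(void) {
    cpu_model_t cpu;
    cpu_init(&cpu);
    model_call(&cpu, 0x401000);  /* constructed: main -> f return address */
    model_call(&cpu, 0x401080);  /* constructed: f -> g return address */
    model_corrupt_top_return(&cpu, 0x402222);  /* constructed overwrite value */
    uint64_t target = 0;
    return model_ret(&cpu, &target) == RET_CONTROL_PROTECTION_FAULT;
}

/* Same sequence with no corruption: both returns succeed and land on the
 * intended addresses, and a third RET reports an empty stack. */
int demo_clean_returns(void) {
    cpu_model_t cpu;
    cpu_init(&cpu);
    model_call(&cpu, 0x401000);
    model_call(&cpu, 0x401080);
    uint64_t t1 = 0, t2 = 0;
    if (model_ret(&cpu, &t1) != RET_OK || t1 != 0x401080) return 0;
    if (model_ret(&cpu, &t2) != RET_OK || t2 != 0x401000) return 0;
    return model_ret(&cpu, &t2) == RET_UNDERFLOW;
}

int main(void) {
    printf("corrupted return detected: %s\n",
           demo_detects_corrupted_return() ? "yes" : "no");
    printf("clean returns ok: %s\n", demo_clean_returns() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one in the paragraph above: the overwritten value never becomes a control-flow target, because the comparison against the shadow copy happens before the transfer. On real hardware the shadow stack pages are additionally protected from ordinary writes, which is why the model's corruption helper only touches the normal stack.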
Intel Shadow Stack support is back in the works for Linux.
Intel has supported CET going back to Tiger Lake systems with Indirect Branch Tracking as part of that for fighting off JOP/COP attacks too. While there have been IBT Linux patches worked on, moving forward Intel is focusing just on the Shadow Stack user-space support to get upstreamed for the mainline Linux kernel. That's the plan at least for the near-term with the IBT patches now taking a back-seat.
Intel's Rick Edgecombe noted in a new patch series on Sunday:
This is a slight reboot of the userspace CET series. I will be taking over the series from Yu-cheng. Per some internal recommendations, I’ve reset the version number and am calling it a new series. Hopefully, it doesn’t cause confusion.
The new plan is to upstream only userspace Shadow Stack support at this point. IBT can follow later, but for now I’ll focus solely on the most in-demand and widely available (with the feature on AMD CPUs now) part of CET.
So the series now stands at 35 patches proposing shadow stacks for user-space. The focus is on enhancing security with modern x86_64 processors, but Google is also looking at using shadow stacks to improve tracing with better performance and reliability.
The new patch series adds a new system call for shadow stack allocation, changes to ensure older binaries will not break, and more. While the latest AMD Ryzen 5000 series processors can support shadow stacks too, the current patches are specifically limited to Intel CPUs. The plan is to permit AMD CPU support for user-space shadow stacks once someone has tested it out -- hopefully that will happen prior to the patches being merged.
We'll see if this new Shadow Stacks for User-Space series gets picked up more quickly than the prior stalled CET patch series.