Intel CET Shadow Stack Support Set To Be Introduced With Linux 6.4

Written by Michael Larabel in Intel on 21 March 2023 at 01:00 PM EDT.
After being in development for years, Intel's shadow stack support is set to be merged for the upcoming Linux 6.4 cycle. The shadow stack support is part of Intel's Control-flow Enforcement Technology (CET) security functionality.

Last year, with Linux 5.18, Intel CET's Indirect Branch Tracking (IBT) was merged, while for Linux 6.4 this summer the other half of CET is landing: Shadow Stack. With this kernel support and a supporting Intel processor, Shadow Stack helps defend against return-oriented programming (ROP) attacks.

Intel Shadow Stack

Intel began working on the CET / Shadow Stack support years ago, and support worked its way into the GNU toolchain and related components, while it took some time for the kernel bits to be all squared away. Intel originally announced CET all the way back in 2016, but it wasn't until 11th Gen Tiger Lake that processors with Control-flow Enforcement Technology first appeared.

This Linux kernel support covers user-space shadow stacks. With Linux 6.4+ the new Kconfig option is X86_USER_SHADOW_STACK, and its help text sums it up as:
Shadow stack protection is a hardware feature that detects function return address corruption. This helps mitigate ROP attacks. Applications must be enabled to use it, and old userspace does not get protection "for free".
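To make that Kconfig description concrete, here is an added C simulation (not Intel's, the kernel's, or this article's code) of what the hardware does on CALL and RET: the return address is pushed on both the data stack and the shadow stack, and RET faults if the two copies differ. The addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

#define DEPTH 16
enum { RET_OK = 0, RET_CP_FAULT = 1 };
typedef struct {
    uintptr_t stack[DEPTH];   /* ordinary data stack: any store can write it */
    uintptr_t shadow[DEPTH];  /* shadow stack: only CALL/RET (hardware) touch it */
    int sp, ssp;
} cpu_t;
uintptr_t last_target; /* where the last successful RET transferred control */

/* CALL: hardware pushes the return address on both stacks. */
static void do_call(cpu_t *c, uintptr_t ret_addr) {
    c->stack[c->sp++]   = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
}

/* RET: pop both copies; a mismatch raises a control-protection fault (#CP). */
static int do_ret(cpu_t *c) {
    uintptr_t from_stack  = c->stack[--c->sp];
    uintptr_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow)
        return RET_CP_FAULT;
    last_target = from_stack;
    return RET_OK;
}

/* Models a stack-buffer overflow in the callee: the return slot on the data
 * stack is overwritten with a gadget address; the shadow copy is untouched. */
static void corrupt_return_slot(cpu_t *c, uintptr_t gadget) {
    c->stack[c->sp - 1] = gadget;
}
/* Returns RET_OK when control returns to the legitimate caller and
 * RET_CP_FAULT when the corrupted return address is caught. */
int run_scenario(int attacker_overwrites) {
    cpu_t c = {0};
    const uintptr_t legit_ret = 0x401234; /* constructed sample addresses */
    const uintptr_t gadget    = 0x40abcd;
    do_call(&c, legit_ret);
    if (attacker_overwrites)
        corrupt_return_slot(&c, gadget);
    return do_ret(&c);
}
int main(void) {
    printf("benign return: %s\n", run_scenario(0) == RET_OK ? "ok" : "#CP fault");
    printf("corrupted return: %s\n", run_scenario(1) == RET_OK ? "ok" : "#CP fault");
    return 0;
}
```

This is also why old binaries get no protection "for free": the shadow stack only helps once the process has been enabled for it, and on real hardware the kernel delivers the #CP as a fatal signal rather than letting the corrupted return proceed.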

As of yesterday the Intel Shadow Stack support is queued in TIP's x86/shstk branch. Now that it has made it to a TIP branch, barring any unforeseen issues it will be sent in for the Linux 6.4 kernel merge window, which opens around early May.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.