Intel Revs New Linux Patches Providing For Shadow Stacks For User-Space

Written by Michael Larabel in Intel on 31 January 2022 at 06:08 AM EST.
Intel has been working for years on Linux patches to support its Control-Flow Enforcement Technology (CET), covering both Indirect Branch Tracking (IBT) and Shadow Stack. After many revisions of that work, Intel is now pursuing a new route and focusing only on the user-space Shadow Stack functionality.

The shadow stack functionality is focused on defending against return-oriented programming (ROP) attacks. The Shadow Stack keeps a copy of the return address pushed by each CALL; on a return (RET) the processor compares the return address stored on the normal stack with the copy on the Shadow Stack and generates a fault if they do not match.
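The following is an added example, not code from the Intel patch series or the Linux kernel: a small software model of the CALL/RET check just described. The names (ss_machine, ss_call, ss_ret, ss_corrupt_top, the SS_* status values) and the return addresses are all constructed for the illustration; SS_FAULT stands in for the control-protection exception the hardware raises on a mismatch, and ss_corrupt_top only models the effect of a memory-safety bug overwriting a saved return address on the normal stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS_DEPTH 16

/* Outcome of a modelled RET. SS_FAULT stands in for the control-protection
 * exception (#CP) the processor raises when the two return addresses differ. */
typedef enum { SS_OK = 0, SS_FAULT = 1, SS_UNDERFLOW = 2 } ss_status;

/* Hypothetical model state: a normal stack that ordinary stores can overwrite,
 * and a shadow stack that only CALL/RET touch. */
typedef struct {
    uintptr_t stack[SS_DEPTH];
    uintptr_t shadow[SS_DEPTH];
    int sp;   /* entries on the normal stack */
    int ssp;  /* entries on the shadow stack */
} ss_machine;

void ss_init(ss_machine *m) { memset(m, 0, sizeof *m); }

/* CALL: the return address is pushed on the normal stack and a copy is pushed
 * on the shadow stack. Returns 0 on success, -1 if either stack is full. */
int ss_call(ss_machine *m, uintptr_t ret_addr) {
    if (m->sp >= SS_DEPTH || m->ssp >= SS_DEPTH) return -1;
    m->stack[m->sp++] = ret_addr;
    m->shadow[m->ssp++] = ret_addr;
    return 0;
}

/* Models a memory-safety bug (for example a stack buffer overflow) that
 * overwrites the saved return address on the normal stack. The shadow stack
 * is not writable by ordinary stores, so it keeps the original value. */
void ss_corrupt_top(ss_machine *m, uintptr_t new_addr) {
    if (m->sp > 0) m->stack[m->sp - 1] = new_addr;
}

/* RET: pop both stacks and compare. Control transfers only if they agree. */
ss_status ss_ret(ss_machine *m, uintptr_t *target) {
    if (m->sp == 0 || m->ssp == 0) return SS_UNDERFLOW;
    uintptr_t from_stack  = m->stack[--m->sp];
    uintptr_t from_shadow = m->shadow[--m->ssp];
    if (from_stack != from_shadow) return SS_FAULT;
    *target = from_stack;
    return SS_OK;
}

/* Scenario 1: nested calls and returns with an intact normal stack. */
ss_status scenario_clean(void) {
    ss_machine m; ss_init(&m);
    uintptr_t target = 0;
    ss_call(&m, 0x401000);               /* constructed return addresses */
    ss_call(&m, 0x401200);
    if (ss_ret(&m, &target) != SS_OK || target != 0x401200) return SS_FAULT;
    if (ss_ret(&m, &target) != SS_OK || target != 0x401000) return SS_FAULT;
    return SS_OK;
}

/* Scenario 2: the saved return address is overwritten before RET. */
ss_status scenario_corrupted(void) {
    ss_machine m; ss_init(&m);
    uintptr_t target = 0;
    ss_call(&m, 0x401000);
    ss_corrupt_top(&m, 0xdeadbeef);      /* constructed bogus address */
    return ss_ret(&m, &target);          /* mismatch: SS_FAULT */
}

/* Scenario 3: RET with nothing on either stack. */
ss_status scenario_underflow(void) {
    ss_machine m; ss_init(&m);
    uintptr_t target = 0;
    return ss_ret(&m, &target);          /* SS_UNDERFLOW */
}

int main(void) {
    printf("clean run:     %s\n", scenario_clean() == SS_OK ? "returned normally" : "fault");
    printf("corrupted run: %s\n", scenario_corrupted() == SS_FAULT ? "#CP fault raised" : "no fault");
    return 0;
}
```

The point of the model is the asymmetry: the bug can reach the normal stack but not the shadow copy, so the RET-time comparison catches the overwritten address before control transfers to it.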

[Image] Intel Shadow Stack support is back in the works for Linux.

Intel has shipped CET since Tiger Lake, with Indirect Branch Tracking included to counter JOP/COP attacks as well. IBT Linux patches have also been worked on, but going forward Intel is concentrating on getting the Shadow Stack user-space support upstreamed into the mainline Linux kernel. That is the near-term plan at least, with the IBT patches now taking a back seat.

Intel's Rick Edgecombe noted in a new patch series on Sunday:
This is a slight reboot of the userspace CET series. I will be taking over the series from Yu-cheng. Per some internal recommendations, I’ve reset the version number and am calling it a new series. Hopefully, it doesn’t cause confusion.

The new plan is to upstream only userspace Shadow Stack support at this point. IBT can follow later, but for now I’ll focus solely on the most in-demand and widely available (with the feature on AMD CPUs now) part of CET.

So now there is a set of 35 patches being proposed for user-space shadow stacks. This is not only about enhancing security on modern x86_64 processors: Google is also looking at using shadow stacks to improve tracing with better performance and reliability.

The new patch series adds a new system call for shadow stack allocation, changes to ensure older binaries will not break, and more. While the latest AMD Ryzen 5000 series processors can support shadow stacks too, the current patches are specifically limited to Intel CPUs. The plan is to enable AMD CPU support for user-space shadow stacks once someone has tested it -- hopefully that will happen before the patches are merged.

We'll see if this new Shadow Stacks for User-Space series gets picked up more quickly than the prior stalled CET patch series.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.