
Re: Intel CET Support?

* Felix Potthast:

> I just stumbled upon the fact that Debian doesn't yet make use of the
> Intel CET security feature, while many other distributions
> (Ubuntu, Fedora, Suse, Arch Linux) do.

There's no kernel support for userspace CET, and it's been missing for
many years now.  The userspace ABI will change, but the hope is that a
glibc update is sufficient to enable it for those distributions that
are already built to spec.  Reportedly, Fedora mostly works with
custom kernels (not the Fedora kernel though; it follows mainline).
There's some hope that userspace CET lands in an upcoming 6.y kernel
upstream, with a low value for y, but we've been disappointed
countless times.

The most interesting part is probably the shadow stack and the
efficient backtrace generation it enables (the full call stack, not
just the last 32 or so frames, as with LBR; and even faster than
frame-pointer traversal).  This particular part of CET is already
available in AMD's Zen 3 CPUs, not just Intel's Tigerlake and later
