Re: Intel CET Support?

To: Felix Potthast <felix.potthast@student.uni-siegen.de>
Cc: <debian-devel@lists.debian.org>
Subject: Re: Intel CET Support?
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 10 Sep 2022 21:15:16 +0200
Message-id: <[🔎] 87czc32g8r.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 6b0a21364a8bd1ae1311836bb5ff5863f2982482.camel@student.uni-siegen.de> (Felix Potthast's message of "Mon, 5 Sep 2022 22:44:52 +0200")
References: <[🔎] 6b0a21364a8bd1ae1311836bb5ff5863f2982482.camel@student.uni-siegen.de>

* Felix Potthast:

> i just stumbled upon the fact that debian doesn't yet make use of the
> Intel CET security feature, while many other distributions
> (Ubuntu, Fedora, Suse, Arch Linux) do.

There's no kernel support for userspace CET, and it's been missing for
many years now.  The userspace ABi will change, but the hope is that a
glibc update is sufficient to enable it for those distributions that
are already built to spec.  Reportedly, Fedora mostly works with
custom kernels (not the Fedora kernel though; it follows mainline).
There's some hope that userspace CET lands in an upcoming 6.y kernel
upstream, with a low value for y, but we've been disappointed
countless times.

The most interesting part is probably the shadow stack and the
efficient backtrace generation it enables (the full call stack, not
just the last 32 or so frames, as with LBR; and even faster than
frame-pointer traversal).  This particular part of CET is already
available in AMD's Zen 3 CPUs, not just Intel's Tigerlake and later
CPUs.

Reply to:

References:
- Intel CET Support?
  - From: Felix Potthast <felix.potthast@student.uni-siegen.de>

Prev by Date: Bug#1019518: ITP: gitsign -- keyless git signing using sigstore
Next by Date: please coordinate using ITP bugreports
Previous by thread: Re: Intel CET Support?
Next by thread: Bug#1019237: ITP: thelounge -- Modern, responsive, cross-platform, self-hosted web IRC client
Index(es):
- Date
- Thread