Intel Submits Long-Awaited Shadow Stack Support For Linux 6.4

Written by Michael Larabel in Intel on 25 April 2023 at 11:33 AM EDT. 5 Comments
Intel Shadow Stack support has been available in hardware since the Tiger Lake CPUs as part of Intel's Control-flow Enforcement Technology (CET), but it is only now, with the Linux 6.4 kernel, that this security feature is being enabled in the mainline Linux kernel.

Intel Linux engineers have long been working on the shadow stack support as part of CET. The other part of CET, Indirect Branch Tracking, was upstreamed back in Linux 5.18.


The shadow stack support submitted for Linux 6.4 is user-space return address protection against return-oriented programming (ROP) attacks: with the feature enabled, the CPU keeps a second copy of every return address on a separate, hardware-protected shadow stack that ordinary stores cannot modify, and a RET whose return address on the regular stack no longer matches the shadow copy raises a control-protection fault instead of jumping to the attacker's gadget. The latest AMD CPUs also provide Shadow Stack functionality that is compatible with Intel's implementation.
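To make the mechanism concrete, here is an added example (not code from the article or from the kernel pull request) that models in plain C what the CPU does on CALL and RET once a shadow stack is active. The data stack holds locals and the saved return address, which a buffer overflow can overwrite; the shadow stack holds only return addresses and, like the real Write=0 shadow stack pages, is never touched by ordinary stores. On RET the two copies are compared and a mismatch stands in for the #CP fault the hardware would raise. All addresses and the attacker payload are constructed values.

```c
/* Added example, not code from the article or the kernel pull request: a
 * software model of CALL/RET with and without a shadow stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS  64
#define LOCAL_SLOTS  2              /* size of the victim's local buffer, in slots */
#define LEGIT_RETURN 0x401000ull    /* constructed: instruction after the CALL */
#define GADGET       0xdeadbeefull  /* constructed: attacker-chosen ROP gadget */

struct cpu {
    uint64_t data_stack[STACK_SLOTS];    /* ordinary stack, grows toward index 0 */
    int sp;
    uint64_t shadow_stack[STACK_SLOTS];  /* return addresses only */
    int ssp;
    int cp_fault;                        /* set when RET sees a mismatch */
};

static void cpu_init(struct cpu *c)
{
    memset(c, 0, sizeof *c);
    c->sp = STACK_SLOTS;
    c->ssp = STACK_SLOTS;
}

/* CALL: the return address is pushed on the data stack and, when shadow
 * stacks are enabled, on the shadow stack as well. */
static void model_call(struct cpu *c, uint64_t ret_addr, int shstk_enabled)
{
    c->data_stack[--c->sp] = ret_addr;
    if (shstk_enabled)
        c->shadow_stack[--c->ssp] = ret_addr;
}

/* RET: pop the data-stack copy; with shadow stacks enabled also pop the
 * shadow copy and compare. Returns the address control transfers to, or 0
 * with cp_fault set when the two disagree (the hardware's #CP fault). */
static uint64_t model_ret(struct cpu *c, int shstk_enabled)
{
    uint64_t from_data = c->data_stack[c->sp++];

    if (!shstk_enabled)
        return from_data;                 /* legacy: the data stack is trusted */

    uint64_t from_shadow = c->shadow_stack[c->ssp++];
    if (from_data != from_shadow) {
        c->cp_fault = 1;
        return 0;
    }
    return from_data;
}

/* Runs "CALL victim", lets victim copy an attacker payload into its local
 * buffer without a bounds check (overflow=1 copies one slot too many and
 * clobbers the saved return address), then executes victim's RET.
 * Returns where execution ends up: LEGIT_RETURN, GADGET if the hijack
 * succeeded, or 0 if the shadow stack caught it. */
uint64_t run_scenario(int shstk_enabled, int overflow)
{
    struct cpu c;
    cpu_init(&c);

    model_call(&c, LEGIT_RETURN, shstk_enabled);
    c.sp -= LOCAL_SLOTS;                  /* victim's prologue reserves its buffer */

    /* constructed payload: filler for the buffer, then the gadget address */
    uint64_t payload[LOCAL_SLOTS + 1] = {
        0x4141414141414141ull, 0x4141414141414141ull, GADGET
    };
    int nslots = overflow ? LOCAL_SLOTS + 1 : LOCAL_SLOTS;
    memcpy(&c.data_stack[c.sp], payload, nslots * sizeof payload[0]);

    c.sp += LOCAL_SLOTS;                  /* epilogue releases the buffer */
    return model_ret(&c, shstk_enabled);
}

int main(void)
{
    printf("no shstk, overflow : 0x%llx (gadget reached)\n",
           (unsigned long long)run_scenario(0, 1));
    printf("shstk,    overflow : 0x%llx (0 = #CP fault)\n",
           (unsigned long long)run_scenario(1, 1));
    printf("shstk,    benign   : 0x%llx\n",
           (unsigned long long)run_scenario(1, 0));
    return 0;
}
```

The point the model makes is that the overflow still happens with shadow stacks enabled; what changes is that the corrupted return address is never used, because the copy the attacker cannot reach disagrees with it. Real CET also enforces that the shadow stack pointer only moves via CALL, RET and a small set of privileged or explicitly enabled instructions, which the model leaves out.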

Longtime Intel Linux engineer Dave Hansen submitted the x86/shstk pull request on Monday for finally introducing this feature. He explained in that message:
Please pull x86/shstk for 6.4. This is the long-awaited Shadow Stack support. It is the most highly desired hardware security feature in a long time. Both AMD and Intel have (compatible) implementations. It has been present on the Intel side since the 11th-gen CPUs, but it had a few stumbles on the way and is a bit tardy.

The trickiest part of this whole thing (IMNHO) was that shadow stacks exist in a permission grey area. A shadow stack PTE literally says Write=0, but some instructions _can_ write to it. The PTEs also can't be read-only so they can't be COW'd. They are oddballs.

The Write=0,Dirty=1 PTE permissions also mean that the dirty bit can not be used as freely as before. Those two things combine to create a fair amount of PTE management churn.

A few more things you should know:

1. There is a non-trivial amount of core mm churn. It has acks from mm folks and I hope it's no surprise to Andrew. These add a VMA argument to pte_mkwrite(). There is a new user in Andrew's pile which will need to get fixed up before this gets merged with the mm tree.
2. There has been an unusual snarl of userspace compatibility issues with shadow stacks. While the move to new arch_prctl() values helped, we can still envision scenarios where this old code might bite us. The plan is to try to ban any problematic apps from using shadow stack if anything comes up in practice. We should obviously be on the lookout for these.
3. This conflicts with the LAM code which is coming in x86/mm. I'll discuss the resolution when I send x86/mm.
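
The PTE "grey area" Hansen describes, and the pte_mkwrite() VMA argument from item 1, are easier to see in a small model. The following is an added example written for this article, not kernel code: with CET enabled the hardware reads a present leaf PTE with Write=0 and Dirty=1 as a shadow stack page, so a kernel that write-protects a dirty page by simply clearing Write (the old copy-on-write path) creates one by accident. The fix modelled here parks the dirty bit in a software-available bit while Write is clear, and gives pte_mkwrite() the VMA so it knows whether to restore a normal writable page or to produce the shadow stack encoding on purpose. Bits 0 through 6 are the real x86 positions; using bit 58 for the saved-dirty bit is an assumption of this model, and all PTE values are constructed.

```c
/* Added example, not kernel code: a model of the Write=0,Dirty=1 PTE
 * problem and the "saved dirty" software bit that sidesteps it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT     (1ull << 0)
#define PTE_RW          (1ull << 1)
#define PTE_USER        (1ull << 2)
#define PTE_ACCESSED    (1ull << 5)
#define PTE_DIRTY       (1ull << 6)
#define PTE_SAVED_DIRTY (1ull << 58)   /* assumed software bit, ignored by hardware */

enum pte_kind { PTE_NOT_PRESENT, PTE_READ_ONLY, PTE_WRITABLE, PTE_SHADOW_STACK };

/* How a CET-enabled CPU classifies a leaf PTE. */
enum pte_kind hw_classify(uint64_t pte)
{
    if (!(pte & PTE_PRESENT))
        return PTE_NOT_PRESENT;
    if (pte & PTE_RW)
        return PTE_WRITABLE;
    return (pte & PTE_DIRTY) ? PTE_SHADOW_STACK : PTE_READ_ONLY;
}

/* Pre-shadow-stack behaviour: write protection just clears Write. On a dirty
 * page the result is Write=0,Dirty=1, a shadow stack page as far as the
 * hardware is concerned, even though the kernel meant "read-only for COW". */
uint64_t naive_wrprotect(uint64_t pte)
{
    return pte & ~PTE_RW;
}

/* Shadow-stack-aware write protection: if the page is dirty, move the dirty
 * bit out of the hardware position first so the encoding stays read-only. */
uint64_t aware_wrprotect(uint64_t pte)
{
    if (pte & PTE_DIRTY) {
        pte &= ~PTE_DIRTY;
        pte |= PTE_SAVED_DIRTY;
    }
    return pte & ~PTE_RW;
}

/* pte_mkwrite() with a VMA argument: a shadow stack VMA gets the deliberate
 * Write=0,Dirty=1 encoding; any other VMA gets Write=1 with the parked
 * dirty bit restored to its hardware position. */
uint64_t aware_mkwrite(uint64_t pte, bool vma_is_shadow_stack)
{
    if (vma_is_shadow_stack)
        return (pte & ~(PTE_RW | PTE_SAVED_DIRTY)) | PTE_DIRTY;
    if (pte & PTE_SAVED_DIRTY) {
        pte &= ~PTE_SAVED_DIRTY;
        pte |= PTE_DIRTY;
    }
    return pte | PTE_RW;
}

/* The kernel's idea of "dirty" now has to look at both positions, which is
 * the sense in which the dirty bit can no longer be used as freely. */
bool sw_dirty(uint64_t pte)
{
    return (pte & (PTE_DIRTY | PTE_SAVED_DIRTY)) != 0;
}

static const char *kind_name(enum pte_kind k)
{
    static const char *names[] = { "not present", "read-only", "writable", "shadow stack" };
    return names[k];
}

int main(void)
{
    uint64_t dirty_rw = PTE_PRESENT | PTE_USER | PTE_ACCESSED | PTE_RW | PTE_DIRTY;

    printf("naive wrprotect of dirty page -> %s\n",
           kind_name(hw_classify(naive_wrprotect(dirty_rw))));
    printf("aware wrprotect of dirty page -> %s (kernel still sees dirty: %d)\n",
           kind_name(hw_classify(aware_wrprotect(dirty_rw))),
           sw_dirty(aware_wrprotect(dirty_rw)));
    printf("mkwrite on shadow stack VMA   -> %s\n",
           kind_name(hw_classify(aware_mkwrite(PTE_PRESENT | PTE_USER | PTE_ACCESSED, true))));
    return 0;
}
```

The same two helpers also cover the shadow stack pages themselves: write-protecting one for fork parks its dirty bit and leaves a plain read-only PTE, and the later pte_mkwrite() on the shadow stack VMA rebuilds the Write=0,Dirty=1 encoding rather than a writable page, which is the part that could not be expressed without knowing the VMA.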

As of writing, Linus Torvalds has yet to pull the Shadow Stack support or comment on it on the mailing list. We will see whether Linus pulls this feature in for Linux 6.4 or has reservations given the caveats above. Hopefully this Intel/AMD security feature for fending off ROP attacks will finally be merged.