Intel's Linux Shadow Stack Patches Should Work Fine With AMD CPUs

Intel has for a while been posting Linux kernel patches for implementing Control Flow Enforcement (CET) technology, both for the Indirect Branch Tracking and Shadow Stack features. However, as written about earlier this week, Intel is focusing on the shadow stack support for user-space. The patches posted this past week by Intel for Linux Shadow Stack for User-Space support was limited to their own processors but fortunately it's appearing to be work out fine for AMD CPUs too.

The shadow stack functionality is about defending against return-oriented programming (ROP) attacks. The Shadow Stack keeps a copy of each CALL and upon a return (RET) will check the return address stored in the normal stack to verify it matches the contents of the Shadow Stack otherwise will generate a fault.

An Intel graphic on Shadow Stack as part of CET.

With the 35 patches posted this past week, the code was limited to being enabled with Intel CPUs given that is what Intel engineers have been obviously testing. But AMD Zen 3 processors also support the Shadow Stack functionality and as acknowledged in the Intel patches there was just a lack of being able to test these patches there.

This patch can hopefully be dropped now that there is AMD testing.

Fortunately, an AMD Linux engineer has been testing the CET Shadow Stack patches and commented that the patches appear to be running fine on AMD processors - including when testing a patched CET version of the GNU C Library and passing various reference tests.

So assuming no issues turn up moving forward, the CET Shadow Stack support once finally mainlined into the Linux kernel should work for both Intel and AMD CPUs as a security improvement.