Glibc Updated For Recent Linux CET Shadow Stack Support

With Linux 6.6, the mainline kernel finally landed support for Shadow Stack on Intel/AMD CPUs that was originally rolled out as part of Intel's Control-flow Enforcement Technology (CET) for better fending off ROP attacks. The GNU C Library "glibc" was recently updated with some changes around the CET / Shadow Stack support.

The latest Glibc development code has has now synced against the Shadow Stack interface found with Linux 6.6+ on x86_64. The work went on to enable Shadow Stack during startup:

"Previously, CET was enabled by kernel before passing control to user space and the startup code must disable CET if applications or shared libraries aren't CET enabled. Since the current kernel only supports shadow stack and won't enable shadow stack before passing control to user space, we need to enable shadow stack during startup if the application and all shared library are shadow stack enabled. There is no need to disable shadow stack at startup. Shadow stack can only be enabled in a function which will never return. Otherwise, shadow stack will underflow at the function return."

But then a follow-up patch makes it clear to not set CET active by default:

"Not all CET enabled applications and libraries have been properly tested in CET enabled environments. Some CET enabled applications or libraries will crash or misbehave when CET is enabled. Don't set CET active by default so that all applications and libraries will run normally regardless of whether CET is active or not. Shadow stack can be enabled by

$ export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK

at run-time if shadow stack can be enabled by kernel.

NB: This commit can be reverted if it is OK to enable CET by default for all applications and libraries."

These CET Shadow Stack additions for the GNU C Library will be part of the glibc 2.39 release due out roughly next month.