User:Deltachrome/CET

From Gentoo Wiki

Introduction

Control-flow integrity is a comprehensive set of techniques to mitigate exploits based on return-oriented programming (ROP). Recent generations of x86 CPUs support hardware extensions that allow the use of CFI with little to no performance penalty. While most mainstream distributions enable it by default, the setup on Gentoo can be a little tricky.

Overview

CFI for x86 CPUs was first introduced by Intel under the name "Intel Control-flow Enforcement Technology" (CET), but is supported by recent AMD processors as well. It is divided into two domains, namely the Shadow Stack (SS) and Indirect Branch Tracking (IBT). Even though it is possible to use these technologies independently, it is recommended to employ them in tandem for maximum effect.

Hardware Support

Both IBT and SS are supported since Intel's 11th generation (Tiger Lake) and AMD's Zen 3 architecture. On supported machines, the flags line in /proc/cpuinfo should contain ibt and user_shstk.

Kernel

Indirect Branch Tracking

Kernel support for IBT was merged for the 5.18 release.

KERNEL CONFIG_X86_KERNEL_IBT
Processor type and features  --->
  [*] Indirect Branch Tracking
Search for CONFIG_X86_KERNEL_IBT to find this item.

Shadow Stack

Shadow Stack support in the kernel has been present since version 6.4.

KERNEL CONFIG_X86_USER_SHADOW_STACK
Processor type and features  --->
  [*] X86 userspace shadow stack
Search for CONFIG_X86_USER_SHADOW_STACK to find this item.

Toolchain

For CET to work, binaries must be built with a toolchain that supports it. In Gentoo, this is controlled by the cet USE flag, which has been enabled by default since the 23.0 profiles.

Minimum toolchain version with CET support

Program             Minimum version   Note
sys-devel/gcc       8.0
dev-libs/glibc      2.28              For shadow stack support with Linux 6.6 and newer, glibc version 2.39 is required.
sys-devel/binutils  2.29

Build Flags

Tip
If a hardened profile is used, no further configuration is required.

GCC and Clang build CET-enabled binaries when given the -fcf-protection flag.

Verifying it Works

Look for the following line early in the boot log:

[ 0.124061] CET detected: Indirect Branch Tracking enabled
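The checks from the Hardware Support, Kernel, Build Flags and Verifying sections above, collected into one script. This is an added example, not part of the wiki page or of any Gentoo tool; the function names are my own, every check reads a file so it can be run against the real /proc/cpuinfo, a decompressed kernel config, saved dmesg output and saved "readelf -n BINARY" output, and the sample inputs at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the CET prerequisites the page
# lists. Each check takes a file path so it runs on constructed samples or on
# /proc/cpuinfo, a kernel config, "dmesg" output and "readelf -n" output.

# 0 if the cpuinfo file lists both flags the page names: ibt and user_shstk.
cet_cpu_supported() {
    flags=$(grep -m1 '^flags' "$1")
    echo "$flags" | grep -qw ibt && echo "$flags" | grep -qw user_shstk
}

# 0 if the kernel config enables both CET options (IBT and user shadow stack).
cet_kernel_config_ok() {
    grep -q '^CONFIG_X86_KERNEL_IBT=y' "$1" &&
    grep -q '^CONFIG_X86_USER_SHADOW_STACK=y' "$1"
}

# 0 if the boot log contains the line the page says to look for.
cet_boot_enabled() {
    grep -q 'CET detected: Indirect Branch Tracking enabled' "$1"
}

# Print the x86 feature bits recorded in a binary's .note.gnu.property, parsed
# from saved "readelf -n BINARY" output. A -fcf-protection build carries
# "IBT, SHSTK"; a binary built without it prints nothing.
cet_binary_features() {
    sed -n 's/.*x86 feature: *//p' "$1" | head -n1
}

# One-line verdict per check: cpuinfo, kernel config, boot log, readelf notes.
cet_report() {
    cet_cpu_supported "$1"   && echo "cpu:    ibt + user_shstk present" || echo "cpu:    flags missing"
    cet_kernel_config_ok "$2" && echo "kernel: IBT + shadow stack configured" || echo "kernel: not configured"
    cet_boot_enabled "$3"    && echo "boot:   IBT enabled" || echo "boot:   no CET line"
    f=$(cet_binary_features "$4")
    echo "binary: ${f:-no CET property note}"
}

# Demo on constructed sample files (not real machine output); on a real system
# pass /proc/cpuinfo, the kernel config, dmesg output and readelf -n output.
demo=$(mktemp -d)
printf 'flags\t\t: fpu sse2 ibt user_shstk\n' > "$demo/cpuinfo"
printf 'CONFIG_X86_KERNEL_IBT=y\nCONFIG_X86_USER_SHADOW_STACK=y\n' > "$demo/config"
printf '[    0.124061] CET detected: Indirect Branch Tracking enabled\n' > "$demo/dmesg"
printf '      Properties: x86 feature: IBT, SHSTK\n' > "$demo/notes"
cet_report "$demo/cpuinfo" "$demo/config" "$demo/dmesg" "$demo/notes"
rm -r "$demo"
```

On a running system the readelf input is produced with, for example, `readelf -n /usr/bin/ls > notes.txt`, and the kernel config with `zcat /proc/config.gz > config.txt` when CONFIG_IKCONFIG_PROC is available.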
