* Felix Potthast:

> I just stumbled upon the fact that Debian doesn't yet make use of the
> Intel CET security feature, while many other distributions
> (Ubuntu, Fedora, Suse, Arch Linux) do.

There's no kernel support for userspace CET, and it's been missing for many years now. The userspace ABI will change, but the hope is that a glibc update is sufficient to enable it for those distributions that are already built to spec. Reportedly, Fedora mostly works with custom kernels (not the Fedora kernel though; it follows mainline).

There's some hope that userspace CET lands in an upcoming 6.y kernel upstream, with a low value for y, but we've been disappointed countless times.

The most interesting part is probably the shadow stack and the efficient backtrace generation it enables (the full call stack, not just the last 32 or so frames, as with LBR; and even faster than frame-pointer traversal). This particular part of CET is already available in AMD's Zen 3 CPUs, not just Intel's Tiger Lake and later CPUs.