Skip to content

Cherry-pick commit for Shadow Stack support

loqs requested to merge loqs/x264:SHSTK into main

Shadow Stack is one of two features that compromise Control Flow Enforcement Technology (CET). Both features are designed to mitigate Return Oriented Programming exploits.

With respect to user space Linux supports Shadow Stack but not Indirect Branch Tracking. glibc supports both. Arch enables support for both features with -fcf-protection in CFLAGS/CXXFLAGS. For compiler generated code that results in binaries supporting both features. Assembly code needs the GNU_PROPERTY_X86_FEATURE_1_SHSTK in section to indicate compatibility with Shadow Stack.

For Shadow Stack to be activated the environment variable GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK has to be set.

Merge request reports