[NativeAOT] Enable CET support

[jkotas]

CET is one of the low-level security mitigations.

It is supported on CoreCLR, but not on native AOT. We need to port the support from CoreCLR to native AOT (and test it that it works).

(Context #101891 (comment))

[VSadov]

Presumably this is not just suspension support (which is partially CET compatible, modulo return hijacking), but there is some Exception Handling work as well, right?
There are several places in CoreCLR where EH does something different for CET.

[jkotas]

What are the places in EH that you have in mind?

(There may be some changes needed in EH, but they should be very minor.)

[VSadov]

I just did a search for AreCetShadowStacksEnabled and saw a few uses in EH. Did not look in details what they do though.

[jkotas]

I just did a search for AreCetShadowStacksEnabled and saw a few uses in EH. Did not look in details what they do though.

Those are related to the suspension support. The shadows stacks turn return address hijacks into STATUS_RETURN_ADDRESS_HIJACK_ATTEMPT SEH exceptions.

[VSadov]

Those are related to the suspension support. The shadows stacks turn return address hijacks into STATUS_RETURN_ADDRESS_HIJACK_ATTEMPT SEH exceptions.

I see. I am trying to see how much is missing in NatveAOT.

I think we might want to fit this into 9.0. Especially since this is security related, it feels it fits the overall theme.

[janvorli]

@VSadov I'll be happy to help with this if you need some clarifications around the CET stuff.