Epic: Support Intel CET #47309
Description
Recent Intel x64 CPUs support a new security feature called CET (Control-flow Enforcement Technology). We plan to support it in the .NET 6.0.
Windows and Linux
- Add Shadow stack popping during stack unwinding.
Windows
- Add proper compiler and linker options to support CET for the C/C++ code.
- Implement our own version of RtlRestoreContext for exception handling (done on Windows only for now)
- Implement new way of thread suspension using a new user mode APC that would work the same way as on Unix.
- Implement new way of return address hijacking compatible with the CET.
- Make ThreadAbort work with CET enabled
- Make GC stress 4/8 work with CET enabled
- Enable CI for CET
- Enable non-strict mode by default
- Performance is comparable without CET enabled
- Debugging support is not restricted with CET enabled
Linux
- Add proper compiler options to enable IBT (indirect branch tracing) support and
.note.gnu.propertysection to indicate our native runtime binaries are compatible with shadow stack and IBT. - Add ENDBR instructions at the beginning of asm helper functions that can be called using indirect jumps or calls.
- Modify JIT to add ENDBR instructions at the beginning of all methods that can be called via indirect jumps or calls.
- The Linux work depends on the availability of the CET support in the mainstream Linux kernel. There is a patch that adds some
arch_prctloperations for the Intel CET.