Fedora 45 Considering x86_64 Shadow Stack Usage By Default
https://www.phoronix.com/news/Fedora-45-Consider-Shadow-Stack
Publish Date: 2026-07-02 17:17:00
Source Domain: www.phoronix.com
A change proposal under consideration for Fedora Linux 45 would enable x86_64 Shadow Stack usage by default in the name of better security on modern Intel and AMD systems.
The change proposal is to enable Shadow Stack protection by default on x86_64 for applications and libraries compiled with GCC, LLVM Clang, or rustc. The dynamic linker (or the static startup routines, for statically linked binaries) will activate Shadow Stack for any process whose executable and all of its shared library dependencies carry Shadow Stack markup; a single unmarked object at startup means the process runs without it. Shadow Stacks are hardware-enforced by modern Intel and AMD CPUs: the CPU keeps a second, protected copy of each return address and faults if the copy on the ordinary stack no longer matches on return, which is what defeats Return-Oriented Programming (ROP) style exploits.
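The "all objects must be marked" rule the article describes is decided from the ELF `.note.gnu.property` note that `-fcf-protection` makes the compiler emit and the linker merge (the `GNU_PROPERTY_X86_FEATURE_1_AND` property, with one bit for IBT and one for SHSTK). The following C program is an added example written for this page; it is not code from the Fedora proposal, glibc, or Phoronix. It parses such a note, applies the loader's eligibility rule to a set of objects, and queries the kernel for whether a shadow stack is actually active in the running process. The note byte arrays are constructed test data, not extracted from a real binary, and the `0x5005` / bit-0 values are the Linux `ARCH_SHSTK_STATUS` / `ARCH_SHSTK_SHSTK` constants as this example assumes them from the kernel's uapi headers.

```c
/* Added example for this article; not code from the Fedora proposal, glibc,
 * or Phoronix. Parses an ELF64 .note.gnu.property section (the markup that
 * -fcf-protection produces) and applies the loader's rule: Shadow Stack is
 * enabled only when every object carries the SHSTK bit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__) && defined(__x86_64__)
#include <unistd.h>
#include <sys/syscall.h>
#endif

#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  0x2u

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask from one note section,
 * or 0 if the note is malformed or the property is absent. An unmarked
 * object is treated as not Shadow Stack capable, as the loader treats it. */
uint32_t x86_feature_1_and(const uint8_t *sec, size_t len)
{
    if (len < 16) return 0;
    uint32_t namesz = rd32(sec), descsz = rd32(sec + 4), type = rd32(sec + 8);
    /* Owner name is "GNU\0": namesz 4, already 4-byte aligned. */
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4 ||
        memcmp(sec + 12, "GNU", 4) != 0)
        return 0;
    if (descsz > len - 16) return 0;
    const uint8_t *desc = sec + 16, *end = desc + descsz;
    while ((size_t)(end - desc) >= 8) {
        uint32_t pr_type = rd32(desc), pr_datasz = rd32(desc + 4);
        desc += 8;
        if (pr_datasz > (size_t)(end - desc)) return 0;
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
            return rd32(desc);
        size_t step = (pr_datasz + 7) & ~(size_t)7;  /* ELF64 pads properties to 8 */
        if (step > (size_t)(end - desc)) break;
        desc += step;
    }
    return 0;
}

int object_supports_shstk(const uint8_t *sec, size_t len)
{
    return (x86_feature_1_and(sec, len) & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0;
}

/* Loader rule: the executable and every startup dependency must be marked. */
int process_can_enable_shstk(const uint8_t *const *secs, const size_t *lens, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!object_supports_shstk(secs[i], lens[i])) return 0;
    return 1;
}

/* Runtime view: ask the kernel whether this thread has a shadow stack
 * (assumed Linux 6.6+ arch_prctl interface). 1 = active, 0 = not active,
 * -1 = the query is unsupported on this kernel or architecture. */
int shstk_active_now(void)
{
#if defined(__linux__) && defined(__x86_64__)
    unsigned long st = 0;
    if (syscall(SYS_arch_prctl, 0x5005L /* ARCH_SHSTK_STATUS, assumed */, &st) != 0)
        return -1;
    return (st & 1UL /* ARCH_SHSTK_SHSTK, assumed */) ? 1 : 0;
#else
    return -1;
#endif
}

/* Constructed note sections (little-endian ELF64 layout), not real binaries. */
static const uint8_t kNoteCet[] = {        /* IBT|SHSTK, a fully marked object */
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x02,0x00,0x00,0xc0,  4,0,0,0,  0x03,0,0,0,  0,0,0,0 };
static const uint8_t kNoteIbtOnly[] = {    /* IBT only, e.g. built with -fcf-protection=branch */
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x02,0x00,0x00,0xc0,  4,0,0,0,  0x01,0,0,0,  0,0,0,0 };
static const uint8_t kNoteOther[] = {      /* a property of another type, no CET bits */
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x01,0x00,0x00,0xc0,  4,0,0,0,  0x01,0,0,0,  0,0,0,0 };

int main(void)
{
    const uint8_t *objs[] = { kNoteCet, kNoteIbtOnly };
    size_t lens[] = { sizeof kNoteCet, sizeof kNoteIbtOnly };
    printf("exe marked SHSTK: %d\n", object_supports_shstk(kNoteCet, sizeof kNoteCet));
    printf("process eligible (exe + IBT-only lib): %d\n",
           process_can_enable_shstk(objs, lens, 2));
    printf("shadow stack active in this process: %d\n", shstk_active_now());
    return 0;
}
```

On a real system the same markup is visible with `readelf -n` on the binary and each library, and the eligibility rule explains the proposal's behaviour: one IBT-only or unmarked library in the startup set is enough to leave the whole process without Shadow Stack, while `dlopen` of such an object later is the new failure mode the proposal calls out.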
The change proposal goes on to elaborate:
“This change enables Shadow Stack protection by default on x86_64 machines that support it on Fedora Linux 45. The dynamic linker, or static startup routines, will activate Shadow Stack for any process whose binary and shared library dependencies are all built with Shadow Stack support, protecting processes by default whenever possible. Shadow Stacks are one of two Control-Flow Enforcement features introduced in Intel CET, alongside Indirect Branch Tracking (IBT), designed to defend against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks by protecting return addresses. This Fedora change only covers enabling Shadow Stack support. Enabling Indirect Branch Tracking by default is not in scope.
This change is backward compatible for the most part: -fcf-protection is a default compile time flag already enabled in redhat-rpm-config for Fedora since 2018 and thus the majority of binaries are already built with the appropriate markup. Thus, after this change is applied, applications whose dependencies carry Shadow Stack markup gain protection transparently while applications that load any non-compliant object at startup continue to run without Shadow Stack protection. The only new failure mode is when a Shadow Stack enabled process attempts to dlopen a…