Fedora 45 Proposes Enabling x86_64 Shadow Stack by Default
Fedora Linux 45 is considering enabling hardware-enforced Shadow Stack protection by default, a feature of Intel CET to counter ROP attacks.
Fedora Linux 45 is proposing to enable Shadow Stack by default for the x86_64 architecture. According to a report by Phoronix, this change would automatically apply hardware-enforced return address protection to applications and libraries compiled with GCC, LLVM Clang, and Rustc. The goal is to significantly strengthen defenses against Return-Oriented Programming (ROP) attacks by leveraging the security features of modern Intel and AMD CPUs.
Proposal Overview
The core of the proposal is to enable Shadow Stack only when the dynamic linker (or, for static executables, the startup code) on Fedora 45 confirms that the executable and every shared library it depends on were built with Shadow Stack support. Fedora has passed the `-fcf-protection` compiler flag by default through redhat-rpm-config since 2018, so the majority of packaged binaries already carry the required marking: the GNU_PROPERTY_X86_FEATURE_1_SHSTK bit in the object's `.note.gnu.property` note, which the linker keeps in the final executable or library only if every input object had it. As such, the change is expected to enhance security transparently while preserving backward compatibility for most applications: an object without the marking simply runs without Shadow Stack, as it does today.
Technical Background
Shadow Stack is one of the two primary features of Intel’s Control-flow Enforcement Technology (CET), the other being Indirect Branch Tracking (IBT), which is not part of this proposal. Shadow Stack protects return addresses in hardware: on every `call` the CPU pushes a second copy of the return address onto a separate shadow stack that ordinary stores cannot write, and on every `ret` it compares the address popped from the normal stack with the shadow copy, raising a control-protection fault on mismatch. This neutralizes Return-Oriented Programming (ROP), which overwrites saved return addresses on the stack to chain short existing instruction sequences ("gadgets") ending in `ret`. Jump-Oriented Programming (JOP), which hijacks indirect jumps and calls rather than returns, is not stopped by Shadow Stack; that is the job of IBT. Despite modern countermeasures, ROP remains the standard way to turn a memory-corruption bug into code execution once non-executable memory rules out injected shellcode.
Implementation Details
Under the proposal, the dynamic linker checks at process startup whether the executable and all shared libraries loaded with it carry the Shadow Stack marking. If every object is compliant, it enables Shadow Stack for the process through the kernel's shadow-stack interface (arch_prctl with ARCH_SHSTK_ENABLE), which requires user-space shadow stack support, present since Linux 6.6, and a CPU that implements it, such as Intel Tiger Lake or later and AMD Zen 3 or later. If even a single non-compliant object is present, Shadow Stack stays disabled for that process, and it likewise stays off on hardware or kernels without support. This approach allows a gradual transition without breaking compatibility.
However, a new failure mode is introduced. If a process that already has Shadow Stack enabled attempts to load a non-compliant shared object with dlopen (or one whose own dependencies are non-compliant), the load fails: dlopen returns NULL and dlerror reports a message resembling `dlopen: /path/to/library.so: rebuild shared object with SHSTK support enabled`. The loader refuses the object rather than silently dropping protection for the whole process, so the remedy is to rebuild the affected library with `-fcf-protection`.
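The loader rule described above (every object must carry the marking, and a later dlopen of an unmarked object fails) can be applied ahead of time to find out which objects would keep a process out of Shadow Stack. The following Python script is an added example written for this article, not code from Fedora, glibc or the Phoronix report: it parses the PT_GNU_PROPERTY segment of an ELF64 file for the GNU_PROPERTY_X86_FEATURE_1_AND property and tests its SHSTK bit, and optionally walks the dependency list that `ldd` reports for a real binary. The numeric constants are the standard ELF and GNU property values; the function names are the script's own. The sample ELF images it builds for itself are constructed for demonstration and are not loadable programs.

```python
"""Check whether ELF objects carry the Shadow Stack (SHSTK) marking that the
dynamic linker requires before enabling hardware return-address protection.
Added example for this article; not glibc's or Fedora's code."""
import struct
import subprocess
import sys

PT_GNU_PROPERTY = 0x6474E553          # program header covering .note.gnu.property
NT_GNU_PROPERTY_TYPE_0 = 5            # note type used for GNU properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def x86_feature_1_from_desc(desc: bytes) -> int:
    """Return the FEATURE_1_AND bitmask from a property note descriptor (0 if absent)."""
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            return struct.unpack_from("<I", desc, off)[0]
        off += (pr_datasz + 7) & ~7    # ELF64 property data is padded to 8 bytes
    return 0


def x86_feature_1_from_segment(seg: bytes) -> int:
    """Walk the notes in a PT_GNU_PROPERTY segment and find the GNU property note."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        off += 12
        name = seg[off:off + namesz]
        off += (namesz + 3) & ~3       # owner name ("GNU\0") is padded to 4 bytes
        desc = seg[off:off + descsz]
        off += (descsz + 7) & ~7       # descriptor is padded to 8 bytes in ELF64
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            return x86_feature_1_from_desc(desc)
    return 0


def x86_feature_1_of_elf(data: bytes) -> int:
    """Locate PT_GNU_PROPERTY in a little-endian ELF64 image and return its feature bits."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        hdr = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, hdr)
        if p_type == PT_GNU_PROPERTY:
            return x86_feature_1_from_segment(data[p_offset:p_offset + p_filesz])
    return 0                            # no property note: built without -fcf-protection


def has_shstk(data: bytes) -> bool:
    """True if the object would pass the loader's Shadow Stack check."""
    return bool(x86_feature_1_of_elf(data) & GNU_PROPERTY_X86_FEATURE_1_SHSTK)


def shstk_closure(path: str) -> dict:
    """Apply the loader's rule to a real binary: it and every library that ldd resolves
    must be marked, or the process starts without Shadow Stack.
    Caution: ldd runs the dynamic loader on the target, so use it only on trusted files."""
    with open(path, "rb") as f:
        result = {path: has_shstk(f.read())}
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    if proc.returncode != 0:            # e.g. a static executable: nothing else to check
        return result
    for line in proc.stdout.splitlines():
        parts = line.split()
        dep = parts[2] if len(parts) > 2 and parts[1] == "=>" else (parts[0] if parts else "")
        if dep.startswith("/"):        # skips the vdso and "not found" entries
            with open(dep, "rb") as f:
                result[dep] = has_shstk(f.read())
    return result


def build_sample_elf(feature_bits: int) -> bytes:
    """Constructed sample (not a runnable program): a minimal ELF64 image whose single
    program header is a PT_GNU_PROPERTY segment carrying the given FEATURE_1_AND bits."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    note = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, LSB, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, 1, 64, 0, 0)  # ET_DYN, EM_X86_64
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, ehdr_size + phdr_size,
                       0, 0, len(note), len(note), 8)
    return ehdr + phdr + note


if __name__ == "__main__":
    if len(sys.argv) == 1:             # no path given: exercise the parser on the samples
        for bits in (0, GNU_PROPERTY_X86_FEATURE_1_IBT,
                     GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK):
            print(f"sample feature bits {bits:#x}: SHSTK={has_shstk(build_sample_elf(bits))}")
    for target in sys.argv[1:]:
        for obj, ok in shstk_closure(target).items():
            print(f"{'SHSTK' if ok else 'MISSING':8} {obj}")
```

`readelf -n` on the same file shows the identical information under "Properties: x86 feature:"; the script exists to make the loader's per-object rule explicit and scriptable. A plugin host can run `has_shstk` on a candidate plugin before calling dlopen to report a clearer error than the loader's. For experiments, the glibc tunable `GLIBC_TUNABLES=glibc.cpu.x86_shstk=off` (or `=permissive`) changes the loader's behaviour without rebuilding anything.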
Performance and Future Plans
The performance impact of enabling Shadow Stack is reported to be negligible. The CPU maintains the shadow stack itself as part of executing `call` and `ret`, so no extra instructions are added to the code path, unlike software-based return-address checks, which instrument every function prologue and epilogue. The result is a practical security improvement at very low cost.
The Fedora project views this default enablement of Shadow Stack as an initial step toward broader implementation. Future releases may enable Indirect Branch Tracking by default, completing CET. IBT requires every target of an indirect `call` or `jmp` to begin with an `endbr64` instruction, closing off JOP in the same way Shadow Stack closes off ROP, with the caveat that IBT is coarse-grained: any marked function entry remains a valid target, so it constrains rather than eliminates indirect-branch hijacking. Together the two features give a substantial improvement in control-flow integrity.
Editorial Opinion
In the short term, if this proposal is approved for Fedora 45, it is likely to influence other major Linux distributions. Enterprise-focused distributions, in particular, may consider adopting this change as a benchmark for enhanced security. However, the new error pattern introduced by dlopen could pose challenges for plugin-based applications, requiring swift adaptation from the developer community.
From a long-term perspective, full deployment of CET, including IBT, would substantially raise the cost of control-flow hijacking attacks like ROP and JOP. This represents a prime example of how operating systems and hardware can collaborate to improve security. However, older CPUs without Shadow Stack support, and kernels that predate user-space shadow stack support, gain nothing: the same binaries still run, but without the protection, which splits the user base into protected and unprotected systems and leaves legacy hardware at its current level of risk. The efficacy of Fedora’s initiative will largely depend on the adoption rate of CET-capable CPUs in Intel and AMD’s roadmaps. As an editorial team, we are particularly interested in monitoring the real-world compatibility challenges posed by this proposal.
References
- Fedora 45 Considering x86_64 Shadow Stack Usage By Default — Phoronix — Published on July 2, 2026
- Fedora Wiki: Changes/ShadowStackDefault — Proposal details (unverified URL mentioned in the original article)
Frequently Asked Questions
- What is Shadow Stack?
- Shadow Stack is a feature of Intel CET, also implemented by AMD, in which the CPU keeps a second copy of every return address on a separate, hardware-protected stack. On each return it compares the address taken from the ordinary stack with the shadow copy and raises a fault on mismatch, which stops ROP attacks that depend on overwriting saved return addresses. It is supported by modern Intel and AMD CPUs.
- Will all existing applications be protected if this change is adopted in Fedora 45?
- Fedora packages built since 2018 have been compiled with `-fcf-protection`, so an application whose dependent libraries are all compliant will be protected transparently. A process that loads a non-compliant library at startup runs without Shadow Stack, and a process already running with Shadow Stack gets an error from `dlopen` if it later tries to load a non-compliant library. Third-party binaries not built with the flag are not covered.
- How significant is the performance impact?
- The performance cost of enabling Shadow Stack is reported to be negligible or minimal. Hardware-based implementation ensures lower overhead compared to software-based protection methods, making it an efficient security enhancement.