Fedora 45 Considering x86_64 Shadow Stack Usage by Default


Written by Michael Larabel in Fedora on 2 July 2026 at 05:17 PM EDT.

A change proposal under consideration for Fedora Linux 45 would enable x86_64 Shadow Stack usage by default in the name of better security on modern Intel and AMD systems.

The change proposal is to enable Shadow Stack protection by default on x86_64 for applications and libraries compiled with GCC, LLVM Clang, or Rustc. The dynamic linker or static startup routines will activate Shadow Stack for any process where the binary and its shared library dependencies are all built with Shadow Stack support. Shadow Stacks are hardware-enforced by modern Intel and AMD CPUs to help fend off Return-Oriented Programming "ROP" style exploits.

The change proposal goes on to elaborate:

"This change enables Shadow Stack protection by default on x86_64 machines that support it on Fedora Linux 45. The dynamic linker, or static startup routines, will activate Shadow Stack for any process whose binary and shared library dependencies are all built with Shadow Stack support, protecting processes by default whenever possible. Shadow Stacks are one of two Control-Flow Enforcement features introduced in Intel CET, alongside Indirect Branch Tracking (IBT), designed to defend against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks by protecting return addresses. This Fedora change only covers enabling Shadow Stack support. Enabling Indirect Branch Tracking by default is not in scope.

This change is backward compatible for the most part: -fcf-protection is a default compile time flag already enabled in redhat-rpm-config for Fedora since 2018 and thus the majority of binaries are already built with the appropriate markup. Thus, after this change is applied, applications whose dependencies carry Shadow Stack markup gain protection transparently while applications that load any non-compliant object at startup continue to run without Shadow Stack protection. The only new failure mode is when a Shadow Stack enabled process attempts to dlopen a non-compliant shared object at runtime, which results in a dlopen error that looks like error: dlopen: /path/to/library.so: rebuild shared object with SHSTK support enabled."
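The all-or-nothing rule in the proposal depends on the markup each ELF object carries in its .note.gnu.property section. The following is an added example, not code from Fedora or glibc: it parses that note (ELF64 little-endian layout assumed) and reports which objects would keep a process from getting Shadow Stack. The object names and note bytes are constructed for illustration.

```python
import struct

# Constants from the x86-64 psABI GNU property note (.note.gnu.property).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT, FEATURE_1_SHSTK = 0x1, 0x2

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_feature_1(section: bytes) -> int:
    """Return the X86_FEATURE_1_AND bits from ELF64 LE note bytes, 0 if absent."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_off = off + 12
        desc_off = name_off + _align(namesz, 4)
        if desc_off + descsz > len(section):
            break  # truncated note: treat the object as unmarked
        name = section[name_off:name_off + namesz]
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p, end = desc_off, desc_off + descsz
            while p + 8 <= end:  # walk the property array inside the descriptor
                pr_type, pr_datasz = struct.unpack_from("<II", section, p)
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND
                        and pr_datasz == 4 and p + 12 <= end):
                    return struct.unpack_from("<I", section, p + 8)[0]
                p += 8 + _align(pr_datasz, 8)
        off = _align(desc_off + descsz, 8)
    return 0

def shstk_decision(objects: dict) -> tuple:
    """Apply the all-or-nothing rule: (enabled, [objects lacking the SHSTK bit])."""
    missing = [name for name, sec in objects.items()
               if not x86_feature_1(sec) & FEATURE_1_SHSTK]
    return (not missing, missing)

def make_note(bits: int) -> bytes:
    """Build a constructed .note.gnu.property blob carrying the given feature bits."""
    desc = struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits, 0)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

# Constructed sample inputs (object names are hypothetical).
marked = make_note(FEATURE_1_IBT | FEATURE_1_SHSTK)
if __name__ == "__main__":
    print(shstk_decision({"app": marked, "libc.so.6": marked}))
    print(shstk_decision({"app": marked, "libold.so": b"",
                          "libibt.so": make_note(FEATURE_1_IBT)}))
```

On a real system the same markup is visible with readelf -n, which lists the x86 feature properties (IBT, SHSTK) for a marked object.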

The performance cost of Shadow Stack usage tends to be minuscule to non-existent while providing better system security. This is also working toward enabling Indirect Branch Tracking "IBT" in a later Fedora Linux release for full Control-flow Enforcement Technology (CET) protection.

More details on the Shadow Stack proposal for Fedora 45 can be found via the Fedora Wiki.


Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
