How to enable Intel CET
by h3xduck
26 June 2025

During my research on Intel CET, I found a surprising lack of comprehensive documentation on how to enable Intel CET in Linux and Windows. Even though it could be considered the most popular and widespread Control Flow Integrity (CFI) scheme, it was challenging for me to discover all the hidden requirements needed to get CET running on a system.
At the time of writing (June 2025), Intel CET is, in broad terms, enabled by default in both Windows and Linux. However, if you try to test it on your system, you may find that it is not enabled, and it is often opaque and difficult to understand why. Here I would like to document everything that is needed, for future lurkers. I will try my best to keep this post updated, but please bear in mind that things may change rapidly.
Note that Intel CET consists of both the Shadow Stack (SHSTK from now onwards) and Indirect Branch Tracking (IBT); the two have different requirements, as stated below.
Also, as indicated below, there are some system configurations for which I do not know whether CET is available (I was not able to test them); if you happen to know, please contact me and I will add that information for everyone else.
If you are really convinced CET should be running on your system but you can’t get it to work, don’t worry: 95% of the time, what is failing is one of the things below.
Linux
For your system to have CET enabled, your setup must meet ALL of the following criteria.
Processor support
CET requires new microinstructions and faults. Your processor must be one of the following or newer:
| | Minimum processor |
|---|---|
| Intel | Tiger Lake (11th generation) |
| AMD | Ryzen 5000-series* |
*While AMD implements a Shadow Stack, I haven’t been able to confirm if IBT is enabled in AMD processors.
Kernel support
One of the following Linux kernel versions or newer is required. At the moment, IBT enforcement is only supported for kernel code, while SHSTK enforcement is only available for userspace.

| | SHSTK | IBT |
|---|---|---|
| Userspace | From 6.6 onwards | No |
| Kernel | No | From 5.18 onwards |

If your processor is 32-bit:

| | SHSTK | IBT |
|---|---|---|
| Userspace | No | No |
| Kernel | No | From 5.18 onwards* |
*Only maybe, couldn’t test.
Compiler support
Your compiler must support the new CET flags:
| | Version |
|---|---|
| GCC | 8.1 onwards |
| Clang/LLVM | LLVM 11* |
*It is possible that it is available in 10.X
Application support
The application must opt in by being compiled with Intel CET support via a compilation flag.
Your program must be compiled with the following flag:

| | Flag |
|---|---|
| GCC | -fcf-protection=full |
| Clang/LLVM | -fcf-protection=full |
You will probably want to know whether default applications (e.g., the ones installed via package managers like apt) were compiled with this flag. In practice, most applications in any Linux system are already compiled with it, but there are exceptions:

| Distro | Is the CET flag used for applications? |
|---|---|
| Fedora | Flag set |
| Arch Linux | Flag set |
| Ubuntu | Flag set |
| Debian | Flag set, but only in packages downloaded with dpkg 1.22.0 or later |
Runtime support
This is the trickiest part of CET and the one which is most difficult to debug. For a program to run under CET protection, every linked library must have been compiled with the CET flag, as stated previously.
In practice, 95% of the libraries are already compiled with the CET flag. However, if you suspect that one is not, you can run:

```
readelf -n test
```

If you see the following or a similar note, then the binary/library was compiled with CET support:

```
Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline
```
In Ubuntu, I found at least two libraries under /lib/x86_64-linux-gnu/ that are not currently compiled with the CET flag:
- libgmp
- libmpg123
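Running `readelf -n` by hand on every library of every program does not scale, so here is an added example (not code from the original post) that does the same check programmatically: it parses the `.note.gnu.property` note that `-fcf-protection` emits, walks a binary's `ldd` dependencies, and lists every object that lacks the IBT and SHSTK markers. The constants are the ones defined in the GNU ELF extensions; the sample note and the `ldd` output embedded at the bottom are constructed so the parser can be exercised offline, and `objects_without_cet` assumes `ldd` is available on the host.

```python
"""Check whether an ELF binary and its shared-library dependencies carry the GNU
property note that -fcf-protection emits. Added example, not from the original
post: parses the note directly instead of shelling out to readelf; little-endian
ELF64 (x86-64) objects only."""
import struct
import subprocess

PT_GNU_PROPERTY = 0x6474E553                 # program header that points at the note
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002  # bitmask; bit 0 = IBT, bit 1 = SHSTK
GNU_PROPERTY_X86_ISA_1_NEEDED = 0xC0008002   # value 1 = x86-64-baseline
FEATURE_IBT, FEATURE_SHSTK = 1 << 0, 1 << 1

def parse_property_notes(data: bytes, align: int = 8) -> dict:
    """{pr_type: value} for every 4-byte property in the "GNU" NT_GNU_PROPERTY_TYPE_0
    notes of `data`. ELF64 notes and the properties inside them are 8-byte aligned."""
    props, off = {}, 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        name = data[off + 12:off + 12 + namesz]
        off = (off + 12 + namesz + align - 1) & ~(align - 1)    # desc starts here
        desc = data[off:off + descsz]
        off = (off + descsz + align - 1) & ~(align - 1)         # next note starts here
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            if pr_datasz == 4:
                props[pr_type] = struct.unpack_from("<I", desc, d + 8)[0]
            d = (d + 8 + pr_datasz + align - 1) & ~(align - 1)   # pr_data is padded too
    return props

def cet_features(props: dict) -> set:
    """Translate the x86 feature bitmask into the names readelf prints."""
    bits = props.get(GNU_PROPERTY_X86_FEATURE_1_AND, 0)
    return {n for n, bit in (("IBT", FEATURE_IBT), ("SHSTK", FEATURE_SHSTK)) if bits & bit}

def cet_features_of_image(elf: bytes) -> set:
    """Walk the program headers of an in-memory ELF64 image to PT_GNU_PROPERTY.
    An empty set means the object was not built with -fcf-protection."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:     # ELFCLASS64, little-endian
        raise ValueError("not a little-endian ELF64 object")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return cet_features(parse_property_notes(elf[p_offset:p_offset + p_filesz]))
    return set()

def elf_cet_features(path: str) -> set:
    with open(path, "rb") as f:
        return cet_features_of_image(f.read())

def parse_ldd_output(text: str) -> list:
    """Resolved library paths from `ldd` output; 'not found' and the vdso are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        parts = line.split("=>", 1)[1].split() if "=>" in line else line.split()
        if parts and parts[0].startswith("/"):
            paths.append(parts[0])
    return paths

def objects_without_cet(binary: str) -> list:
    """The program plus every ldd-resolved dependency that lacks IBT or SHSTK.
    Per the post, all of them must carry the note for the process to get CET."""
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return [p for p in [binary] + parse_ldd_output(ldd)
            if elf_cet_features(p) != {"IBT", "SHSTK"}]

def build_property_note(properties) -> bytes:
    """Constructed test data: one "GNU" property note from [(pr_type, u32), ...]."""
    desc = b"".join(struct.pack("<IIII", t, 4, v, 0) for t, v in properties)  # 16 B each
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

def build_sample_elf(note: bytes) -> bytes:
    """Constructed test data: a minimal, non-runnable ELF64 image whose only
    program header is PT_GNU_PROPERTY, so the parser can be exercised offline."""
    ehdr = bytearray(64)
    ehdr[0:7] = b"\x7fELF\x02\x01\x01"               # magic, ELFCLASS64, LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)      # ET_DYN, EM_X86_64, e_version
    struct.pack_into("<Q", ehdr, 32, 64)              # e_phoff: right after the header
    struct.pack_into("<HHH", ehdr, 52, 64, 56, 1)     # e_ehsize, e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 0, 0, len(note), len(note), 8)
    return bytes(ehdr) + phdr + note

# Constructed samples: the note matches the readelf output above (descsz 0x20); the
# ldd addresses are made up.
SAMPLE_NOTE = build_property_note([(GNU_PROPERTY_X86_FEATURE_1_AND, FEATURE_IBT | FEATURE_SHSTK),
                                   (GNU_PROPERTY_X86_ISA_1_NEEDED, 1)])
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3b5f0000)
\tlibgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f0c2a000000)
\tlibmissing.so.1 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0c2a400000)
"""
```

`objects_without_cet("/path/to/program")` prints nothing new by itself; it returns the list of offending objects, so an empty list means the whole dependency closure carries both markers. Note that `ldd` only resolves link-time dependencies: libraries a program loads later with `dlopen` have to be checked separately with `elf_cet_features`.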
Finally, it turns out that the maintainers of libc added a runtime control for SHSTK as a ‘glibc tunable’. For various reasons, this is currently disabled by default. You must set the tunable in the shell where you are running the CET-enforced program:

```
export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK
```
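Once the binary side is in order, the remaining question is whether the machine and the process actually have a shadow stack. The following added script (not from the original post) checks the layers listed above in one go: the CPU flags in `/proc/cpuinfo`, the kernel's per-thread feature line in `/proc/self/status`, and the `GLIBC_TUNABLES` setting. It assumes an x86 kernel of 6.6 or newer built with user shadow stack support, which is what exposes the `user_shstk` flag and the `x86_Thread_features` line; the `/proc` snippets at the bottom are constructed samples, not captured output.

```python
"""Report whether Intel CET is available on this Linux machine and whether the
current process actually runs with a shadow stack. Added example, not from the
original post. Assumes a 6.6+ x86 kernel with user shadow stack support, which
exposes the `user_shstk` cpuinfo flag and the `x86_Thread_features` status line."""
import os
import platform
import re

def parse_cpuinfo_flags(text: str) -> set:
    """CET-related flags from the first 'flags' line of /proc/cpuinfo."""
    for line in text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split()) & {"shstk", "user_shstk", "ibt"}
    return set()

def parse_thread_features(text: str) -> set:
    """Features the kernel has enabled for this thread, from /proc/<pid>/status."""
    for line in text.splitlines():
        if line.startswith("x86_Thread_features:"):
            return set(line.split(":", 1)[1].split())
    return set()

def tunable_enables_shstk(glibc_tunables: str) -> bool:
    """True if GLIBC_TUNABLES leaves SHSTK enabled in glibc.cpu.hwcaps.
    Tunables are colon-separated; hwcaps is a comma list where '-NAME' disables."""
    enabled = False
    for entry in glibc_tunables.split(":"):
        if entry.startswith("glibc.cpu.hwcaps="):
            for item in entry.split("=", 1)[1].split(","):
                if item == "SHSTK":
                    enabled = True
                elif item == "-SHSTK":
                    enabled = False
    return enabled

def kernel_version(release: str) -> tuple:
    """'6.8.0-45-generic' -> (6, 8)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def cet_report(cpuinfo: str, status: str, release: str, glibc_tunables: str) -> dict:
    """One verdict per layer the post lists: CPU, kernel, glibc tunable, process."""
    flags = parse_cpuinfo_flags(cpuinfo)
    return {
        "cpu_shstk": "shstk" in flags,
        "cpu_ibt": "ibt" in flags,
        "kernel_user_shstk": "user_shstk" in flags and kernel_version(release) >= (6, 6),
        "glibc_tunable_shstk": tunable_enables_shstk(glibc_tunables),
        "process_shstk_active": "shstk" in parse_thread_features(status),
    }

def cet_report_for_this_process() -> dict:
    """Evaluate the running interpreter; run it with and without the tunable set."""
    with open("/proc/cpuinfo") as f, open("/proc/self/status") as g:
        return cet_report(f.read(), g.read(), platform.release(),
                          os.environ.get("GLIBC_TUNABLES", ""))

# Constructed samples (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 ibt shstk user_shstk\n"
SAMPLE_STATUS_ACTIVE = "Name:\tpython3\nx86_Thread_features:\tshstk\nx86_Thread_features_locked:\t\n"
SAMPLE_STATUS_INACTIVE = "Name:\tpython3\nx86_Thread_features:\t\nx86_Thread_features_locked:\t\n"

if __name__ == "__main__":
    for layer, ok in cet_report_for_this_process().items():
        print(f"{layer:24} {'yes' if ok else 'no'}")
```

The useful comparison is to run the script twice, once with `GLIBC_TUNABLES` unset and once with it exported as shown above: on a system meeting all the other criteria, `process_shstk_active` should flip from `no` to `yes`, while the CPU and kernel lines stay the same. If `process_shstk_active` stays `no` even with the tunable set, the interpreter or one of its libraries is most likely missing the property note, which is what the previous check finds.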
Windows
Windows does not implement the IBT protection; instead it continues with the similar Control Flow Guard (CFG). Windows still features SHSTK. We do not comment here on KCET, the kernel implementation of CET, but only on its userspace variant.
Your Windows system must equally meet all the following criteria to run a program with CET enabled.
Processor support
Kernel support
Windows has supported it since W10 19H1 (v1903).
Compiler support
Your compiler must support the new CET flag:
| | Version |
|---|---|
| MSVC | 16.7 onwards |
Application support
The application must opt in by being compiled with Intel CET support via the ‘/CETCOMPAT’ flag.
Runtime support
As far as I know, Windows does not impose any additional runtime checks and uses CET for any process meeting the prior criteria. However, my testing was more limited on this OS than on Linux, so please feel free to get in contact if you find some other requirement.
This work is licensed under a Creative Commons Attribution 4.0 International License.