diff --git a/CONFIG b/CONFIG
index 2d82e27bb..aafb4d4ab 100644
--- a/CONFIG
+++ b/CONFIG
@@ -76,6 +76,9 @@ CONFIG_UNIT_TESTS=y
 # Build examples
 CONFIG_EXAMPLES=y
 
+# Build with Control-flow Enforcement Technology (CET)
+CONFIG_CET=n
+
 # Directory that contains the desired SPDK environment library.
 # By default, this is implemented using DPDK.
 CONFIG_ENV=
diff --git a/configure b/configure
index 3bd19fcd9..6a20d2404 100755
--- a/configure
+++ b/configure
@@ -32,6 +32,7 @@ function usage()
 	echo " --enable-lto              Enable link-time optimization"
 	echo " --enable-pgo-capture      Enable generation of profile guided optimization data"
 	echo " --enable-pgo-use          Use previously captured profile guided optimization data"
+	echo " --enable-cet              Enable Intel Control-flow Enforcement Technology (CET)"
 	echo " --disable-tests           Disable building of functional tests"
 	echo " --disable-unit-tests      Disable building of unit tests"
 	echo " --disable-examples        Disable building of examples"
@@ -267,6 +268,12 @@ for i in "$@"; do
 		--disable-werror)
 			CONFIG[WERROR]=n
 			;;
+		--enable-cet)
+			CONFIG[CET]=y
+			;;
+		--disable-cet)
+			CONFIG[CET]=n
+			;;
 		--with-dpdk=*)
 			check_dir "$i"
 			CONFIG[DPDK_DIR]=$(readlink -f ${i#*=})
@@ -810,6 +817,14 @@ if [[ "${CONFIG[FUSE]}" = "y" ]]; then
 	fi
 fi
 
+if [ "${CONFIG[CET]}" = "y" ]; then
+	if ! echo -e 'int main(void) { return 0; }\n' | ${BUILD_CMD[@]} -fcf-protection - 2>/dev/null; then
+		echo --enable-cet requires compiler/linker that supports CET.
+		echo Please install then re-run this script.
+		exit 1
+	fi
+fi
+
 # We are now ready to generate final configuration. But first do sanity
 # check to see if all keys in CONFIG array have its reflection in CONFIG file.
 if [ $(egrep -c "^\s*CONFIG_[[:alnum:]_]+=" $rootdir/CONFIG) -ne ${#CONFIG[@]} ]; then
diff --git a/dpdkbuild/Makefile b/dpdkbuild/Makefile
index 78a52bf1e..e18536e56 100644
--- a/dpdkbuild/Makefile
+++ b/dpdkbuild/Makefile
@@ -88,6 +88,11 @@ else
 DPDK_CFLAGS += -Wno-error
 endif
 
+ifeq ($(CONFIG_CET),y)
+DPDK_CFLAGS += -fcf-protection
+DPDK_LDFLAGS += -fcf-protection
+endif
+
 ifdef EXTRA_DPDK_CFLAGS
 $(warning EXTRA_DPDK_CFLAGS defined, possibly to work around an unsupported compiler version)
 $(shell sleep 1)
diff --git a/mk/spdk.common.mk b/mk/spdk.common.mk
index f43f3f693..f3fe5c248 100644
--- a/mk/spdk.common.mk
+++ b/mk/spdk.common.mk
@@ -107,6 +107,11 @@ COMMON_CFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
 LDFLAGS += -fprofile-use=$(SPDK_ROOT_DIR)/build/pgo
 endif
 
+ifeq ($(CONFIG_CET),y)
+COMMON_CFLAGS += -fcf-protection
+LDFLAGS += -fcf-protection
+endif
+
 COMMON_CFLAGS += -Wformat -Wformat-security
 
 COMMON_CFLAGS += -D_GNU_SOURCE