Intel finally published a whitepaper about Spectre #2 Mitigation. The PDF is also featured on Hacker News. It’s a technical whitepaper, but you can see the footprints of lawyers all over the language.
CET introduces a shadow stack for return addresses only, and will fail your code into an exception if the normal stack return address and the shadow stack address disagree. Trying to touch and manipulate the shadow stack will also fail into an exception. That is, CET makes touching a return address on the stack toxic by having in effect separate argument and return address stacks, and your code explodes every time you try to do something funny with return addresses.
Which is what Retpolines depend on.