Message ID | 20200918192312.25978-2-yu-cheng.yu@intel.com
---|---
State | New, archived
Series | Control-flow Enforcement: Indirect Branch Tracking
Hi, If you do another version of this: On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > oriented programming attacks. It is active when the kernel has this > feature enabled, and the processor and the application support it. > When this feature is enabled, legacy non-IBT applications continue to > work, but without IBT protection. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > --- > v10: > - Change build-time CET check to config depends on. > > arch/x86/Kconfig | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 6b6dad011763..b047e0a8d1c2 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > If unsure, say y. > > +config X86_INTEL_BRANCH_TRACKING_USER > + prompt "Intel Indirect Branch Tracking for user-mode" > + def_bool n > + depends on CPU_SUP_INTEL && X86_64 > + depends on $(cc-option,-fcf-protection) > + select X86_INTEL_CET > + help > + Indirect Branch Tracking (IBT) provides protection against > + CALL-/JMP-oriented programming attacks. It is active when > + the kernel has this feature enabled, and the processor and > + the application support it. When this feature is enabled, > + legacy non-IBT applications continue to work, but without > + IBT protection. > + > + If unsure, say y If unsure, say y. > + > config EFI > bool "EFI runtime service support" > depends on ACPI >
On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: > Hi, > > If you do another version of this: > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > > oriented programming attacks. It is active when the kernel has this > > feature enabled, and the processor and the application support it. > > When this feature is enabled, legacy non-IBT applications continue to > > work, but without IBT protection. > > > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > --- > > v10: > > - Change build-time CET check to config depends on. > > > > arch/x86/Kconfig | 16 ++++++++++++++++ > > 1 file changed, 16 insertions(+) > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > index 6b6dad011763..b047e0a8d1c2 100644 > > --- a/arch/x86/Kconfig > > +++ b/arch/x86/Kconfig > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > > > If unsure, say y. > > > > +config X86_INTEL_BRANCH_TRACKING_USER > > + prompt "Intel Indirect Branch Tracking for user-mode" > > + def_bool n > > + depends on CPU_SUP_INTEL && X86_64 > > + depends on $(cc-option,-fcf-protection) > > + select X86_INTEL_CET > > + help > > + Indirect Branch Tracking (IBT) provides protection against > > + CALL-/JMP-oriented programming attacks. It is active when > > + the kernel has this feature enabled, and the processor and > > + the application support it. When this feature is enabled, > > + legacy non-IBT applications continue to work, but without > > + IBT protection. > > + > > + If unsure, say y > > If unsure, say y. Actually, it would be "If unsure, say Y.", to be consistent with the rest of the Kconfig. But I wonder if Yes by default is good idea. Only very new CPUs will support this, right? Are they even available at the market? Should the help text say "if your CPU is Whatever Lake or newer, ...." :-) ? Best regards, Pavel
On Fri, Sep 18, 2020 at 1:59 PM Pavel Machek <pavel@ucw.cz> wrote: > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: > > Hi, > > > > If you do another version of this: > > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > > > oriented programming attacks. It is active when the kernel has this > > > feature enabled, and the processor and the application support it. > > > When this feature is enabled, legacy non-IBT applications continue to > > > work, but without IBT protection. > > > > > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > --- > > > v10: > > > - Change build-time CET check to config depends on. > > > > > > arch/x86/Kconfig | 16 ++++++++++++++++ > > > 1 file changed, 16 insertions(+) > > > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > > index 6b6dad011763..b047e0a8d1c2 100644 > > > --- a/arch/x86/Kconfig > > > +++ b/arch/x86/Kconfig 
> > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > > > > > If unsure, say y. > > > > > > +config X86_INTEL_BRANCH_TRACKING_USER > > > + prompt "Intel Indirect Branch Tracking for user-mode" > > > + def_bool n > > > + depends on CPU_SUP_INTEL && X86_64 > > > + depends on $(cc-option,-fcf-protection) > > > + select X86_INTEL_CET > > > + help > > > + Indirect Branch Tracking (IBT) provides protection against > > > + CALL-/JMP-oriented programming attacks. It is active when > > > + the kernel has this feature enabled, and the processor and > > > + the application support it. When this feature is enabled, > > > + legacy non-IBT applications continue to work, but without > > > + IBT protection. > > > + > > > + If unsure, say y > > > > If unsure, say y. > > Actually, it would be "If unsure, say Y.", to be consistent with the > rest of the Kconfig. > > But I wonder if Yes by default is good idea. Only very new CPUs will > support this, right? Are they even available at the market? Should the > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > CET enabled kernel runs on all x86-64 processors. All my machines are running the same CET enabled kernel binary.
Hi! > > > > + help > > > > + Indirect Branch Tracking (IBT) provides protection against > > > > + CALL-/JMP-oriented programming attacks. It is active when > > > > + the kernel has this feature enabled, and the processor and > > > > + the application support it. When this feature is enabled, > > > > + legacy non-IBT applications continue to work, but without > > > > + IBT protection. > > > > + > > > > + If unsure, say y > > > > > > If unsure, say y. > > > > Actually, it would be "If unsure, say Y.", to be consistent with the > > rest of the Kconfig. > > > > But I wonder if Yes by default is good idea. Only very new CPUs will > > support this, right? Are they even available at the market? Should the > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > > > > CET enabled kernel runs on all x86-64 processors. All my machines > are running the same CET enabled kernel binary. I believe that. But enabling CET in kernel is useless on Core 2 Duo machine, right? Pavel
On 9/18/2020 1:59 PM, Pavel Machek wrote: > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: >> Hi, >> >> If you do another version of this: >> >> On 9/18/20 12:23 PM, Yu-cheng Yu wrote: >>> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. >>> >>> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- >>> oriented programming attacks. It is active when the kernel has this >>> feature enabled, and the processor and the application support it. >>> When this feature is enabled, legacy non-IBT applications continue to >>> work, but without IBT protection. >>> >>> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> >>> --- >>> v10: >>> - Change build-time CET check to config depends on. >>> >>> arch/x86/Kconfig | 16 ++++++++++++++++ >>> 1 file changed, 16 insertions(+) >>> >>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig >>> index 6b6dad011763..b047e0a8d1c2 100644 >>> --- a/arch/x86/Kconfig >>> +++ b/arch/x86/Kconfig 
>>> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER >>> >>> If unsure, say y. >>> >>> +config X86_INTEL_BRANCH_TRACKING_USER >>> + prompt "Intel Indirect Branch Tracking for user-mode" >>> + def_bool n >>> + depends on CPU_SUP_INTEL && X86_64 >>> + depends on $(cc-option,-fcf-protection) >>> + select X86_INTEL_CET >>> + help >>> + Indirect Branch Tracking (IBT) provides protection against >>> + CALL-/JMP-oriented programming attacks. It is active when >>> + the kernel has this feature enabled, and the processor and >>> + the application support it. When this feature is enabled, >>> + legacy non-IBT applications continue to work, but without >>> + IBT protection. >>> + >>> + If unsure, say y >> >> If unsure, say y. > > Actually, it would be "If unsure, say Y.", to be consistent with the > rest of the Kconfig. > > But I wonder if Yes by default is good idea. Only very new CPUs will > support this, right? Are they even available at the market? Should the > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? I will revise the wording if there is another version. But a CET-capable kernel can run on legacy systems. We have been testing that combination. Yu-cheng
On Fri, Sep 18, 2020 at 2:24 PM Pavel Machek <pavel@ucw.cz> wrote: > > Hi! > > > > > > + help > > > > > + Indirect Branch Tracking (IBT) provides protection against > > > > > + CALL-/JMP-oriented programming attacks. It is active when > > > > > + the kernel has this feature enabled, and the processor and > > > > > + the application support it. When this feature is enabled, > > > > > + legacy non-IBT applications continue to work, but without > > > > > + IBT protection. > > > > > + > > > > > + If unsure, say y > > > > > > > > If unsure, say y. > > > > > > Actually, it would be "If unsure, say Y.", to be consistent with the > > > rest of the Kconfig. > > > > > > But I wonder if Yes by default is good idea. Only very new CPUs will > > > support this, right? Are they even available at the market? Should the > > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > > > > > > > CET enabled kernel runs on all x86-64 processors. All my machines > > are running the same CET enabled kernel binary. > > I believe that. > > But enabling CET in kernel is useless on Core 2 Duo machine, right? > This is very important for CET kernel to run on Core 2 Duo machine. Otherwise, a distro needs to provide 2 kernel binaries, one for CET CPU and one for non-CET CPU.
On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote: > On 9/18/2020 1:59 PM, Pavel Machek wrote: > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: > > > Hi, > > > > > > If you do another version of this: > > > > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > > > > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > > > > oriented programming attacks. It is active when the kernel has this > > > > feature enabled, and the processor and the application support it. > > > > When this feature is enabled, legacy non-IBT applications continue to > > > > work, but without IBT protection. > > > > > > > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > --- > > > > v10: > > > > - Change build-time CET check to config depends on. > > > > > > > > arch/x86/Kconfig | 16 ++++++++++++++++ > > > > 1 file changed, 16 insertions(+) > > > > > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > > > index 6b6dad011763..b047e0a8d1c2 100644 > > > > --- a/arch/x86/Kconfig > > > > +++ b/arch/x86/Kconfig 
> > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > > > If unsure, say y. > > > > +config X86_INTEL_BRANCH_TRACKING_USER > > > > + prompt "Intel Indirect Branch Tracking for user-mode" > > > > + def_bool n > > > > + depends on CPU_SUP_INTEL && X86_64 > > > > + depends on $(cc-option,-fcf-protection) > > > > + select X86_INTEL_CET > > > > + help > > > > + Indirect Branch Tracking (IBT) provides protection against > > > > + CALL-/JMP-oriented programming attacks. It is active when > > > > + the kernel has this feature enabled, and the processor and > > > > + the application support it. When this feature is enabled, > > > > + legacy non-IBT applications continue to work, but without > > > > + IBT protection. > > > > + > > > > + If unsure, say y > > > > > > If unsure, say y. > > > > Actually, it would be "If unsure, say Y.", to be consistent with the > > rest of the Kconfig. > > > > But I wonder if Yes by default is good idea. Only very new CPUs will > > support this, right? Are they even available at the market? Should the > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > > I will revise the wording if there is another version. But a CET-capable > kernel can run on legacy systems. We have been testing that combination. Yes, but enabling CET is unnecessary overhead on older systems. And Kconfig is great place to explain that. Best regards, Pavel
On Fri, Sep 18, 2020 at 2:40 PM Pavel Machek <pavel@ucw.cz> wrote: > > On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote: > > On 9/18/2020 1:59 PM, Pavel Machek wrote: > > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: > > > > Hi, > > > > > > > > If you do another version of this: > > > > > > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > > > > > > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > > > > > oriented programming attacks. It is active when the kernel has this > > > > > feature enabled, and the processor and the application support it. > > > > > When this feature is enabled, legacy non-IBT applications continue to > > > > > work, but without IBT protection. > > > > > > > > > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > > --- > > > > > v10: > > > > > - Change build-time CET check to config depends on. > > > > > > > > > > arch/x86/Kconfig | 16 ++++++++++++++++ > > > > > 1 file changed, 16 insertions(+) > > > > > > > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > > > > index 6b6dad011763..b047e0a8d1c2 100644 > > > > > --- a/arch/x86/Kconfig > > > > > +++ b/arch/x86/Kconfig 
> > > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > > > > If unsure, say y. > > > > > +config X86_INTEL_BRANCH_TRACKING_USER > > > > > + prompt "Intel Indirect Branch Tracking for user-mode" > > > > > + def_bool n > > > > > + depends on CPU_SUP_INTEL && X86_64 > > > > > + depends on $(cc-option,-fcf-protection) > > > > > + select X86_INTEL_CET > > > > > + help > > > > > + Indirect Branch Tracking (IBT) provides protection against > > > > > + CALL-/JMP-oriented programming attacks. It is active when > > > > > + the kernel has this feature enabled, and the processor and > > > > > + the application support it. When this feature is enabled, > > > > > + legacy non-IBT applications continue to work, but without > > > > > + IBT protection. > > > > > + > > > > > + If unsure, say y > > > > > > > > If unsure, say y. > > > > > > Actually, it would be "If unsure, say Y.", to be consistent with the > > > rest of the Kconfig. > > > > > > But I wonder if Yes by default is good idea. Only very new CPUs will > > > support this, right? Are they even available at the market? Should the > > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > > > > I will revise the wording if there is another version. But a CET-capable > > kernel can run on legacy systems. We have been testing that combination. > > Yes, but enabling CET is unnecessary overhead on older systems. And > Kconfig is great place to explain that. > I can't tell any visible CET kernel overhead on my non-CET machines.
On Fri 2020-09-18 14:46:12, H.J. Lu wrote: > On Fri, Sep 18, 2020 at 2:40 PM Pavel Machek <pavel@ucw.cz> wrote: > > > > On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote: > > > On 9/18/2020 1:59 PM, Pavel Machek wrote: > > > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: > > > > > Hi, > > > > > > > > > > If you do another version of this: > > > > > > > > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. > > > > > > > > > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- > > > > > > oriented programming attacks. It is active when the kernel has this > > > > > > feature enabled, and the processor and the application support it. > > > > > > When this feature is enabled, legacy non-IBT applications continue to > > > > > > work, but without IBT protection. > > > > > > > > > > > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > > > --- > > > > > > v10: > > > > > > - Change build-time CET check to config depends on. > > > > > > > > > > > > arch/x86/Kconfig | 16 ++++++++++++++++ > > > > > > 1 file changed, 16 insertions(+) > > > > > > > > > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > > > > > index 6b6dad011763..b047e0a8d1c2 100644 > > > > > > --- a/arch/x86/Kconfig > > > > > > +++ b/arch/x86/Kconfig 
> > > > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER > > > > > > If unsure, say y. > > > > > > +config X86_INTEL_BRANCH_TRACKING_USER > > > > > > + prompt "Intel Indirect Branch Tracking for user-mode" > > > > > > + def_bool n > > > > > > + depends on CPU_SUP_INTEL && X86_64 > > > > > > + depends on $(cc-option,-fcf-protection) > > > > > > + select X86_INTEL_CET > > > > > > + help > > > > > > + Indirect Branch Tracking (IBT) provides protection against > > > > > > + CALL-/JMP-oriented programming attacks. It is active when > > > > > > + the kernel has this feature enabled, and the processor and > > > > > > + the application support it. When this feature is enabled, > > > > > > + legacy non-IBT applications continue to work, but without > > > > > > + IBT protection. > > > > > > + > > > > > > + If unsure, say y > > > > > > > > > > If unsure, say y. > > > > > > > > Actually, it would be "If unsure, say Y.", to be consistent with the > > > > rest of the Kconfig. > > > > > > > > But I wonder if Yes by default is good idea. Only very new CPUs will > > > > support this, right? Are they even available at the market? Should the > > > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ? > > > > > > I will revise the wording if there is another version. But a CET-capable > > > kernel can run on legacy systems. We have been testing that combination. > > > > Yes, but enabling CET is unnecessary overhead on older systems. And > > Kconfig is great place to explain that. > > > > I can't tell any visible CET kernel overhead on my non-CET machines. I assume you are not a troll but you sound a bit like one. Please list kernel size before and after enabling X86_INTEL_CET option(s). That's the overhead I'm talking about, and that's why Kconfig should explain what machines this is useful on. Best regards, Pavel
On 9/18/2020 2:40 PM, Pavel Machek wrote: > On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote: >> On 9/18/2020 1:59 PM, Pavel Machek wrote: >>> On Fri 2020-09-18 13:24:13, Randy Dunlap wrote: >>>> Hi, >>>> >>>> If you do another version of this: >>>> >>>> On 9/18/20 12:23 PM, Yu-cheng Yu wrote: >>>>> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. >>>>> >>>>> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- >>>>> oriented programming attacks. It is active when the kernel has this >>>>> feature enabled, and the processor and the application support it. >>>>> When this feature is enabled, legacy non-IBT applications continue to >>>>> work, but without IBT protection. >>>>> >>>>> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> >>>>> --- >>>>> v10: >>>>> - Change build-time CET check to config depends on. >>>>> >>>>> arch/x86/Kconfig | 16 ++++++++++++++++ >>>>> 1 file changed, 16 insertions(+) >>>>> >>>>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig >>>>> index 6b6dad011763..b047e0a8d1c2 100644 >>>>> --- a/arch/x86/Kconfig >>>>> +++ b/arch/x86/Kconfig 
>>>>> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER >>>>> If unsure, say y. >>>>> +config X86_INTEL_BRANCH_TRACKING_USER >>>>> + prompt "Intel Indirect Branch Tracking for user-mode" >>>>> + def_bool n >>>>> + depends on CPU_SUP_INTEL && X86_64 >>>>> + depends on $(cc-option,-fcf-protection) >>>>> + select X86_INTEL_CET >>>>> + help >>>>> + Indirect Branch Tracking (IBT) provides protection against >>>>> + CALL-/JMP-oriented programming attacks. It is active when >>>>> + the kernel has this feature enabled, and the processor and >>>>> + the application support it. When this feature is enabled, >>>>> + legacy non-IBT applications continue to work, but without >>>>> + IBT protection. >>>>> + >>>>> + If unsure, say y >>>> >>>> If unsure, say y. >>> >>> Actually, it would be "If unsure, say Y.", to be consistent with the >>> rest of the Kconfig. >>> >>> But I wonder if Yes by default is good idea. Only very new CPUs will >>> support this, right? Are they even available at the market? Should the >>> help text say "if your CPU is Whatever Lake or newer, ...." :-) ? >> >> I will revise the wording if there is another version. But a CET-capable >> kernel can run on legacy systems. We have been testing that combination. > > Yes, but enabling CET is unneccessary overhead on older systems. And > Kconfig is great place to explain that. Maybe I'll add: If the kernel is to be used only on older systems that do not support IBT, and the size of the binary is important, you can save 900 KB by disabling this feature. Otherwise, if unsure, say Y. How is that? Thanks, Yu-cheng
On 9/21/20 3:30 PM, Yu, Yu-cheng wrote: > +config X86_INTEL_BRANCH_TRACKING_USER > + prompt "Intel Indirect Branch Tracking for user-mode" Take the "Intel " and "INTEL_" out, please. It will only cause us all pain later if some of our x86 compatriots decide to implement this. > If the kernel is to be used only on older systems that do not support > IBT, and the size of the binary is important, you can save 900 KB by > disabling this feature. > > Otherwise, if unsure, say Y. 900k seems like a *lot*. Where the heck does that come from? Also, comments like that don't age very well. Consider: Support for this feature is only known to be present on Intel processors released in 2020 or later. This feature is also known to increase kernel text size substantially. If unsure, say N. The 900KB is probably wrong today in a lot of configurations, and will only get *more* wrong over time.
On 9/21/2020 3:41 PM, Dave Hansen wrote: > On 9/21/20 3:30 PM, Yu, Yu-cheng wrote: >> +config X86_INTEL_BRANCH_TRACKING_USER >> + prompt "Intel Indirect Branch Tracking for user-mode" > > Take the "Intel " and "INTEL_" out, please. It will only cause us all > pain later if some of our x86 compatriots decide to implement this. > >> If the kernel is to be used only on older systems that do not support >> IBT, and the size of the binary is important, you can save 900 KB by >> disabling this feature. >> >> Otherwise, if unsure, say Y. > > 900k seems like a *lot*. Where the heck does that come from? > > Also, comments like that don't age very well. Consider: > > Support for this feature is only known to be present on Intel > processors released in 2020 or later. This feature is also > known to increase kernel text size substantially. > > If unsure, say N. > Thanks! > The 900KB is probably wrong today in a lot of configurations, and will > only get *more* wrong over time. > I was talking about the vmlinux file, and probably should have said bzImage size, which has 14 KB increase when CET is enabled. Yu-cheng
Hi! > > +config X86_INTEL_BRANCH_TRACKING_USER > > + prompt "Intel Indirect Branch Tracking for user-mode" > > Take the "Intel " and "INTEL_" out, please. It will only cause us all > pain later if some of our x86 compatriots decide to implement this. Are other x86 manufacturers legally allowed to implement that? > > If the kernel is to be used only on older systems that do not support > > IBT, and the size of the binary is important, you can save 900 KB by > > disabling this feature. > > > > Otherwise, if unsure, say Y. > > 900k seems like a *lot*. Where the heck does that come from? > > Also, comments like that don't age very well. Consider: > > Support for this feature is only known to be present on Intel > processors released in 2020 or later. This feature is also > known to increase kernel text size substantially. > > If unsure, say N. That is much better, thanks. Pavel
On 9/21/20 3:47 PM, Yu, Yu-cheng wrote: >> The 900KB is probably wrong today in a lot of configurations, and will >> only get *more* wrong over time. > > I was talking about the vmlinux file, and probably should have said > bzImage size, which has 14 KB increase when CET is enabled. Well, vmlinux size is important too. 1 page of vmlinux size means one fewer page of memory available for real use. I would really encourage you when you write to try to be specific and use as much plain language as possible without being verbose. Most people understand things like "this feature increases kernel text size". I wouldn't expect most folks who can type "make oldconfig; make install" to understand the difference between vmlinux and bzImage.
On 9/21/20 3:52 PM, Pavel Machek wrote: >>> +config X86_INTEL_BRANCH_TRACKING_USER >>> + prompt "Intel Indirect Branch Tracking for user-mode" >> Take the "Intel " and "INTEL_" out, please. It will only cause us all >> pain later if some of our x86 compatriots decide to implement this. > Are other x86 manufacturers legally allowed to implement that? I don't know and frankly don't want to know. We've seen AMD and Intel both implement plenty of features from the other. Protection Keys for Userspace is the most recent example. Unless there's evidence to the contrary, I think the best thing for the kernel is to assume that any feature can show up on any vendor's CPU.
On 9/21/2020 3:54 PM, Dave Hansen wrote: > On 9/21/20 3:47 PM, Yu, Yu-cheng wrote: >>> The 900KB is probably wrong today in a lot of configurations, and will >>> only get *more* wrong over time. >> >> I was talking about the vmlinux file, and probably should have said >> bzImage size, which has 14 KB increase when CET is enabled. > > Well, vmlinux size is important too. 1 page of vmlinux size means one > fewer page of memory available for real use. > > I would really encourage you when you write to try to be specific and > use as much plain language as possible without being verbose. Most > people understand things like "this feature increases kernel text size". > I wouldn't expect most folks who can type "make oldconfig; make > install" to understand the difference between vmlinux and bzImage. > Ok, thanks! Yu-cheng
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 6b6dad011763..b047e0a8d1c2 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER If unsure, say y. +config X86_INTEL_BRANCH_TRACKING_USER + prompt "Intel Indirect Branch Tracking for user-mode" + def_bool n + depends on CPU_SUP_INTEL && X86_64 + depends on $(cc-option,-fcf-protection) + select X86_INTEL_CET + help + Indirect Branch Tracking (IBT) provides protection against + CALL-/JMP-oriented programming attacks. It is active when + the kernel has this feature enabled, and the processor and + the application support it. When this feature is enabled, + legacy non-IBT applications continue to work, but without + IBT protection. + + If unsure, say y + config EFI bool "EFI runtime service support" depends on ACPI
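Review bot: the help text in this hunk ends with `+ If unsure, say y` while the option is declared `+ def_bool n` a few lines earlier, so the recommendation contradicts the default, and the line also lacks the period that the `If unsure, say y.` context line of X86_INTEL_SHADOW_STACK_USER carries; make the two agree, and as the thread settles on, prefer "If unsure, say N." plus a sentence saying the feature is only present on recent processors and increases kernel text size, rather than a KB figure that will go stale. Second point: `+config X86_INTEL_BRANCH_TRACKING_USER` and the prompt "Intel Indirect Branch Tracking for user-mode" bake a vendor name into an architectural feature that another x86 vendor may implement, so dropping the `INTEL_`/"Intel " prefix now avoids a rename later.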
Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.

Indirect Branch Tracking (IBT) provides protection against
CALL-/JMP-oriented programming attacks. It is active when the kernel
has this feature enabled, and the processor and the application
support it. When this feature is enabled, legacy non-IBT applications
continue to work, but without IBT protection.

Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
---
v10:
- Change build-time CET check to config depends on.

 arch/x86/Kconfig | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
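The help text says IBT is active only when "the application support[s] it"; what records that support is the .note.gnu.property section that -fcf-protection builds carry (a GNU_PROPERTY_X86_FEATURE_1_AND bitmask with IBT in bit 0 and SHSTK in bit 1), which the user-space dynamic loader consults before asking the kernel to enable CET for a process. The checker below is an added example, not code from this patch series or the kernel tree; it assumes little-endian ELF64 input and constructs its sample notes inline.

```python
"""Report whether an ELF object is marked for IBT / shadow stack (added example,
not code from the patch or the kernel tree; ELF64 little-endian only)."""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                    # note type that carries GNU properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002   # bitmask ANDed across all input objects
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0       # every indirect-branch target starts with endbr
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1     # shadow-stack compatible


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, elfclass64=True):
    """Return {pr_type: pr_data} from raw .note.gnu.property bytes (Elf_Nhdr,
    the name GNU, then the descriptor); properties pad to 8 bytes on ELF64, 4 on ELF32."""
    if len(note) < 12:
        raise ValueError("note header truncated")
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        raise ValueError("not an NT_GNU_PROPERTY_TYPE_0 note")
    desc_off = 12 + _align(namesz, 4)
    desc = note[desc_off:desc_off + descsz]
    if len(desc) != descsz:
        raise ValueError("descriptor truncated")
    align, props, off = (8 if elfclass64 else 4), {}, 0
    while off < len(desc):
        if off + 8 > len(desc):
            raise ValueError("property header truncated")
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        data = desc[off + 8:off + 8 + pr_datasz]
        if len(data) != pr_datasz:
            raise ValueError("property data truncated")
        props[pr_type] = data
        off += 8 + _align(pr_datasz, align)
    return props


def cet_marks(note, elfclass64=True):
    """Decode GNU_PROPERTY_X86_FEATURE_1_AND into {"ibt": bool, "shstk": bool}."""
    data = parse_gnu_property_note(note, elfclass64).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if data is not None and len(data) != 4:
        raise ValueError("FEATURE_1_AND must be a 4-byte bitmask")
    # No property at all means a legacy object: it still runs, but without IBT/SHSTK.
    flags = struct.unpack("<I", data)[0] if data is not None else 0
    return {"ibt": bool(flags & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(flags & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def build_property_note(pr_type, pr_data, elfclass64=True):
    """Constructed sample: a note holding one property, laid out as ld emits it."""
    align = 8 if elfclass64 else 4
    prop = struct.pack("<II", pr_type, len(pr_data)) + pr_data
    prop += b"\0" * (_align(len(prop), align) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def read_gnu_property_note(path):
    """Return the raw .note.gnu.property section of an ELF64 file, or None if absent."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    def shdr(i):  # (sh_name, sh_offset, sh_size) of section header i
        base = e_shoff + i * e_shentsize
        sh_name = struct.unpack_from("<I", elf, base)[0]
        return (sh_name,) + struct.unpack_from("<QQ", elf, base + 0x18)
    strtab = shdr(e_shstrndx)[1]  # file offset of the section-name string table
    for i in range(e_shnum):
        sh_name, off, size = shdr(i)
        if elf[strtab + sh_name:elf.index(b"\0", strtab + sh_name)] == b".note.gnu.property":
            return elf[off:off + size]
    return None


if __name__ == "__main__":
    for path in sys.argv[1:]:
        note = read_gnu_property_note(path)
        marks = cet_marks(note) if note else {"ibt": False, "shstk": False}
        print(f"{path}: IBT={marks['ibt']} SHSTK={marks['shstk']}")
```

Run it over the binaries of a system to see which ones the kernel's IBT enforcement will actually cover; an object without the property, or with bit 0 clear, is exactly the "legacy non-IBT application" the help text says keeps running unprotected.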