x86/Kconfig: Enable kernel IBT by default

Message ID 20220902234213.3034396-1-keescook@chromium.org (mailing list archive)
State New, archived
Series x86/Kconfig: Enable kernel IBT by default

Commit Message

Kees Cook Sept. 2, 2022, 11:42 p.m. UTC
This security defense is runtime enabled via CPU ID, so build it in by
default. It will be enabled if the CPU supports it. The build takes
2 seconds longer, which seems a small price to pay for gaining this
coverage by default.

Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Suggested-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f9920f1341c8..b48fd28cba4a 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1837,7 +1837,7 @@  config CC_HAS_IBT
 
 config X86_KERNEL_IBT
 	prompt "Indirect Branch Tracking"
-	bool
+	def_bool y
 	depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
 	# https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
 	depends on !LD_IS_LLD || LLD_VERSION >= 140000
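
Review bot: at the `+	def_bool y` line, the new default sits on an option that still has a `prompt`, so it only applies to configurations with no recorded answer for X86_KERNEL_IBT; a .config that already says the option is not set stays off, and the commit message should say so, since "by default" reads as if every build gains the coverage. The same holds for the three `depends on` lines that follow: a toolchain that fails CC_HAS_IBT or the LLD version check silently drops the option even with the default flipped, which is worth a sentence as well. On style, `def_bool y` is equivalent to keeping `bool` and adding a `default y` line, and the latter would make this a one-line addition that reads more plainly next to the separate `prompt` line. The option's help text is outside this hunk, so please check that it does not still describe the feature as opt-in.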