Message ID | 20221101172503.gonna.094-kees@kernel.org (mailing list archive) |
---|---|
State | Mainlined |
Commit | 4fd5f70ce14da230c6a29648c3d51a48ee0b4bfd |
Headers | show |
Series | [v2] x86/Kconfig: Enable kernel IBT by default | expand |
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 67745ceab0db..35d251ba0709 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1854,7 +1854,7 @@ config CC_HAS_IBT config X86_KERNEL_IBT prompt "Indirect Branch Tracking" - bool + def_bool y depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f depends on !LD_IS_LLD || LLD_VERSION >= 140000
The kernel IBT defense strongly mitigates the common "first step" of ROP attacks, by eliminating arbitrary stack pivots (that appear either at the end of a function or in immediate values), which cannot be reached if indirect calls must be to marked function entry addresses. IBT is also required to be enabled to gain the FineIBT feature when built with Kernel Control Flow Integrity. Additionally, given that this feature is runtime enabled via CPU ID, it clearly should be built in by default; it will only be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default. Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@zytor.com> Suggested-by: Sami Tolvanen <samitolvanen@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> --- v2: update commit log with more details v1: https://lore.kernel.org/lkml/20220902234213.3034396-1-keescook@chromium.org/ --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)