Message ID | 20210203225902.479-2-yu-cheng.yu@intel.com (mailing list archive) |
---|---|
State | New, archived |
Series | Control-flow Enforcement: Indirect Branch Tracking |
On Wed, Feb 03, 2021 at 02:58:56PM -0800, Yu-cheng Yu wrote:
> Indirect branch tracking is a hardware security feature that verifies near
> indirect call/jump instructions arrive at intended targets, which are
> labeled by the compiler with ENDBR opcodes. If such instructions reach
> unlabeled locations, the processor raises control-protection faults.
>
> Check the compiler is up-to-date at config time.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>

Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 4628d4dadd34..63b878c4e4c6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1962,6 +1962,7 @@ config X86_CET def_bool n depends on X86_64 depends on AS_WRUSS + depends on $(cc-option,-fcf-protection) select ARCH_USES_HIGH_VMA_FLAGS select ARCH_HAS_SHADOW_STACK select ARCH_MAYBE_MKWRITE
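Review bot: the added "depends on $(cc-option,-fcf-protection)" sits on X86_CET, which also selects ARCH_HAS_SHADOW_STACK, so a compiler that lacks the option disables the whole CET config, shadow stack included, while the changelog motivates the check only by indirect branch tracking and ENDBR labeling. Either say in the commit message that shadow stack is meant to depend on this compiler option as well, or put the dependency on an IBT-specific symbol so the existing "depends on AS_WRUSS" gate keeps governing shadow stack on its own. "Check the compiler is up-to-date" would also read better if it named what is actually probed, that is, whether the compiler accepts -fcf-protection.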
Indirect branch tracking is a hardware security feature that verifies near
indirect call/jump instructions arrive at intended targets, which are
labeled by the compiler with ENDBR opcodes. If such instructions reach
unlabeled locations, the processor raises control-protection faults.

Check the compiler is up-to-date at config time.

Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
---
 arch/x86/Kconfig | 1 +
 1 file changed, 1 insertion(+)