@@ -1969,6 +1969,26 @@ config X86_SHADOW_STACK
If unsure, say N.
+config X86_IBT
+ prompt "Intel Indirect Branch Tracking"
+ def_bool n
+ depends on X86_64
+ depends on $(cc-option,-fcf-protection)
+ select X86_CET
+ help
+ Indirect Branch Tracking (IBT) provides protection against
+ CALL-/JMP-oriented programming attacks. It is active when
+ the kernel has this feature enabled, and the processor and
+ the application support it. When this feature is enabled,
+ legacy non-IBT applications continue to work, but without
+ IBT protection.
+ Support for this feature is present on Tiger Lake family of
+ processors released in 2020 or later. Enabling this feature
+ increases kernel text size by 3.7 KB.
+ See Documentation/x86/intel_cet.rst for more information.
+
+ If unsure, say N.
+
config EFI
bool "EFI runtime service support"
depends on ACPI
@@ -74,6 +74,12 @@
#define DISABLE_SHSTK (1 << (X86_FEATURE_SHSTK & 31))
#endif
+#ifdef CONFIG_X86_IBT
+#define DISABLE_IBT 0
+#else
+#define DISABLE_IBT (1 << (X86_FEATURE_IBT & 31))
+#endif
+
#ifdef CONFIG_X86_CET
#define DISABLE_CET 0
#else
@@ -103,7 +109,7 @@
#define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE|DISABLE_LA57|DISABLE_UMIP| \
DISABLE_ENQCMD|DISABLE_SHSTK)
#define DISABLED_MASK17 0
-#define DISABLED_MASK18 0
+#define DISABLED_MASK18 (DISABLE_IBT)
#define DISABLED_MASK19 0
#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 20)
Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- oriented programming attacks. It is active when the kernel has this feature enabled, and the processor and the application support it. When this feature is enabled, legacy non-IBT applications continue to work, but without IBT protection. Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Cc: Kees Cook <keescook@chromium.org> --- arch/x86/Kconfig | 20 ++++++++++++++++++++ arch/x86/include/asm/disabled-features.h | 8 +++++++- 2 files changed, 27 insertions(+), 1 deletion(-)