Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

Hi,

If you do another version of this:

On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> 
> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> oriented programming attacks.  It is active when the kernel has this
> feature enabled, and the processor and the application support it.
> When this feature is enabled, legacy non-IBT applications continue to
> work, but without IBT protection.
> 
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
> ---
> v10:
> - Change build-time CET check to config depends on.
> 
>  arch/x86/Kconfig | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 6b6dad011763..b047e0a8d1c2 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
>  
>  	  If unsure, say y.
>  
> +config X86_INTEL_BRANCH_TRACKING_USER
> +	prompt "Intel Indirect Branch Tracking for user-mode"
> +	def_bool n
> +	depends on CPU_SUP_INTEL && X86_64
> +	depends on $(cc-option,-fcf-protection)
> +	select X86_INTEL_CET
> +	help
> +	  Indirect Branch Tracking (IBT) provides protection against
> +	  CALL-/JMP-oriented programming attacks.  It is active when
> +	  the kernel has this feature enabled, and the processor and
> +	  the application support it.  When this feature is enabled,
> +	  legacy non-IBT applications continue to work, but without
> +	  IBT protection.
> +
> +	  If unsure, say y

	  If unsure, say y.

> +
>  config EFI
>  	bool "EFI runtime service support"
>  	depends on ACPI
> 
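Review bot: In the new X86_INTEL_BRANCH_TRACKING_USER entry, "def_bool n" leaves the option off by default while the help text ends with "If unsure, say y", so the default and the advice to the user disagree; one of them should change so that they match. The separate "prompt" line plus "def_bool n" can also be collapsed into a single bool "Intel Indirect Branch Tracking for user-mode" line, because a Kconfig bool with no default already defaults to n.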


-- 
~Randy



