Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

On 1/29/2021 11:42 AM, Dave Hansen wrote:
On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
+	help
+	  Control-flow protection is a hardware security hardening feature
+	  that detects function-return address or jump target changes by
+	  malicious code.

It's not really one feature.  I also think it's not worth talking about
shadow stacks or indirect branch tracking in *here*.  Leave that for
Documentation/.

Just say:

	Control-flow protection is a set of hardware features which
	place additional restrictions on indirect branches.  These help
	mitigate ROP attacks.

... and add more in the IBT patches.

  Applications must be enabled to use it, and old
+	  userspace does not get protection "for free".
+	  Support for this feature is present on processors released in
+	  2020 or later.  Enabling this feature increases kernel text size
+	  by 3.7 KB.
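Review bot: "Applications must be enabled to use it" in this hunk does not say who enables an application or how, so a reader of the help text cannot tell what "old userspace" is missing; state the condition explicitly (for example, how a binary comes to be treated as enabled and why existing binaries are not). The final sentence, "Enabling this feature increases kernel text size by 3.7 KB", is a point-in-time measurement that will drift as the code changes and is hard to keep accurate in Kconfig help text; either drop it or note the version it was measured on, alongside the year correction already requested for "2020 or later".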

Did any CPUs ever get released that have this?  If so, name them.  If
not, time to change this to 2021, I think.


Ok.  I will update this.

Yu-cheng


