Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
> +	help
> +	  Control-flow protection is a hardware security hardening feature
> +	  that detects function-return address or jump target changes by
> +	  malicious code.

It's not really one feature.  I also think it's not worth talking about
shadow stacks or indirect branch tracking in *here*.  Leave that for
Documentation/.

Just say:

	Control-flow protection is a set of hardware features which
	place additional restrictions on indirect branches.  These help
	mitigate ROP attacks.

... and add more in the IBT patches.

>  Applications must be enabled to use it, and old
> +	  userspace does not get protection "for free".
> +	  Support for this feature is present on processors released in
> +	  2020 or later.  Enabling this feature increases kernel text size
> +	  by 3.7 KB.

Did any CPUs ever get released that have this?  If so, name them.  If
not, time to change this to 2021, I think.



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux