On 1/27/21 1:25 PM, Yu-cheng Yu wrote: > + help > + Control-flow protection is a hardware security hardening feature > + that detects function-return address or jump target changes by > + malicious code. It's not really one feature. I also think it's not worth talking about shadow stacks or indirect branch tracking in *here*. Leave that for Documentation/. Just say: Control-flow protection is a set of hardware features which place additional restrictions on indirect branches. These help mitigate ROP attacks. ... and add more in the IBT patches. > Applications must be enabled to use it, and old > + userspace does not get protection "for free". > + Support for this feature is present on processors released in > + 2020 or later. Enabling this feature increases kernel text size > + by 3.7 KB. Did any CPUs ever get released that have this? If so, name them. If not, time to change this to 2021, I think.
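Review bot: The last two sentences of the help text ("Support for this feature is present on processors released in 2020 or later" and "Enabling this feature increases kernel text size by 3.7 KB") tie the option's description to a release year and a single measured size, and both will go stale as the series evolves and vary with compiler and configuration. Consider stating the hardware requirement in terms of the CPU feature itself rather than a year, and either drop the size figure or mark it as approximate with the configuration it was measured on. The sentence "Applications must be enabled to use it" also does not say how an application is enabled; since the detail belongs in Documentation/, a pointer to the relevant file there would let someone reading the Kconfig prompt find out what "enabled" means without guessing.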