Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER. Indirect Branch Tracking (IBT) provides protection against CALL-/JMP- oriented programming attacks. It is active when the kernel has this feature enabled, and the processor and the application support it. When this feature is enabled, legacy non-IBT applications continue to work, but without IBT protection.
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
---
arch/x86/Kconfig | 15 +++++++++++++++
arch/x86/Makefile | 7 +++++++
2 files changed, 22 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d1447380e02e..563f3c81f323 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1998,6 +1998,21 @@ config X86_INTEL_SHADOW_STACK_USER
 If unsure, say y.
+config X86_INTEL_BRANCH_TRACKING_USER
+ prompt "Intel Indirect Branch Tracking for user-mode"
+ def_bool n
+ depends on CPU_SUP_INTEL && X86_64
+ select X86_INTEL_CET
+ ---help---
+ Indirect Branch Tracking (IBT) provides protection against
+ CALL-/JMP-oriented programming attacks. It is active when
+ the kernel has this feature enabled, and the processor and
+ the application support it. When this feature is enabled,
+ legacy non-IBT applications continue to work, but without
+ IBT protection.
+
+ If unsure, say y
+
 config EFI
 bool "EFI runtime service support"
 depends on ACPI
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index c34f5befa4c8..f97b2c1c4d04 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -156,6 +156,13 @@ ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER
 endif
 endif
+# Check compiler ibt support
+ifdef CONFIG_X86_INTEL_BRANCH_TRACKING_USER
+ ifeq ($(call cc-option-yn, -fcf-protection=branch), n)
+ $(error CONFIG_X86_INTEL_BRANCH_TRACKING_USER not supported by compiler)
+ endif
+endif
+
 #
 # If the function graph tracer is used with mcount instead of fentry,
 # '-maccumulate-outgoing-args' is needed to prevent a GCC bug
--
2.21.0
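Review bot: The help text of the new X86_INTEL_BRANCH_TRACKING_USER entry ends with `If unsure, say y` while the option is declared `def_bool n`, so the advice and the default disagree; the two should be brought in line, either by changing the default or by rewording the recommendation. The sentence also drops the trailing period that the preceding context line from the X86_INTEL_SHADOW_STACK_USER help uses (`If unsure, say y.`), so the two neighbouring entries read inconsistently. Since the companion arch/x86/Makefile change makes the build fail when the compiler lacks the required flag, the help would also benefit from a sentence stating that requirement, e.g. `This requires a compiler that supports -fcf-protection=branch.`, so users learn about the toolchain dependency at configuration time rather than from a build error.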
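Review bot: The added `cc-option-yn` test runs only when arch/x86/Makefile is parsed, i.e. after CONFIG_X86_INTEL_BRANCH_TRACKING_USER has already been enabled, so an unsupported toolchain turns a configuration choice into a hard `$(error ...)` at build time. Guarding the Kconfig entry with `depends on $(cc-option,-fcf-protection=branch)` would hide the option on such toolchains instead; the Makefile check can stay as a backstop for a .config produced with a different compiler. Nothing in this hunk actually adds -fcf-protection=branch to any object's flags, so if the flag is consumed elsewhere in the series (presumably for user-mode code such as the vDSO) a short comment naming that consumer would make the purpose of the check clear, and if it is not consumed anywhere the check verifies a flag the build never uses. Minor: `# Check compiler ibt support` should read `# Check compiler IBT support` to match the spelling used in the option name and help text.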