On Fri, Sep 18, 2020 at 2:24 PM Pavel Machek <pavel@xxxxxx> wrote:
>
> Hi!
>
> > > > > +	help
> > > > > +	  Indirect Branch Tracking (IBT) provides protection against
> > > > > +	  CALL-/JMP-oriented programming attacks. It is active when
> > > > > +	  the kernel has this feature enabled, and the processor and
> > > > > +	  the application support it. When this feature is enabled,
> > > > > +	  legacy non-IBT applications continue to work, but without
> > > > > +	  IBT protection.
> > > > > +
> > > > > +	  If unsure, say y
> > > >
> > > > If unsure, say y.
> > >
> > > Actually, it would be "If unsure, say Y.", to be consistent with the
> > > rest of the Kconfig.
> > >
> > > But I wonder if Yes by default is a good idea. Only very new CPUs will
> > > support this, right? Are they even available on the market? Should the
> > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> > >
> >
> > A CET-enabled kernel runs on all x86-64 processors. All my machines
> > are running the same CET-enabled kernel binary.
>
> I believe that.
>
> But enabling CET in the kernel is useless on a Core 2 Duo machine, right?
>

It is very important for a CET kernel to run on a Core 2 Duo machine.
Otherwise, a distro needs to provide 2 kernel binaries, one for CET CPUs
and one for non-CET CPUs.

--
H.J.
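Review bot: the last line of the quoted help text, "+ If unsure, say y", should read "If unsure, say Y." (capital Y, trailing period) to match the other Kconfig help entries, as the thread already points out. Since the text only says that legacy non-IBT applications keep working, it would also be worth stating that the kernel itself still boots on processors without IBT, which is the point made below about running one binary on both CET-capable and non-CET CPUs.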