The following commit has been merged into the x86/cpu branch of tip: Commit-ID: f12315780faf1cbfe00991077a1e8c8e4c201f3b Gitweb: https://git.kernel.org/tip/f12315780faf1cbfe00991077a1e8c8e4c201f3b Author: Kees Cook <kees@xxxxxxxxxx> AuthorDate: Fri, 14 Feb 2025 11:22:21 -08:00 Committer: Ingo Molnar <mingo@xxxxxxxxxx> CommitterDate: Fri, 21 Feb 2025 15:38:11 +01:00 x86/kcfi: Require FRED for FineIBT With what appears to be an unavoidable pivot gadget always present in the kernel (the entry code), FineIBT's lack of caller-side CFI hash validation leaves it critically flawed: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ [1] Require FRED for FineIBT: https://lore.kernel.org/linux-hardening/c46f5614-a82e-42fc-91eb-05e483a7df9c@xxxxxxxxxx/ (and probably should also require eXecute-Only memory too), and default to kCFI when CFI is built in. Signed-off-by: Kees Cook <kees@xxxxxxxxxx> Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20250214192210.work.253-kees@xxxxxxxxxx
---
arch/x86/Kconfig | 9 +++++----
arch/x86/include/asm/cfi.h | 2 +-
arch/x86/kernel/alternative.c | 4 +++-
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 87198d9..754bcd6 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2427,12 +2427,13 @@ config STRICT_SIGALTSTACK_SIZE config CFI_AUTO_DEFAULT bool "Attempt to use FineIBT by default at boot time" - depends on FINEIBT + depends on FINEIBT && X86_FRED default y help - Attempt to use FineIBT by default at boot time. If enabled, - this is the same as booting with "cfi=auto". If disabled, - this is the same as booting with "cfi=kcfi". + Attempt to use FineIBT by default at boot time if supported + and sensible for the hardware. If enabled, this is the same + as booting with "cfi=auto". If disabled, this is the same as + booting with "cfi=kcfi". source "kernel/livepatch/Kconfig" diff --git a/arch/x86/include/asm/cfi.h b/arch/x86/include/asm/cfi.h index 31d19c8..547377e 100644 --- a/arch/x86/include/asm/cfi.h +++ b/arch/x86/include/asm/cfi.h @@ -93,7 +93,7 @@ * */ enum cfi_mode { - CFI_AUTO, /* FineIBT if hardware has IBT, otherwise kCFI */ + CFI_AUTO, /* FineIBT if hardware has IBT, FRED, and XOM */ CFI_OFF, /* Taditional / IBT depending on .config */ CFI_KCFI, /* Optionally CALL_PADDING, IBT, RETPOLINE */ CFI_FINEIBT, /* see arch/x86/kernel/alternative.c */ diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index c71b575..42f8184 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -1302,7 +1302,9 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline, if (cfi_mode == CFI_AUTO) { cfi_mode = CFI_KCFI; - if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) + /* FineIBT requires IBT and will only be safe with FRED */ + if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT) && + cpu_feature_enabled(X86_FEATURE_FRED)) cfi_mode = CFI_FINEIBT; }
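Review bot: The new help text for `CFI_AUTO_DEFAULT` says FineIBT is used "if supported and sensible for the hardware" without naming what that means, so someone configuring a kernel cannot tell from the prompt that auto mode now falls back to kCFI on CPUs without FRED. The runtime check in arch/x86/kernel/alternative.c tests IBT and FRED, and the help could state that directly, for example `Attempt to use FineIBT by default at boot time when the CPU supports both IBT and FRED; otherwise kCFI is used.` The prompt string "Attempt to use FineIBT by default at boot time" is unchanged and is fine as it stands.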
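Review bot: The updated comment on `CFI_AUTO` in arch/x86/include/asm/cfi.h lists XOM as a condition, but the check added in arch/x86/kernel/alternative.c tests only IBT and FRED, and the commit message treats execute-only memory as something that "probably should" also be required. As written the comment overstates what auto mode verifies, which could lead a reader to assume XOM is enforced when it is not; it also drops the previous wording's note that kCFI is the fallback. Suggest `CFI_AUTO, /* FineIBT if hardware has IBT and FRED, otherwise kCFI */` until an XOM check actually exists. The enum continues outside the hunk.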
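Review bot: The FRED requirement in `__apply_fineibt()` is applied only inside the `if (cfi_mode == CFI_AUTO)` branch, so a `cfi_mode` that is already `CFI_FINEIBT` when this code runs (presumably set from the `cfi=` boot parameter, whose parsing is outside the hunk) appears to be honored on hardware without FRED. If that override is intentional, it should leave a trace in the boot log so the weaker configuration is visible when auditing a system, for example `if (cfi_mode == CFI_FINEIBT && !cpu_feature_enabled(X86_FEATURE_FRED)) pr_warn("FineIBT enabled without FRED\n");` placed after the auto-selection block. The new comment could also say why FRED matters, for example `/* FineIBT requires IBT; without FRED the entry code remains usable as a pivot gadget */`. The function body starts and ends outside the hunk.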