tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

x86/alternatives: Make FineIBT mode Kconfig selectable

Since FineIBT performs checking at the destination, it is weaker against
attacks that can construct arbitrary executable memory contents. As such,
some system builders want to run with FineIBT disabled by default. Allow
the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
newly introduced CONFIG_CFI_AUTO_DEFAULT.

Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>

authored by

Kees Cook and committed by
Kees Cook d6f635bc 51005a59

+14 -5
+9
arch/x86/Kconfig
··· 2427 2427 2428 2428 Say 'N' unless you want to really enforce this check. 2429 2429 2430 + config CFI_AUTO_DEFAULT 2431 + bool "Attempt to use FineIBT by default at boot time" 2432 + depends on FINEIBT 2433 + default y 2434 + help 2435 + Attempt to use FineIBT by default at boot time. If enabled, 2436 + this is the same as booting with "cfi=auto". If disabled, 2437 + this is the same as booting with "cfi=kcfi". 2438 + 2430 2439 source "kernel/livepatch/Kconfig" 2431 2440 2432 2441 endmenu
+1 -1
arch/x86/include/asm/cfi.h
··· 93 93 * 94 94 */ 95 95 enum cfi_mode { 96 - CFI_DEFAULT, /* FineIBT if hardware has IBT, otherwise kCFI */ 96 + CFI_AUTO, /* FineIBT if hardware has IBT, otherwise kCFI */ 97 97 CFI_OFF, /* Taditional / IBT depending on .config */ 98 98 CFI_KCFI, /* Optionally CALL_PADDING, IBT, RETPOLINE */ 99 99 CFI_FINEIBT, /* see arch/x86/kernel/alternative.c */
+4 -4
arch/x86/kernel/alternative.c
··· 885 885 886 886 #endif /* CONFIG_X86_KERNEL_IBT */ 887 887 888 - #ifdef CONFIG_FINEIBT 889 - #define __CFI_DEFAULT CFI_DEFAULT 888 + #ifdef CONFIG_CFI_AUTO_DEFAULT 889 + #define __CFI_DEFAULT CFI_AUTO 890 890 #elif defined(CONFIG_CFI_CLANG) 891 891 #define __CFI_DEFAULT CFI_KCFI 892 892 #else ··· 994 994 } 995 995 996 996 if (!strcmp(str, "auto")) { 997 - cfi_mode = CFI_DEFAULT; 997 + cfi_mode = CFI_AUTO; 998 998 } else if (!strcmp(str, "off")) { 999 999 cfi_mode = CFI_OFF; 1000 1000 cfi_rand = false; ··· 1254 1254 "FineIBT preamble wrong size: %ld", fineibt_preamble_size)) 1255 1255 return; 1256 1256 1257 - if (cfi_mode == CFI_DEFAULT) { 1257 + if (cfi_mode == CFI_AUTO) { 1258 1258 cfi_mode = CFI_KCFI; 1259 1259 if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) 1260 1260 cfi_mode = CFI_FINEIBT;