On Tue, Apr 30, 2024 at 5:02 PM Kees Cook <[email protected]> wrote: > > Since FineIBT performs checking at the destination, it is weaker against > attacks that can construct arbitrary executable memory contents. As such, > some system builders want to run with FineIBT disabled by default. Allow > the "cfi=kcfi" boot param mode to be selectable through Kconfig via the > newly introduced CONFIG_CFI_AUTO_DEFAULT. > > Signed-off-by: Kees Cook <[email protected]> > ---
Reviewed-by: Sami Tolvanen <[email protected]> Sami
