On Fri, Feb 14, 2025 at 10:40:28PM +0000, Andrew Cooper wrote:
> On 14/02/2025 9:54 pm, Kees Cook wrote:
> > On Fri, Feb 14, 2025 at 07:39:20PM +0000, Andrew Cooper wrote:
> >> Architecturally, FineIBT without FRED seems to be no improvement over
> >> simple IBT. (I'd love to find some way of hardening the entrypoints,
> >> but I can't see a robust way of doing so.)
> > If you're just looking at IBT, yes. But kCFI (with or without IBT,
> > but without FineIBT) will do hash checking at the call site, which
> > should make it impossible to reach the entrypoints from an indirect call
> > in the first place, as they have no hash preceding them.
> >
> >> However, micro-architecturally, FineIBT is still far better than simple
> >> IBT for the speculation issue, seeing as Intel keep on staunchly refusing to
> >> turn off the indirect predictors by default like AMD do.
> >>
> >> A security conscious user ought to be using FineIBT for this, given a
> >> choice, even if it's not perfect in other regards.
> > A security conscious user should use kCFI without FineIBT. :) But I
> > think we might be thinking about different elements of security. I am
> > focusing on control flow, and I think you're considering speculation?
>
> True. The security realist knows they're damned either way, and gets a
> stiff drink instead.
I don't know how any of our livers survive. :) -- Kees Cook
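The call-site hash check Kees describes above, as an added simulation that is not part of this thread and not kernel or compiler code: under kCFI the compiler places a 32-bit hash of the function's type immediately before each address-taken function, and every indirect call site compares the hash in front of its target with the hash it expects for the call's own type before jumping. The preamble is modelled here as a field beside the code pointer rather than as bytes in the text segment, the hash is a stand-in (FNV-1a over a type string, not the compiler's real hash function), and an entry point with no preamble is modelled as hash 0; all three are assumptions of this example. The three scenarios show a matching handler being called, a function of another type being rejected, and an assembly entry stub being rejected because nothing in front of it looks like a hash.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Simulation of a kCFI-style indirect-call check (example code, not the
 * kernel's or clang's implementation). The compiler-emitted hash that
 * precedes each address-taken function is modelled as a struct field.
 */

typedef void (*code_ptr)(void);   /* generic "address of some code" */
typedef long (*handler_fn)(long); /* the type the call site expects */

#define KCFI_NO_PREAMBLE 0u /* assumption: "no hash in front of the entry" */

struct kcfi_target {
    uint32_t type_hash; /* hash the compiler would place before the code */
    code_ptr fn;        /* the code address the indirect call lands on */
};

enum kcfi_status { KCFI_OK = 0, KCFI_TRAP = 1 };

/* Stand-in for the compiler's type hash (assumption): FNV-1a over the
 * textual type signature. Only the property "different type => different
 * hash" matters for this simulation. */
static uint32_t kcfi_type_hash(const char *type)
{
    uint32_t h = 2166136261u;
    for (; *type; type++) {
        h ^= (unsigned char)*type;
        h *= 16777619u;
    }
    return h;
}

/* What an indirect call of type long(long) becomes under kCFI: load the
 * hash preceding the target, compare with the expected hash, trap on
 * mismatch (modelled as returning KCFI_TRAP), otherwise make the call. */
static enum kcfi_status kcfi_call_handler(const struct kcfi_target *t,
                                          long arg, long *ret)
{
    uint32_t expected = kcfi_type_hash("long(long)");
    if (t->type_hash != expected)
        return KCFI_TRAP;
    *ret = ((handler_fn)t->fn)(arg);
    return KCFI_OK;
}

static long double_it(long x) { return 2 * x; }
static void other_type(int x, int y) { (void)x; (void)y; }
static void asm_entry_stub(void) { } /* stands in for an entry point */

/* Scenario 1: a genuine long(long) handler, laid out with its type hash. */
static enum kcfi_status call_good_handler(long *ret)
{
    struct kcfi_target t = { kcfi_type_hash("long(long)"), (code_ptr)double_it };
    return kcfi_call_handler(&t, 21, ret);
}

/* Scenario 2: a function of another type (type confusion): hash differs. */
static enum kcfi_status call_wrong_type(long *ret)
{
    struct kcfi_target t = { kcfi_type_hash("void(int,int)"), (code_ptr)other_type };
    return kcfi_call_handler(&t, 21, ret);
}

/* Scenario 3: an assembly entry point, which has no hash preamble at all,
 * so no kCFI call site of any type can reach it. */
static enum kcfi_status call_entry_point(long *ret)
{
    struct kcfi_target t = { KCFI_NO_PREAMBLE, (code_ptr)asm_entry_stub };
    return kcfi_call_handler(&t, 21, ret);
}

int main(void)
{
    long r = 0;
    printf("good handler : %s (ret=%ld)\n",
           call_good_handler(&r) == KCFI_OK ? "called" : "trap", r);
    printf("wrong type   : %s\n",
           call_wrong_type(&r) == KCFI_OK ? "called" : "trap");
    printf("entry point  : %s\n",
           call_entry_point(&r) == KCFI_OK ? "called" : "trap");
    return 0;
}
```

The point the simulation makes is the one in the thread: the check happens at the caller, against bytes that sit in front of the callee, so a target that was never given a preamble (an entry stub) fails the comparison regardless of what the attacker controls in the pointer. What the model leaves out is equally relevant to the speculation side of the discussion: the real check is a compare-and-branch, and the branch can still be mispredicted, which is why the argument about FineIBT and the indirect predictors is separate from the architectural one.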
