Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
oriented programming attacks.  It is active when the kernel has this
feature enabled, and the processor and the application support it.
When this feature is enabled, legacy non-IBT applications continue to
work, but without IBT protection.

Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
 arch/x86/Kconfig                         | 20 ++++++++++++++++++++
 arch/x86/include/asm/disabled-features.h |  8 +++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a69e351e7386..a58c5230e957 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1969,6 +1969,26 @@ config X86_SHADOW_STACK
 
          If unsure, say N.
 
+config X86_IBT
+       prompt "Intel Indirect Branch Tracking"
+       def_bool n
+       depends on X86_64
+       depends on $(cc-option,-fcf-protection)
+       select X86_CET
+       help
+         Indirect Branch Tracking (IBT) provides protection against
+         CALL-/JMP-oriented programming attacks.  It is active when
+         the kernel has this feature enabled, and the processor and
+         the application support it.  When this feature is enabled,
+         legacy non-IBT applications continue to work, but without
+         IBT protection.
+         Support for this feature is present on Tiger Lake family of
+         processors released in 2020 or later.  Enabling this feature
+         increases kernel text size by 3.7 KB.
+         See Documentation/x86/intel_cet.rst for more information.
+
+         If unsure, say N.
+
 config EFI
        bool "EFI runtime service support"
        depends on ACPI
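Review bot: The `depends on $(cc-option,-fcf-protection)` line tests the bare flag, and the help text attributes a 3.7 KB kernel text increase to the option, yet nothing in this hunk (or the diffstat) shows where the flag is applied or in which mode; the commit message only describes application-side IBT. The bare `-fcf-protection` defaults to `full`, which also emits shadow-stack instrumentation, whereas `-fcf-protection=branch` is the IBT-only form, so the dependency and any Makefile change that consumes it should name the mode they actually need. The help text would then be able to say where the size comes from, e.g. `Enabling this feature builds <objects built with the flag> with -fcf-protection=branch, which adds ENDBR instructions at indirect-branch targets.` (placeholder to be filled from the Makefile change). As written, a reader cannot tell whether the compiler check protects the kernel, the vDSO, or only gates the Kconfig symbol.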
diff --git a/arch/x86/include/asm/disabled-features.h 
b/arch/x86/include/asm/disabled-features.h
index 018cd7acd3e9..9b826b9dd83d 100644
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -74,6 +74,12 @@
 #define DISABLE_SHSTK  (1 << (X86_FEATURE_SHSTK & 31))
 #endif
 
+#ifdef CONFIG_X86_IBT
+#define DISABLE_IBT    0
+#else
+#define DISABLE_IBT    (1 << (X86_FEATURE_IBT & 31))
+#endif
+
 #ifdef CONFIG_X86_CET
 #define DISABLE_CET    0
 #else
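Review bot: `DISABLE_IBT` discards the feature word with `& 31` and relies on the separate `DISABLED_MASK18` edit in the following hunk to place the bit in the right word; `DISABLED_MASK_CHECK` only verifies `NCAPINTS`, so a mismatch between the word X86_FEATURE_IBT is defined in and the mask index it is OR'ed into would compile cleanly and silently leave the feature enabled or disabled in the wrong word. The existing `DISABLE_SHSTK`/`DISABLED_MASK16` pair follows the same convention, so this is a maintainability point rather than a defect. A one-line comment above `#ifdef CONFIG_X86_IBT` tying the two sites together would help whoever next moves a bit, e.g. `/* X86_FEATURE_IBT is in feature word 18; keep in sync with DISABLED_MASK18 below */`.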
@@ -103,7 +109,7 @@
 #define DISABLED_MASK16        
(DISABLE_PKU|DISABLE_OSPKE|DISABLE_LA57|DISABLE_UMIP| \
                         DISABLE_ENQCMD|DISABLE_SHSTK)
 #define DISABLED_MASK17        0
-#define DISABLED_MASK18        0
+#define DISABLED_MASK18        (DISABLE_IBT)
 #define DISABLED_MASK19        0
 #define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 20)
 
-- 
2.21.0
