Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
oriented programming attacks.  It is active when the kernel has this
feature enabled, and the processor and the application support it.
When this feature is enabled, legacy non-IBT applications continue to
work, but without IBT protection.

Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
v25:
- Make CONFIG_X86_IBT depend on CONFIG_X86_SHADOW_STACK.

 arch/x86/Kconfig                         | 19 +++++++++++++++++++
 arch/x86/include/asm/disabled-features.h |  8 +++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 77d2e44995d7..6bb69fba0dad 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1965,6 +1965,25 @@ config X86_SHADOW_STACK
 
          If unsure, say N.
 
+config X86_IBT
+       prompt "Intel Indirect Branch Tracking"
+       def_bool n
+       depends on X86_SHADOW_STACK
+       depends on $(cc-option,-fcf-protection)
+       help
+         Indirect Branch Tracking (IBT) provides protection against
+         CALL-/JMP-oriented programming attacks.  It is active when
+         the kernel has this feature enabled, and the processor and
+         the application support it.  When this feature is enabled,
+         legacy non-IBT applications continue to work, but without
+         IBT protection.
+         Support for this feature is present on Tiger Lake family of
+         processors released in 2020 or later.  Enabling this feature
+         increases kernel text size by 3.7 KB.
+         See Documentation/x86/intel_cet.rst for more information.
+
+         If unsure, say N.
+
 config EFI
        bool "EFI runtime service support"
        depends on ACPI
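Review bot: `prompt "Intel Indirect Branch Tracking"` followed by `def_bool n` is the long form of a plain boolean option with the default value Kconfig already gives a bool; the neighbouring `config EFI` entry in this hunk uses `bool "EFI runtime service support"`, and `bool "Intel Indirect Branch Tracking"` would match that style without changing behaviour. The `depends on $(cc-option,-fcf-protection)` line is not explained anywhere in the option, and the help text describes IBT as protecting applications rather than kernel builds, so a reader cannot tell why a compiler flag gates the feature; presumably kernel-built code that IBT-enabled applications branch into must be compiled with it, but that is inferred, and a comment such as `# -fcf-protection: <reason the compiler must support it — confirm>` above the line would record the actual reason. The "3.7 KB" figure in the help text is tied to one toolchain and configuration and will drift silently; phrasing it as "increases kernel text size slightly (about 3.7 KB with the toolchain used when this was written)" or dropping the number would age better.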
diff --git a/arch/x86/include/asm/disabled-features.h 
b/arch/x86/include/asm/disabled-features.h
index e5c6ed9373e8..07cc40d49947 100644
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -74,6 +74,12 @@
 #define DISABLE_SHSTK  (1 << (X86_FEATURE_SHSTK & 31))
 #endif
 
+#ifdef CONFIG_X86_IBT
+#define DISABLE_IBT    0
+#else
+#define DISABLE_IBT    (1 << (X86_FEATURE_IBT & 31))
+#endif
+
 /*
  * Make sure to add features to the correct mask
  */
@@ -96,7 +102,7 @@
 #define DISABLED_MASK16        
(DISABLE_PKU|DISABLE_OSPKE|DISABLE_LA57|DISABLE_UMIP| \
                         DISABLE_ENQCMD|DISABLE_SHSTK)
 #define DISABLED_MASK17        0
-#define DISABLED_MASK18        0
+#define DISABLED_MASK18        (DISABLE_IBT)
 #define DISABLED_MASK19        0
 #define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 20)
 
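Review bot: `#define DISABLED_MASK18 (DISABLE_IBT)` is only correct if X86_FEATURE_IBT is declared in capability word 18 of cpufeatures.h, which this hunk cannot show; the related DISABLE_SHSTK sits in DISABLED_MASK16 two lines above, so the two CET bits land in different words and nothing in the `(1 << (X86_FEATURE_IBT & 31))` definition ties the bit index to the right word. The existing `DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 20)` only checks the word count, not that each DISABLE_* constant is placed in the word its feature belongs to. A one-line comment on the added line, `/* X86_FEATURE_IBT lives in word 18 (see cpufeatures.h) */`, would make the pairing explicit for whoever next renumbers the feature words.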
-- 
2.21.0
