CVSROOT:        /cvs
Module name:    www
Changes by:     dera...@cvs.openbsd.org 2023/07/13 08:02:00

Modified files:
        .              : innovations.html 

Log message:
Over the last 6 months we've worked on adding arm64 BTI & Intel IBT support
in the kernels and all userland binaries.  We have been fixing all the
applications along the way. Many developers were involved.
There is an innovative and substantial difference in our approach compared
to how Linux is doing it:
- On OpenBSD, IBT/BTI enforcement is on by default (meaning mandatory),
unless a binary is linked to request opt-out (using -Wl,-z,nobtcfi). After all
our fixes, very few application binaries need that, and that count is expected
to shrink quickly as we (or upstreams) fix the outstanding issues.
- On Linux they are rehashing the same design as their executable-stack
mechanism:
if a single .o file in a resulting binary isn't marked as IBT/BTI enforcement,
the system will (silently) execute the program without enforcement and no one
knows this is happening.  So for an issue from around 2001, today Linux binaries
with executable stack exist and work unsafely.  I expect that 20 years from
now Linux binaries without IBT/BTI enforcement will also exist and work
unsafely.
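
An audit sketch for the markings this log message contrasts, added here as an example and not part of the commit or of OpenBSD's code: it reads a little-endian ELF64 image and reports an executable-stack request, a GNU property note carrying the IBT/BTI bit, and the OpenBSD opt-out segment. It assumes `-Wl,-z,nobtcfi` is recorded as a `PT_OPENBSD_NOBTCFI` program header; `make_elf` and the sample images are constructed test data.

```python
import struct

PT_GNU_STACK, PT_GNU_PROPERTY = 0x6474E551, 0x6474E553
PT_OPENBSD_NOBTCFI = 0x65A3DBE8  # assumed marker left by -Wl,-z,nobtcfi
# GNU_PROPERTY_*_FEATURE_1_AND type per e_machine; bit 0 is IBT (x86-64) / BTI (arm64)
FEATURE_1_AND = {62: 0xC0000002, 183: 0xC0000000}

def _has_feature(note, want_type):
    """True if an NT_GNU_PROPERTY_TYPE_0 note sets bit 0 of the wanted property."""
    if len(note) < 16:
        return False
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if note[12:12 + namesz] != b"GNU\x00" or ntype != 5:
        return False
    pos = 12 + ((namesz + 3) & ~3)
    end = min(pos + descsz, len(note))
    while pos + 12 <= end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, pos)
        if pr_type == want_type and pr_datasz >= 4:
            return bool(struct.unpack_from("<I", note, pos + 8)[0] & 1)
        pos += 8 + ((pr_datasz + 7) & ~7)  # properties are 8-byte aligned
    return False

def audit_elf(data):
    """Report explicit markings only; a missing header is not interpreted."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    machine = struct.unpack_from("<H", data, 18)[0]
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    out = {"exec_stack": False, "nobtcfi": False, "cf_marked": False}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
        if p_type == PT_GNU_STACK:
            out["exec_stack"] = bool(p_flags & 0x1)  # PF_X
        elif p_type == PT_OPENBSD_NOBTCFI:
            out["nobtcfi"] = True
        elif p_type == PT_GNU_PROPERTY:
            note = data[p_offset:p_offset + p_filesz]
            out["cf_marked"] = _has_feature(note, FEATURE_1_AND.get(machine))
    return out

def make_elf(machine, phdrs, blob=b""):
    """Constructed sample: 64-byte ELF header, 56-byte program headers, blob."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, machine, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                          for t, f, off, sz in phdrs) + blob

IBT_NOTE = struct.pack("<III4sIIII", 4, 16, 5, b"GNU\x00", 0xC0000002, 4, 1, 0)
MARKED = make_elf(62, [(PT_GNU_STACK, 6, 0, 0), (PT_GNU_PROPERTY, 4, 176, 32)], IBT_NOTE)
UNMARKED = make_elf(62, [(PT_GNU_STACK, 7, 0, 0)])  # exec stack, no IBT note
OPTOUT = make_elf(62, [(PT_OPENBSD_NOBTCFI, 0, 0, 0)])
```
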
