x86/alternatives: Make FineIBT mode Kconfig selectable
Since FineIBT performs checking at the destination, it is weaker against attacks that can construct arbitrary executable memory contents. As such, some system builders want to run with FineIBT disabled by default. Allow the "cfi=kcfi" boot param mode to be selectable through Kconfig via the newly introduced CONFIG_CFI_AUTO_DEFAULT. Reviewed-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
parent
51005a59bc
commit
d6f635bcac
@ -2427,6 +2427,15 @@ config STRICT_SIGALTSTACK_SIZE
|
|||||||
|
|
||||||
Say 'N' unless you want to really enforce this check.
|
Say 'N' unless you want to really enforce this check.
|
||||||
|
|
||||||
|
config CFI_AUTO_DEFAULT
|
||||||
|
bool "Attempt to use FineIBT by default at boot time"
|
||||||
|
depends on FINEIBT
|
||||||
|
default y
|
||||||
|
help
|
||||||
|
Attempt to use FineIBT by default at boot time. If enabled,
|
||||||
|
this is the same as booting with "cfi=auto". If disabled,
|
||||||
|
this is the same as booting with "cfi=kcfi".
|
||||||
|
|
||||||
source "kernel/livepatch/Kconfig"
|
source "kernel/livepatch/Kconfig"
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
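Review bot: The help text for CONFIG_CFI_AUTO_DEFAULT states only the boot-parameter equivalence ("cfi=auto" vs "cfi=kcfi") and not the reason a builder would turn it off, which the commit message gives: FineIBT checks at the call destination and is weaker against an attacker who can place arbitrary executable contents in memory. With `default y` most configurations will take the auto mode without seeing that trade-off, so I would add the rationale to the help text, e.g. `Say N to default to kCFI, which checks at the call site and is more robust when an attacker can control executable memory contents; the mode can still be overridden on the kernel command line.`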
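--- a/<FILE-PATH-NOT-SHOWN>
+++ b/<FILE-PATH-NOT-SHOWN>
@@ -93,7 +93,7 @@
 *
 */
 enum cfi_mode {
-CFI_DEFAULT, /* FineIBT if hardware has IBT, otherwise kCFI */
+CFI_AUTO, /* FineIBT if hardware has IBT, otherwise kCFI */
 CFI_OFF, /* Taditional / IBT depending on .config */
 CFI_KCFI, /* Optionally CALL_PADDING, IBT, RETPOLINE */
 CFI_FINEIBT, /* see arch/x86/kernel/alternative.c */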
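--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -885,8 +885,8 @@ void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }
 
 #endif /* CONFIG_X86_KERNEL_IBT */
 
-#ifdef CONFIG_FINEIBT
-#define __CFI_DEFAULT CFI_DEFAULT
+#ifdef CONFIG_CFI_AUTO_DEFAULT
+#define __CFI_DEFAULT CFI_AUTO
 #elif defined(CONFIG_CFI_CLANG)
 #define __CFI_DEFAULT CFI_KCFI
 #else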
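Review bot: The macro keeps the name `__CFI_DEFAULT` while the value it now selects was renamed from CFI_DEFAULT to CFI_AUTO and its guard changed from CONFIG_FINEIBT to CONFIG_CFI_AUTO_DEFAULT, so a reader sees a "default" macro whose auto branch is keyed on a Kconfig symbol that is not explained here. A short comment above the `#ifdef` would save the next reader a trip to Kconfig, e.g. `/* __CFI_DEFAULT: initial cfi_mode; CONFIG_CFI_AUTO_DEFAULT depends on FINEIBT, so the kCFI arm also covers FINEIBT=y builds that opted out of auto. */`. That the macro seeds the initial cfi_mode is inferred from its name; its use, and the `#else` arm, lie outside the hunk.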
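--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -994,7 +994,7 @@ static __init int cfi_parse_cmdline(char *str)
 }
 
 if (!strcmp(str, "auto")) {
-cfi_mode = CFI_DEFAULT;
+cfi_mode = CFI_AUTO;
 } else if (!strcmp(str, "off")) {
 cfi_mode = CFI_OFF;
 cfi_rand = false;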
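--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1254,7 +1254,7 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
 "FineIBT preamble wrong size: %ld", fineibt_preamble_size))
 return;
 
-if (cfi_mode == CFI_DEFAULT) {
+if (cfi_mode == CFI_AUTO) {
 cfi_mode = CFI_KCFI;
 if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT))
 cfi_mode = CFI_FINEIBT;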
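Review bot: Resolving CFI_AUTO by overwriting the global cfi_mode inside __apply_fineibt means the auto decision is taken on whichever call reaches this point first, and every later reader of cfi_mode sees CFI_KCFI or CFI_FINEIBT rather than CFI_AUTO. That is presumably intended, but it is a non-obvious side effect of a function whose name suggests it only patches code, so I would state it, e.g. `/* Resolve CFI_AUTO to a concrete mode once; later reads of cfi_mode never see CFI_AUTO. */`. The body of __apply_fineibt starts before and continues after the hunk.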