summaryrefslogtreecommitdiff
path: root/rust
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2022-11-01 10:25:07 -0700
committerPeter Zijlstra <peterz@infradead.org>2022-11-05 11:28:03 +0100
commit4fd5f70ce14da230c6a29648c3d51a48ee0b4bfd (patch)
tree2012d4b0fdcd548266b6d0c2f36506b4f99c6052 /rust
parentb32fd8a60f5d855758208c2b5b49cba8087f03c4 (diff)
x86/Kconfig: Enable kernel IBT by default
The kernel IBT defense strongly mitigates the common "first step" of ROP attacks, by eliminating arbitrary stack pivots (that appear either at the end of a function or in immediate values), which cannot be reached if indirect calls must be to marked function entry addresses. IBT is also required to be enabled to gain the FineIBT feature when built with Kernel Control Flow Integrity. Additionally, given that this feature is runtime enabled via CPU ID, it clearly should be built in by default; it will only be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default. Suggested-by: Sami Tolvanen <samitolvanen@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20221101172503.gonna.094-kees@kernel.org
Diffstat (limited to 'rust')
0 files changed, 0 insertions, 0 deletions