2020-09-18 19:26:24

by Yu-cheng Yu

Subject: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.

Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
oriented programming attacks. It is active when the kernel has this
feature enabled, and the processor and the application support it.
When this feature is enabled, legacy non-IBT applications continue to
work, but without IBT protection.

Signed-off-by: Yu-cheng Yu <[email protected]>
---
v10:
- Change build-time CET check to config depends on.

arch/x86/Kconfig | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 6b6dad011763..b047e0a8d1c2 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER

If unsure, say y.

+config X86_INTEL_BRANCH_TRACKING_USER
+ prompt "Intel Indirect Branch Tracking for user-mode"
+ def_bool n
+ depends on CPU_SUP_INTEL && X86_64
+ depends on $(cc-option,-fcf-protection)
+ select X86_INTEL_CET
+ help
+ Indirect Branch Tracking (IBT) provides protection against
+ CALL-/JMP-oriented programming attacks. It is active when
+ the kernel has this feature enabled, and the processor and
+ the application support it. When this feature is enabled,
+ legacy non-IBT applications continue to work, but without
+ IBT protection.
+
+ If unsure, say y
+
config EFI
bool "EFI runtime service support"
depends on ACPI
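Review bot: `def_bool n` and the closing help line "If unsure, say y" contradict each other in this hunk, and the line also drops the trailing period that the X86_INTEL_SHADOW_STACK_USER entry just above keeps. Pick one: either default the option on, or end the help with "If unsure, say N." (capital letter, as elsewhere in arch/x86/Kconfig). The conventional `bool "Indirect Branch Tracking for user-mode"` form would replace the unusual `prompt` plus `def_bool n` pair, and dropping the vendor name from both the symbol and the prompt avoids a rename if another x86 vendor implements the same feature. The `depends on $(cc-option,-fcf-protection)` line silently hides the option when the compiler lacks the flag; one sentence in the help text naming that toolchain requirement would save users a search when the prompt is missing.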
--
2.21.0


2020-09-18 20:26:16

by Randy Dunlap

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

Hi,

If you do another version of this:

On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
>
> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> oriented programming attacks. It is active when the kernel has this
> feature enabled, and the processor and the application support it.
> When this feature is enabled, legacy non-IBT applications continue to
> work, but without IBT protection.
>
> Signed-off-by: Yu-cheng Yu <[email protected]>
> ---
> v10:
> - Change build-time CET check to config depends on.
>
> arch/x86/Kconfig | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 6b6dad011763..b047e0a8d1c2 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
>
> If unsure, say y.
>
> +config X86_INTEL_BRANCH_TRACKING_USER
> + prompt "Intel Indirect Branch Tracking for user-mode"
> + def_bool n
> + depends on CPU_SUP_INTEL && X86_64
> + depends on $(cc-option,-fcf-protection)
> + select X86_INTEL_CET
> + help
> + Indirect Branch Tracking (IBT) provides protection against
> + CALL-/JMP-oriented programming attacks. It is active when
> + the kernel has this feature enabled, and the processor and
> + the application support it. When this feature is enabled,
> + legacy non-IBT applications continue to work, but without
> + IBT protection.
> +
> + If unsure, say y

If unsure, say y.

> +
> config EFI
> bool "EFI runtime service support"
> depends on ACPI
>


--
~Randy

2020-09-18 21:03:27

by Pavel Machek

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
> Hi,
>
> If you do another version of this:
>
> On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> >
> > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> > oriented programming attacks. It is active when the kernel has this
> > feature enabled, and the processor and the application support it.
> > When this feature is enabled, legacy non-IBT applications continue to
> > work, but without IBT protection.
> >
> > Signed-off-by: Yu-cheng Yu <[email protected]>
> > ---
> > v10:
> > - Change build-time CET check to config depends on.
> >
> > arch/x86/Kconfig | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 6b6dad011763..b047e0a8d1c2 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
> >
> > If unsure, say y.
> >
> > +config X86_INTEL_BRANCH_TRACKING_USER
> > + prompt "Intel Indirect Branch Tracking for user-mode"
> > + def_bool n
> > + depends on CPU_SUP_INTEL && X86_64
> > + depends on $(cc-option,-fcf-protection)
> > + select X86_INTEL_CET
> > + help
> > + Indirect Branch Tracking (IBT) provides protection against
> > + CALL-/JMP-oriented programming attacks. It is active when
> > + the kernel has this feature enabled, and the processor and
> > + the application support it. When this feature is enabled,
> > + legacy non-IBT applications continue to work, but without
> > + IBT protection.
> > +
> > + If unsure, say y
>
> If unsure, say y.

Actually, it would be "If unsure, say Y.", to be consistent with the
rest of the Kconfig.

But I wonder if Yes by default is good idea. Only very new CPUs will
support this, right? Are they even available at the market? Should the
help text say "if your CPU is Whatever Lake or newer, ...." :-) ?

Best regards,
Pavel


--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


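Pavel's question above, which processors actually have the feature, is answered at runtime by CPUID enumeration, and that is also what lets a single CET-capable kernel binary run on hardware without CET: the feature bits are checked and CET stays off where they are clear. The following C program is an added example written for this page, not code from the patch series or from any participant in the thread. The bit positions are Intel's documented ones (CPUID leaf 7, subleaf 0: ECX bit 7 enumerates CET shadow stack, EDX bit 20 enumerates CET indirect branch tracking); the struct and helper names are this example's own. The program compiles on non-x86 hosts as well, where it simply reports that CPUID is unavailable.

```c
/*
 * Added example (not part of the patch or the thread): enumerate CET
 * support on the running processor via CPUID, the check a kernel has
 * to make before enabling user-mode shadow stacks or IBT.
 *
 * Bit positions are from Intel's CPUID documentation:
 *   CPUID.(EAX=7,ECX=0):ECX[7]  = CET_SS  (shadow stack)
 *   CPUID.(EAX=7,ECX=0):EDX[20] = CET_IBT (indirect branch tracking)
 * The struct and function names below are this example's own.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CET_SS_ECX_BIT   7u
#define CET_IBT_EDX_BIT  20u

struct cet_caps {
	int ss;   /* 1 if CET shadow stack is enumerated */
	int ibt;  /* 1 if CET indirect branch tracking is enumerated */
};

/* Decode the CET feature bits from raw CPUID leaf 7 / subleaf 0 ECX and EDX. */
struct cet_caps cet_decode(uint32_t ecx, uint32_t edx)
{
	struct cet_caps caps;

	caps.ss  = (int)((ecx >> CET_SS_ECX_BIT) & 1u);
	caps.ibt = (int)((edx >> CET_IBT_EDX_BIT) & 1u);
	return caps;
}

/*
 * Query the running CPU. Returns 1 and fills *caps when CPUID leaf 7 is
 * available; returns 0 and clears *caps on CPUs too old to have leaf 7
 * (a Core 2 Duo, for example) or on a non-x86 host.
 */
int cet_query(struct cet_caps *caps)
{
#if defined(__x86_64__) || defined(__i386__)
	unsigned int eax, ebx, ecx, edx;
#endif

	caps->ss = 0;
	caps->ibt = 0;

#if defined(__x86_64__) || defined(__i386__)
	/* __get_cpuid_max(0, ...) returns the highest basic leaf; we need 7. */
	if (__get_cpuid_max(0, NULL) < 7)
		return 0;

	/* Subleaf 0 of leaf 7 holds the structured extended feature flags. */
	__cpuid_count(7, 0, eax, ebx, ecx, edx);
	*caps = cet_decode(ecx, edx);
	return 1;
#else
	return 0;
#endif
}

int main(void)
{
	struct cet_caps caps;

	if (!cet_query(&caps)) {
		puts("CPUID leaf 7 not available; CET cannot be enumerated");
		return 0;
	}
	printf("CET_SS  (shadow stack):             %s\n", caps.ss ? "yes" : "no");
	printf("CET_IBT (indirect branch tracking): %s\n", caps.ibt ? "yes" : "no");
	return 0;
}
```

Note that a set bit only means the silicon can do it; whether a process actually runs with IBT still depends on the kernel having the option enabled and on the binary being built for it, as the patch description says.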

2020-09-18 21:11:59

by H.J. Lu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri, Sep 18, 2020 at 1:59 PM Pavel Machek <[email protected]> wrote:
>
> On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
> > Hi,
> >
> > If you do another version of this:
> >
> > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> > >
> > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> > > oriented programming attacks. It is active when the kernel has this
> > > feature enabled, and the processor and the application support it.
> > > When this feature is enabled, legacy non-IBT applications continue to
> > > work, but without IBT protection.
> > >
> > > Signed-off-by: Yu-cheng Yu <[email protected]>
> > > ---
> > > v10:
> > > - Change build-time CET check to config depends on.
> > >
> > > arch/x86/Kconfig | 16 ++++++++++++++++
> > > 1 file changed, 16 insertions(+)
> > >
> > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > > index 6b6dad011763..b047e0a8d1c2 100644
> > > --- a/arch/x86/Kconfig
> > > +++ b/arch/x86/Kconfig
> > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
> > >
> > > If unsure, say y.
> > >
> > > +config X86_INTEL_BRANCH_TRACKING_USER
> > > + prompt "Intel Indirect Branch Tracking for user-mode"
> > > + def_bool n
> > > + depends on CPU_SUP_INTEL && X86_64
> > > + depends on $(cc-option,-fcf-protection)
> > > + select X86_INTEL_CET
> > > + help
> > > + Indirect Branch Tracking (IBT) provides protection against
> > > + CALL-/JMP-oriented programming attacks. It is active when
> > > + the kernel has this feature enabled, and the processor and
> > > + the application support it. When this feature is enabled,
> > > + legacy non-IBT applications continue to work, but without
> > > + IBT protection.
> > > +
> > > + If unsure, say y
> >
> > If unsure, say y.
>
> Actually, it would be "If unsure, say Y.", to be consistent with the
> rest of the Kconfig.
>
> But I wonder if Yes by default is good idea. Only very new CPUs will
> support this, right? Are they even available at the market? Should the
> help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
>

A CET-enabled kernel runs on all x86-64 processors. All my machines
are running the same CET-enabled kernel binary.

--
H.J.

2020-09-18 21:25:43

by Pavel Machek

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

Hi!

> > > > + help
> > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > + the kernel has this feature enabled, and the processor and
> > > > + the application support it. When this feature is enabled,
> > > > + legacy non-IBT applications continue to work, but without
> > > > + IBT protection.
> > > > +
> > > > + If unsure, say y
> > >
> > > If unsure, say y.
> >
> > Actually, it would be "If unsure, say Y.", to be consistent with the
> > rest of the Kconfig.
> >
> > But I wonder if Yes by default is good idea. Only very new CPUs will
> > support this, right? Are they even available at the market? Should the
> > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> >
>
> A CET-enabled kernel runs on all x86-64 processors. All my machines
> are running the same CET-enabled kernel binary.

I believe that.

But enabling CET in the kernel is useless on a Core 2 Duo machine, right?

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



2020-09-18 21:26:34

by Yu-cheng Yu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On 9/18/2020 1:59 PM, Pavel Machek wrote:
> On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
>> Hi,
>>
>> If you do another version of this:
>>
>> On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
>>> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
>>>
>>> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
>>> oriented programming attacks. It is active when the kernel has this
>>> feature enabled, and the processor and the application support it.
>>> When this feature is enabled, legacy non-IBT applications continue to
>>> work, but without IBT protection.
>>>
>>> Signed-off-by: Yu-cheng Yu <[email protected]>
>>> ---
>>> v10:
>>> - Change build-time CET check to config depends on.
>>>
>>> arch/x86/Kconfig | 16 ++++++++++++++++
>>> 1 file changed, 16 insertions(+)
>>>
>>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
>>> index 6b6dad011763..b047e0a8d1c2 100644
>>> --- a/arch/x86/Kconfig
>>> +++ b/arch/x86/Kconfig
>>> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
>>>
>>> If unsure, say y.
>>>
>>> +config X86_INTEL_BRANCH_TRACKING_USER
>>> + prompt "Intel Indirect Branch Tracking for user-mode"
>>> + def_bool n
>>> + depends on CPU_SUP_INTEL && X86_64
>>> + depends on $(cc-option,-fcf-protection)
>>> + select X86_INTEL_CET
>>> + help
>>> + Indirect Branch Tracking (IBT) provides protection against
>>> + CALL-/JMP-oriented programming attacks. It is active when
>>> + the kernel has this feature enabled, and the processor and
>>> + the application support it. When this feature is enabled,
>>> + legacy non-IBT applications continue to work, but without
>>> + IBT protection.
>>> +
>>> + If unsure, say y
>>
>> If unsure, say y.
>
> Actually, it would be "If unsure, say Y.", to be consistent with the
> rest of the Kconfig.
>
> But I wonder if Yes by default is good idea. Only very new CPUs will
> support this, right? Are they even available at the market? Should the
> help text say "if your CPU is Whatever Lake or newer, ...." :-) ?

I will revise the wording if there is another version. But a
CET-capable kernel can run on legacy systems. We have been testing that
combination.

Yu-cheng

2020-09-18 21:39:26

by H.J. Lu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri, Sep 18, 2020 at 2:24 PM Pavel Machek <[email protected]> wrote:
>
> Hi!
>
> > > > > + help
> > > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > > + the kernel has this feature enabled, and the processor and
> > > > > + the application support it. When this feature is enabled,
> > > > > + legacy non-IBT applications continue to work, but without
> > > > > + IBT protection.
> > > > > +
> > > > > + If unsure, say y
> > > >
> > > > If unsure, say y.
> > >
> > > Actually, it would be "If unsure, say Y.", to be consistent with the
> > > rest of the Kconfig.
> > >
> > > But I wonder if Yes by default is good idea. Only very new CPUs will
> > > support this, right? Are they even available at the market? Should the
> > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> > >
> >
> > A CET-enabled kernel runs on all x86-64 processors. All my machines
> > are running the same CET-enabled kernel binary.
>
> I believe that.
>
> But enabling CET in the kernel is useless on a Core 2 Duo machine, right?
>

This is very important: a CET kernel has to run on a Core 2 Duo machine.
Otherwise, a distro needs to provide two kernel binaries, one for CET
CPUs and one for non-CET CPUs.


--
H.J.

2020-09-18 21:41:44

by Pavel Machek

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote:
> On 9/18/2020 1:59 PM, Pavel Machek wrote:
> > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
> > > Hi,
> > >
> > > If you do another version of this:
> > >
> > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> > > >
> > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> > > > oriented programming attacks. It is active when the kernel has this
> > > > feature enabled, and the processor and the application support it.
> > > > When this feature is enabled, legacy non-IBT applications continue to
> > > > work, but without IBT protection.
> > > >
> > > > Signed-off-by: Yu-cheng Yu <[email protected]>
> > > > ---
> > > > v10:
> > > > - Change build-time CET check to config depends on.
> > > >
> > > > arch/x86/Kconfig | 16 ++++++++++++++++
> > > > 1 file changed, 16 insertions(+)
> > > >
> > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > > > index 6b6dad011763..b047e0a8d1c2 100644
> > > > --- a/arch/x86/Kconfig
> > > > +++ b/arch/x86/Kconfig
> > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
> > > > If unsure, say y.
> > > > +config X86_INTEL_BRANCH_TRACKING_USER
> > > > + prompt "Intel Indirect Branch Tracking for user-mode"
> > > > + def_bool n
> > > > + depends on CPU_SUP_INTEL && X86_64
> > > > + depends on $(cc-option,-fcf-protection)
> > > > + select X86_INTEL_CET
> > > > + help
> > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > + the kernel has this feature enabled, and the processor and
> > > > + the application support it. When this feature is enabled,
> > > > + legacy non-IBT applications continue to work, but without
> > > > + IBT protection.
> > > > +
> > > > + If unsure, say y
> > >
> > > If unsure, say y.
> >
> > Actually, it would be "If unsure, say Y.", to be consistent with the
> > rest of the Kconfig.
> >
> > But I wonder if Yes by default is good idea. Only very new CPUs will
> > support this, right? Are they even available at the market? Should the
> > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
>
> I will revise the wording if there is another version. But a CET-capable
> kernel can run on legacy systems. We have been testing that combination.

Yes, but enabling CET is unnecessary overhead on older systems. And
Kconfig is a great place to explain that.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



2020-09-18 21:50:13

by H.J. Lu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri, Sep 18, 2020 at 2:40 PM Pavel Machek <[email protected]> wrote:
>
> On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote:
> > On 9/18/2020 1:59 PM, Pavel Machek wrote:
> > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
> > > > Hi,
> > > >
> > > > If you do another version of this:
> > > >
> > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> > > > >
> > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> > > > > oriented programming attacks. It is active when the kernel has this
> > > > > feature enabled, and the processor and the application support it.
> > > > > When this feature is enabled, legacy non-IBT applications continue to
> > > > > work, but without IBT protection.
> > > > >
> > > > > Signed-off-by: Yu-cheng Yu <[email protected]>
> > > > > ---
> > > > > v10:
> > > > > - Change build-time CET check to config depends on.
> > > > >
> > > > > arch/x86/Kconfig | 16 ++++++++++++++++
> > > > > 1 file changed, 16 insertions(+)
> > > > >
> > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > > > > index 6b6dad011763..b047e0a8d1c2 100644
> > > > > --- a/arch/x86/Kconfig
> > > > > +++ b/arch/x86/Kconfig
> > > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
> > > > > If unsure, say y.
> > > > > +config X86_INTEL_BRANCH_TRACKING_USER
> > > > > + prompt "Intel Indirect Branch Tracking for user-mode"
> > > > > + def_bool n
> > > > > + depends on CPU_SUP_INTEL && X86_64
> > > > > + depends on $(cc-option,-fcf-protection)
> > > > > + select X86_INTEL_CET
> > > > > + help
> > > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > > + the kernel has this feature enabled, and the processor and
> > > > > + the application support it. When this feature is enabled,
> > > > > + legacy non-IBT applications continue to work, but without
> > > > > + IBT protection.
> > > > > +
> > > > > + If unsure, say y
> > > >
> > > > If unsure, say y.
> > >
> > > Actually, it would be "If unsure, say Y.", to be consistent with the
> > > rest of the Kconfig.
> > >
> > > But I wonder if Yes by default is good idea. Only very new CPUs will
> > > support this, right? Are they even available at the market? Should the
> > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> >
> > I will revise the wording if there is another version. But a CET-capable
> > kernel can run on legacy systems. We have been testing that combination.
>
> Yes, but enabling CET is unnecessary overhead on older systems. And
> Kconfig is a great place to explain that.
>

I can't tell any visible CET kernel overhead on my non-CET machines.

--
H.J.

2020-09-18 22:07:46

by Pavel Machek

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri 2020-09-18 14:46:12, H.J. Lu wrote:
> On Fri, Sep 18, 2020 at 2:40 PM Pavel Machek <[email protected]> wrote:
> >
> > On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote:
> > > On 9/18/2020 1:59 PM, Pavel Machek wrote:
> > > > On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
> > > > > Hi,
> > > > >
> > > > > If you do another version of this:
> > > > >
> > > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > > > > Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
> > > > > >
> > > > > > Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
> > > > > > oriented programming attacks. It is active when the kernel has this
> > > > > > feature enabled, and the processor and the application support it.
> > > > > > When this feature is enabled, legacy non-IBT applications continue to
> > > > > > work, but without IBT protection.
> > > > > >
> > > > > > Signed-off-by: Yu-cheng Yu <[email protected]>
> > > > > > ---
> > > > > > v10:
> > > > > > - Change build-time CET check to config depends on.
> > > > > >
> > > > > > arch/x86/Kconfig | 16 ++++++++++++++++
> > > > > > 1 file changed, 16 insertions(+)
> > > > > >
> > > > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > > > > > index 6b6dad011763..b047e0a8d1c2 100644
> > > > > > --- a/arch/x86/Kconfig
> > > > > > +++ b/arch/x86/Kconfig
> > > > > > @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
> > > > > > If unsure, say y.
> > > > > > +config X86_INTEL_BRANCH_TRACKING_USER
> > > > > > + prompt "Intel Indirect Branch Tracking for user-mode"
> > > > > > + def_bool n
> > > > > > + depends on CPU_SUP_INTEL && X86_64
> > > > > > + depends on $(cc-option,-fcf-protection)
> > > > > > + select X86_INTEL_CET
> > > > > > + help
> > > > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > > > + the kernel has this feature enabled, and the processor and
> > > > > > + the application support it. When this feature is enabled,
> > > > > > + legacy non-IBT applications continue to work, but without
> > > > > > + IBT protection.
> > > > > > +
> > > > > > + If unsure, say y
> > > > >
> > > > > If unsure, say y.
> > > >
> > > > Actually, it would be "If unsure, say Y.", to be consistent with the
> > > > rest of the Kconfig.
> > > >
> > > > But I wonder if Yes by default is good idea. Only very new CPUs will
> > > > support this, right? Are they even available at the market? Should the
> > > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> > >
> > > I will revise the wording if there is another version. But a CET-capable
> > > kernel can run on legacy systems. We have been testing that combination.
> >
> > Yes, but enabling CET is unnecessary overhead on older systems. And
> > Kconfig is a great place to explain that.
> >
>
> I can't tell any visible CET kernel overhead on my non-CET machines.

I assume you are not a troll but you sound a bit like one.

Please list kernel size before and after enabling
X86_INTEL_CET option(s).

That's the overhead I'm talking about, and that's why Kconfig should
explain what machines this is useful on.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



2020-09-21 23:50:56

by Yu-cheng Yu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On 9/18/2020 2:40 PM, Pavel Machek wrote:
> On Fri 2020-09-18 14:25:12, Yu, Yu-cheng wrote:
>> On 9/18/2020 1:59 PM, Pavel Machek wrote:
>>> On Fri 2020-09-18 13:24:13, Randy Dunlap wrote:
>>>> Hi,
>>>>
>>>> If you do another version of this:
>>>>
>>>> On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
>>>>> Introduce Kconfig option X86_INTEL_BRANCH_TRACKING_USER.
>>>>>
>>>>> Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
>>>>> oriented programming attacks. It is active when the kernel has this
>>>>> feature enabled, and the processor and the application support it.
>>>>> When this feature is enabled, legacy non-IBT applications continue to
>>>>> work, but without IBT protection.
>>>>>
>>>>> Signed-off-by: Yu-cheng Yu <[email protected]>
>>>>> ---
>>>>> v10:
>>>>> - Change build-time CET check to config depends on.
>>>>>
>>>>> arch/x86/Kconfig | 16 ++++++++++++++++
>>>>> 1 file changed, 16 insertions(+)
>>>>>
>>>>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
>>>>> index 6b6dad011763..b047e0a8d1c2 100644
>>>>> --- a/arch/x86/Kconfig
>>>>> +++ b/arch/x86/Kconfig
>>>>> @@ -1963,6 +1963,22 @@ config X86_INTEL_SHADOW_STACK_USER
>>>>> If unsure, say y.
>>>>> +config X86_INTEL_BRANCH_TRACKING_USER
>>>>> + prompt "Intel Indirect Branch Tracking for user-mode"
>>>>> + def_bool n
>>>>> + depends on CPU_SUP_INTEL && X86_64
>>>>> + depends on $(cc-option,-fcf-protection)
>>>>> + select X86_INTEL_CET
>>>>> + help
>>>>> + Indirect Branch Tracking (IBT) provides protection against
>>>>> + CALL-/JMP-oriented programming attacks. It is active when
>>>>> + the kernel has this feature enabled, and the processor and
>>>>> + the application support it. When this feature is enabled,
>>>>> + legacy non-IBT applications continue to work, but without
>>>>> + IBT protection.
>>>>> +
>>>>> + If unsure, say y
>>>>
>>>> If unsure, say y.
>>>
>>> Actually, it would be "If unsure, say Y.", to be consistent with the
>>> rest of the Kconfig.
>>>
>>> But I wonder if Yes by default is good idea. Only very new CPUs will
>>> support this, right? Are they even available at the market? Should the
>>> help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
>>
>> I will revise the wording if there is another version. But a CET-capable
>> kernel can run on legacy systems. We have been testing that combination.
>
> Yes, but enabling CET is unnecessary overhead on older systems. And
> Kconfig is a great place to explain that.

Maybe I'll add:

If the kernel is to be used only on older systems that do not support
IBT, and the size of the binary is important, you can save 900 KB by
disabling this feature.

Otherwise, if unsure, say Y.

How is that?

Thanks,
Yu-cheng

2020-09-21 23:51:39

by Dave Hansen

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On 9/21/20 3:30 PM, Yu, Yu-cheng wrote:
> +config X86_INTEL_BRANCH_TRACKING_USER
> + prompt "Intel Indirect Branch Tracking for user-mode"

Take the "Intel " and "INTEL_" out, please. It will only cause us all
pain later if some of our x86 compatriots decide to implement this.

> If the kernel is to be used only on older systems that do not support
> IBT, and the size of the binary is important, you can save 900 KB by
> disabling this feature.
>
> Otherwise, if unsure, say Y.

900k seems like a *lot*. Where the heck does that come from?

Also, comments like that don't age very well. Consider:

Support for this feature is only known to be present on Intel
processors released in 2020 or later. This feature is also
known to increase kernel text size substantially.

If unsure, say N.

The 900KB is probably wrong today in a lot of configurations, and will
only get *more* wrong over time.

2020-09-22 00:22:24

by Yu-cheng Yu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On 9/21/2020 3:41 PM, Dave Hansen wrote:
> On 9/21/20 3:30 PM, Yu, Yu-cheng wrote:
>> +config X86_INTEL_BRANCH_TRACKING_USER
>> + prompt "Intel Indirect Branch Tracking for user-mode"
>
> Take the "Intel " and "INTEL_" out, please. It will only cause us all
> pain later if some of our x86 compatriots decide to implement this.
>
>> If the kernel is to be used only on older systems that do not support
>> IBT, and the size of the binary is important, you can save 900 KB by
>> disabling this feature.
>>
>> Otherwise, if unsure, say Y.
>
> 900k seems like a *lot*. Where the heck does that come from?
>
> Also, comments like that don't age very well. Consider:
>
> Support for this feature is only known to be present on Intel
> processors released in 2020 or later. This feature is also
> known to increase kernel text size substantially.
>
> If unsure, say N.
>

Thanks!

> The 900KB is probably wrong today in a lot of configurations, and will
> only get *more* wrong over time.
>

I was talking about the vmlinux file, and probably should have said
bzImage size, which has a 14 KB increase when CET is enabled.

Yu-cheng

2020-09-22 00:22:42

by Pavel Machek

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

Hi!

> > +config X86_INTEL_BRANCH_TRACKING_USER
> > + prompt "Intel Indirect Branch Tracking for user-mode"
>
> Take the "Intel " and "INTEL_" out, please. It will only cause us all
> pain later if some of our x86 compatriots decide to implement this.

Are other x86 manufacturers legally allowed to implement that?

> > If the kernel is to be used only on older systems that do not support
> > IBT, and the size of the binary is important, you can save 900 KB by
> > disabling this feature.
> >
> > Otherwise, if unsure, say Y.
>
> 900k seems like a *lot*. Where the heck does that come from?
>
> Also, comments like that don't age very well. Consider:
>
> Support for this feature is only known to be present on Intel
> processors released in 2020 or later. This feature is also
> known to increase kernel text size substantially.
>
> If unsure, say N.

That is much better, thanks.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



2020-09-22 00:26:56

by Yu-cheng Yu

Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On 9/21/2020 3:54 PM, Dave Hansen wrote:
> On 9/21/20 3:47 PM, Yu, Yu-cheng wrote:
>>> The 900KB is probably wrong today in a lot of configurations, and will;
>>> only get *more* wrong over time.
>>
>> I was talking about the vmlinux file, and probably should have said
>> bzImage size, which has a 14 KB increase when CET is enabled.
>
> Well, vmlinux size is important too. 1 page of vmlinux size means one
> fewer page of memory available for real use.
>
> I would really encourage you when you write to try to be specific and
> use as much plain language as possible without being verbose. Most
> people understand things like "this feature increases kernel text size".
> I wouldn't expect most folks who can type "make oldconfig; make
> install" to understand the difference between vmlinux and bzImage.
>

Ok, thanks!

Yu-cheng