Thread (49 messages) 49 messages, 4 authors, 2021-02-03

Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

From: Andy Lutomirski <luto@amacapital.net>
Date: 2021-01-29 20:02:27
Also in: linux-api, linux-arch, linux-mm, lkml

On Jan 29, 2021, at 11:42 AM, Dave Hansen [off-list ref] wrote:

On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
quoted
+    help
+      Control-flow protection is a hardware security hardening feature
+      that detects function-return address or jump target changes by
+      malicious code.
It's not really one feature.  I also think it's not worth talking about
shadow stacks or indirect branch tracking in *here*.  Leave that for
Documentation/.

Just say:

   Control-flow protection is a set of hardware features which
   place additional restrictions on indirect branches.  These help
   mitigate ROP attacks.

... and add more in the IBT patches.
quoted
Applications must be enabled to use it, and old
+      userspace does not get protection "for free".
+      Support for this feature is present on processors released in
+      2020 or later.  Enabling this feature increases kernel text size
+      by 3.7 KB.
Did any CPUs ever get released that have this?  If so, name them.  If
not, time to change this to 2021, I think.
Zen 3 :)
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help