www.infradead.org Git - users/jedix/linux-maple.git/commit
x86/ibt: Add paranoid FineIBT mode
author Peter Zijlstra <peterz@infradead.org>
Wed, 26 Feb 2025 11:25:17 +0000 (12:25 +0100)
committer Ingo Molnar <mingo@kernel.org>
Wed, 26 Feb 2025 11:27:45 +0000 (12:27 +0100)
commit 97e59672a9d2aec0c27f6cd6a6b0edfdd6e5a85c
tree 67e510c3bfdf0f606266b1c801d2b762d5da79f3
parent 029f718fedd72872f7475604fe71b2a841108834
x86/ibt: Add paranoid FineIBT mode

Due to concerns about circumvention attacks against FineIBT on 'naked'
ENDBR, add an additional caller side hash check to FineIBT. This
should make it impossible to pivot over such a 'naked' ENDBR
instruction at the cost of an additional load.

The specific pivot reported was against the SYSCALL entry site and
FRED will have all those holes fixed up.

  https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/

This specific fineibt_paranoid_start[] sequence was concocted by
Scott.

Suggested-by: Scott Constable <scott.d.constable@intel.com>
Reported-by: Jennifer Miller <jmill@asu.edu>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250224124200.598033084@infradead.org
arch/x86/kernel/alternative.c