www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Kees Cook <keescook@chromium.org>
	Wed, 1 May 2024 00:02:22 +0000 (17:02 -0700)
committer	Kees Cook <kees@kernel.org>
	Wed, 19 Jun 2024 19:41:08 +0000 (12:41 -0700)
commit	d6f635bcaca8d38dfa47ee20658705f9eff156b5
tree	22797324cba2df59d8c04d42d95e71884bc39e85	tree
parent	51005a59bcbe1add8802105437b3707ea257f2ea	commit \| diff

x86/alternatives: Make FineIBT mode Kconfig selectable

Since FineIBT performs checking at the destination, it is weaker against
attacks that can construct arbitrary executable memory contents. As such,
some system builders want to run with FineIBT disabled by default. Allow
the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
newly introduced CONFIG_CFI_AUTO_DEFAULT.

Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>

arch/x86/Kconfig		diff \| blob \| history
arch/x86/include/asm/cfi.h		diff \| blob \| history
arch/x86/kernel/alternative.c		diff \| blob \| history