Date: Fri, 18 Sep 2020 14:36:11 -0700
From: "H.J. Lu" <hjl.tools@...il.com>
To: Pavel Machek <pavel@....cz>
Cc: Randy Dunlap <rdunlap@...radead.org>, Yu-cheng Yu <yu-cheng.yu@...el.com>, "the arch/x86 maintainers" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, LKML <linux-kernel@...r.kernel.org>, "open list:DOCUMENTATION" <linux-doc@...r.kernel.org>, Linux-MM <linux-mm@...ck.org>, linux-arch <linux-arch@...r.kernel.org>, Linux API <linux-api@...r.kernel.org>, Arnd Bergmann <arnd@...db.de>, Andy Lutomirski <luto@...nel.org>, Balbir Singh <bsingharora@...il.com>, Borislav Petkov <bp@...en8.de>, Cyrill Gorcunov <gorcunov@...il.com>, Dave Hansen <dave.hansen@...ux.intel.com>, Eugene Syromiatnikov <esyr@...hat.com>, Florian Weimer <fweimer@...hat.com>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Mike Kravetz <mike.kravetz@...cle.com>, Nadav Amit <nadav.amit@...il.com>, Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <peterz@...radead.org>, "Ravi V. Shankar" <ravi.v.shankar@...el.com>, Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>, Dave Martin <Dave.Martin@....com>, Weijiang Yang <weijiang.yang@...el.com>
Subject: Re: [PATCH v12 1/8] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking

On Fri, Sep 18, 2020 at 2:24 PM Pavel Machek <pavel@....cz> wrote:
>
> Hi!
>
> > > > > + help
> > > > > + Indirect Branch Tracking (IBT) provides protection against
> > > > > + CALL-/JMP-oriented programming attacks. It is active when
> > > > > + the kernel has this feature enabled, and the processor and
> > > > > + the application support it. When this feature is enabled,
> > > > > + legacy non-IBT applications continue to work, but without
> > > > > + IBT protection.
> > > > > +
> > > > > + If unsure, say y
> > > >
> > > > If unsure, say y.
> > >
> > > Actually, it would be "If unsure, say Y.", to be consistent with the
> > > rest of the Kconfig.
> > >
> > > But I wonder if Yes by default is a good idea. Only very new CPUs will
> > > support this, right? Are they even available on the market? Should the
> > > help text say "if your CPU is Whatever Lake or newer, ...." :-) ?
> > >
> >
> > A CET-enabled kernel runs on all x86-64 processors. All my machines
> > are running the same CET-enabled kernel binary.
>
> I believe that.
>
> But enabling CET in the kernel is useless on a Core 2 Duo machine, right?
>

This is very important for a CET kernel to run on a Core 2 Duo machine.
Otherwise, a distro needs to provide 2 kernel binaries, one for CET CPUs
and one for non-CET CPUs.

-- 
H.J.
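The thread turns on the fact that IBT is only active when the processor supports it, while the same kernel binary must still boot on older CPUs. The following C program is an added example, not part of the mail thread or of the kernel patch series: it decodes the CET feature bits that Intel documents in CPUID leaf 7, sub-leaf 0 (ECX bit 7 = CET_SS shadow stack, EDX bit 20 = CET_IBT) so an administrator can tell whether a given machine would actually get IBT protection from a CET-enabled kernel. The decoder is split from the CPUID instruction so it can be exercised with constructed register values on any architecture; the struct and function names are this example's own.

```c
/* Added example (not from the thread): decode Intel CET feature bits
 * from CPUID leaf 7, sub-leaf 0, so an admin can tell whether the CPU
 * itself supports IBT before worrying about the Kconfig default.
 * Bit positions follow Intel's CPUID documentation:
 *   CPUID.(EAX=7,ECX=0):ECX[bit 7]  = CET_SS  (shadow stack)
 *   CPUID.(EAX=7,ECX=0):EDX[bit 20] = CET_IBT (indirect branch tracking)
 */
#include <stdio.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Hypothetical result type for this example. */
struct cet_features {
    int queried;      /* 1 if CPUID leaf 7 was actually executed on this machine */
    int shadow_stack; /* CET_SS present */
    int ibt;          /* CET_IBT present */
};

/* Pure decoder: takes raw ECX/EDX from leaf 7 sub-leaf 0. Kept separate
 * from the CPUID instruction so it can be tested with constructed
 * register values on any architecture. */
struct cet_features cet_features_from_leaf7(uint32_t ecx, uint32_t edx)
{
    struct cet_features f = {0, 0, 0};
    f.shadow_stack = (int)((ecx >> 7) & 1u);
    f.ibt = (int)((edx >> 20) & 1u);
    return f;
}

/* Run CPUID on the current processor. On non-x86 builds, or when the
 * CPU does not expose leaf 7 at all (an old Core 2 Duo, for instance),
 * report queried = 0 so the caller does not mistake "could not ask"
 * for "asked and not supported". */
struct cet_features probe_cet_features(void)
{
    struct cet_features f = {0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    /* __get_cpuid_count returns 0 if the max basic leaf is below 7. */
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) {
        f = cet_features_from_leaf7(ecx, edx);
        f.queried = 1;
    }
#endif
    return f;
}

int main(void)
{
    struct cet_features f = probe_cet_features();
    if (!f.queried) {
        printf("CPUID leaf 7 not available on this build/CPU; CET cannot be active\n");
        return 0;
    }
    printf("CET shadow stack: %s\n", f.shadow_stack ? "yes" : "no");
    printf("CET IBT:          %s\n", f.ibt ? "yes" : "no");
    return 0;
}
```

On a CPU without CET both bits read 0, and on a processor too old to expose leaf 7 the probe reports that it could not query at all; in both cases the single CET-enabled kernel binary from the thread still boots, it simply runs without IBT, which is exactly the "legacy hardware keeps working, protection is opportunistic" property the Kconfig help text describes.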