Commit d6f635bc authored by Kees Cook's avatar Kees Cook

x86/alternatives: Make FineIBT mode Kconfig selectable



Since FineIBT performs checking at the destination, it is weaker against
attacks that can construct arbitrary executable memory contents. As such,
some system builders want to run with FineIBT disabled by default. Allow
the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
newly introduced CONFIG_CFI_AUTO_DEFAULT.

Reviewed-by: default avatarSami Tolvanen <samitolvanen@google.com>
Reviewed-by: default avatarNathan Chancellor <nathan@kernel.org>
Tested-by: default avatarNathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org


Signed-off-by: default avatarKees Cook <kees@kernel.org>
parent 51005a59
+9 −0
@@ -2427,6 +2427,15 @@ config STRICT_SIGALTSTACK_SIZE

	  Say 'N' unless you want to really enforce this check.

config CFI_AUTO_DEFAULT
	bool "Attempt to use FineIBT by default at boot time"
	depends on FINEIBT
	default y
	help
	  Attempt to use FineIBT by default at boot time. If enabled,
	  this is the same as booting with "cfi=auto". If disabled,
	  this is the same as booting with "cfi=kcfi".

source "kernel/livepatch/Kconfig"

endmenu
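Review bot: The help text for CFI_AUTO_DEFAULT says what each setting maps to but not why a system builder would turn it off, which is the reason the commit message gives and the one a menuconfig user needs to decide. Suggest appending a help line such as `Disable this if FineIBT's destination-side checking is considered too weak against attackers who can construct arbitrary executable memory.`. It would also help to state that the option only picks the boot-time default and that an explicit `cfi=` boot parameter still takes precedence; the cfi_parse_cmdline hunk in alternative.c still maps "auto" to CFI_AUTO with no reference to this option, so presumably the parameter overrides the Kconfig choice, which is worth confirming and documenting here.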
+1 −1
Original line number Diff line number Diff line
@@ -93,7 +93,7 @@
 *
 */
enum cfi_mode {
	CFI_DEFAULT,	/* FineIBT if hardware has IBT, otherwise kCFI */
	CFI_AUTO,	/* FineIBT if hardware has IBT, otherwise kCFI */
	CFI_OFF,	/* Taditional / IBT depending on .config */
	CFI_KCFI,	/* Optionally CALL_PADDING, IBT, RETPOLINE */
	CFI_FINEIBT,	/* see arch/x86/kernel/alternative.c */
+4 −4
Original line number Diff line number Diff line
@@ -885,8 +885,8 @@ void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }

#endif /* CONFIG_X86_KERNEL_IBT */

#ifdef CONFIG_FINEIBT
#define __CFI_DEFAULT	CFI_DEFAULT
#ifdef CONFIG_CFI_AUTO_DEFAULT
#define __CFI_DEFAULT	CFI_AUTO
#elif defined(CONFIG_CFI_CLANG)
#define __CFI_DEFAULT	CFI_KCFI
#else
@@ -994,7 +994,7 @@ static __init int cfi_parse_cmdline(char *str)
		}

		if (!strcmp(str, "auto")) {
			cfi_mode = CFI_DEFAULT;
			cfi_mode = CFI_AUTO;
		} else if (!strcmp(str, "off")) {
			cfi_mode = CFI_OFF;
			cfi_rand = false;
@@ -1254,7 +1254,7 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
		      "FineIBT preamble wrong size: %ld", fineibt_preamble_size))
		return;

	if (cfi_mode == CFI_DEFAULT) {
	if (cfi_mode == CFI_AUTO) {
		cfi_mode = CFI_KCFI;
		if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT))
			cfi_mode = CFI_FINEIBT;
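Review bot: After the @@ -885 hunk, a FINEIBT=y build with CFI_AUTO_DEFAULT=n resolves `__CFI_DEFAULT` through the surviving `#elif defined(CONFIG_CFI_CLANG)` branch, and nothing on the page shows that this always yields CFI_KCFI as the new Kconfig help ("cfi=kcfi") promises; it holds only if FINEIBT implies CFI_CLANG, which is presumably guaranteed by FINEIBT's own dependencies but is not visible here, and the `#else` arm of this block lies outside the hunk. A one-line comment above the new `#ifdef` would make the intent checkable for the next reader, e.g. `/* CFI_AUTO_DEFAULT depends on FINEIBT; a FINEIBT=y build without it must land on CFI_KCFI to match "cfi=kcfi" */`. The CFI_DEFAULT to CFI_AUTO renames in the @@ -994 and @@ -1254 hunks are consistent with the header change; cfi_parse_cmdline and __apply_fineibt both continue outside their hunks.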