Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

From: Dave Hansen
Date: Fri Jan 29 2021 - 14:43:29 EST


On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
> + help
> + Control-flow protection is a hardware security hardening feature
> + that detects function-return address or jump target changes by
> + malicious code.
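
Review bot: "changes by malicious code" at the end of the first help sentence describes intent, which the hardware cannot observe; it can only flag a return address or indirect-branch target that fails its check, whatever caused the change. Suggest wording the sentence around what is checked (return addresses and indirect-branch targets) and leaving out who modified them.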

It's not really one feature. I also think it's not worth talking about
shadow stacks or indirect branch tracking in *here*. Leave that for
Documentation/.

Just say:

Control-flow protection is a set of hardware features which
place additional restrictions on indirect branches. These help
mitigate ROP attacks.

... and add more in the IBT patches.

> Applications must be enabled to use it, and old
> + userspace does not get protection "for free".
> + Support for this feature is present on processors released in
> + 2020 or later. Enabling this feature increases kernel text size
> + by 3.7 KB.
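
Review bot: the fixed "3.7 KB" text-size figure in the last help sentence depends on compiler and configuration and will go stale as the series changes. Suggest either dropping the number or marking it as approximate and saying which build it was measured on. In the same paragraph, "Applications must be enabled to use it" does not tell the reader how an application becomes enabled; a pointer to the Documentation/ file that covers this would help.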

Did any CPUs ever get released that have this? If so, name them. If
not, time to change this to 2021, I think.