Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection

[Yu, Yu-cheng]

On 1/29/2021 11:42 AM, Dave Hansen wrote:
> On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
> > +	help
> > +	  Control-flow protection is a hardware security hardening feature
> > +	  that detects function-return address or jump target changes by
> > +	  malicious code.
>
> It's not really one feature.  I also think it's not worth talking about
> shadow stacks or indirect branch tracking in *here*.  Leave that for
> Documentation/.
>
> Just say:
>
> 	Control-flow protection is a set of hardware features which
> 	place additional restrictions on indirect branches.  These help
> 	mitigate ROP attacks.
>
> ... and add more in the IBT patches.
>
> >   Applications must be enabled to use it, and old
> > +	  userspace does not get protection "for free".
> > +	  Support for this feature is present on processors released in
> > +	  2020 or later.  Enabling this feature increases kernel text size
> > +	  by 3.7 KB.
>
> Did any CPUs ever get released that have this?  If so, name them.  If
> not, time to change this to 2021, I think.

Ok.  I will update this.

Yu-cheng