With what appears to be an unavoidable pivot gadget always present in the kernel (the entry code), FineIBT's lack of caller-side CFI hash validation leaves it critically flawed[1]. Require FRED for FineIBT[2] (and it probably should also require eXecute-Only memory), and default to kCFI when CFI is built in.
Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ [1] Link: https://lore.kernel.org/linux-hardening/[email protected]/ [2] Signed-off-by: Kees Cook <[email protected]> --- Cc: Peter Zijlstra <[email protected]> Cc: Jennifer Miller <[email protected]> Cc: Andrew Cooper <[email protected]> Cc: Sami Tolvanen <[email protected]> Cc: Jann Horn <[email protected]> Cc: Nathan Chancellor <[email protected]> Cc: Thomas Gleixner <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: Borislav Petkov <[email protected]> Cc: Dave Hansen <[email protected]> Cc: [email protected] Cc: "H. Peter Anvin" <[email protected]> Cc: Alexei Starovoitov <[email protected]> Cc: Josh Poimboeuf <[email protected]> Cc: "Mike Rapoport (Microsoft)" <[email protected]> --- arch/x86/Kconfig | 9 +++++---- arch/x86/include/asm/cfi.h | 2 +- arch/x86/kernel/alternative.c | 4 +++- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index c94dae634176..47aec3a497f6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2432,12 +2432,13 @@ config STRICT_SIGALTSTACK_SIZE config CFI_AUTO_DEFAULT bool "Attempt to use FineIBT by default at boot time" - depends on FINEIBT + depends on FINEIBT && X86_FRED default y help - Attempt to use FineIBT by default at boot time. If enabled, - this is the same as booting with "cfi=auto". If disabled, - this is the same as booting with "cfi=kcfi". + Attempt to use FineIBT by default at boot time if supported + and sensible for the hardware. If enabled, this is the same + as booting with "cfi=auto". If disabled, this is the same as + booting with "cfi=kcfi". source "kernel/livepatch/Kconfig" diff --git a/arch/x86/include/asm/cfi.h b/arch/x86/include/asm/cfi.h index ef5e0a698253..dfa2ba4cceca 100644 --- a/arch/x86/include/asm/cfi.h +++ b/arch/x86/include/asm/cfi.h 
@@ -93,7 +93,7 @@ * */ enum cfi_mode { - CFI_AUTO, /* FineIBT if hardware has IBT, otherwise kCFI */ + CFI_AUTO, /* FineIBT if hardware has IBT, FRED, and XOM */ CFI_OFF, /* Taditional / IBT depending on .config */ CFI_KCFI, /* Optionally CALL_PADDING, IBT, RETPOLINE */ CFI_FINEIBT, /* see arch/x86/kernel/alternative.c */ diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 97422292b609..acc12a6efc18 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -1323,7 +1323,9 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline, if (cfi_mode == CFI_AUTO) { cfi_mode = CFI_KCFI; - if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) + /* FineIBT requires IBT and will only be safe with FRED */ + if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT) && + cpu_feature_enabled(X86_FEATURE_FRED)) cfi_mode = CFI_FINEIBT; } -- 2.34.1
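Review bot: In the arch/x86/Kconfig hunk, `depends on FINEIBT && X86_FRED` is a build-time gate, but FRED availability is decided at runtime by `cpu_feature_enabled(X86_FEATURE_FRED)` in the alternative.c hunk, so a kernel with X86_FRED built in that boots on a CPU without FRED will now silently take the kCFI fallback even with CFI_AUTO_DEFAULT=y. The new help text ("if supported and sensible for the hardware") would be clearer if it said so explicitly, e.g. "falls back to kCFI when the CPU lacks IBT or FRED", so users reading the config know why FineIBT did not engage.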
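Review bot: In the arch/x86/include/asm/cfi.h hunk, the new comment `CFI_AUTO, /* FineIBT if hardware has IBT, FRED, and XOM */` claims an XOM requirement that nothing in this patch enforces: the alternative.c hunk checks only `X86_FEATURE_IBT` and `X86_FEATURE_FRED`, and the Kconfig hunk depends only on `X86_FRED`. Either drop "and XOM" from the comment (matching the commit message, which calls XOM a "probably should") or add the corresponding check, so the enum comment does not promise more than `__apply_fineibt` delivers. While touching this enum, the adjacent context line `CFI_OFF, /* Taditional / IBT depending on .config */` has a typo ("Traditional") that could be fixed in a separate cleanup.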
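Review bot: In the arch/x86/kernel/alternative.c hunk, the FRED requirement is added only inside the `if (cfi_mode == CFI_AUTO)` branch, so it demotes the automatic choice but does nothing when `cfi_mode` arrives already set to `CFI_FINEIBT` (e.g. via an explicit `cfi=fineibt`). The commit message says "Require FRED for FineIBT", and the new comment says FineIBT "will only be safe with FRED"; if that is the intent, consider also handling the explicit `CFI_FINEIBT` case on non-FRED hardware (downgrade to `CFI_KCFI` with a warning, or at least a `pr_warn()` that the mode is unsafe), or reword the commit message and comment to say that only the auto selection now requires FRED and that the explicit mode remains an override.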
