This repository was archived by the owner on Nov 8, 2023. It is now read-only.
The kernel is currently configured to patch itself to use FineIBT
instead of the traditional kCFI implementation when the hardware
supports IBT. However, due to recent security concerns with the design
of FineIBT [1], enabling FineIBT is currently considered a security
downgrade. Thus, disable this option and always use traditional kCFI.

This issue was discovered in relation to an issue with Rust drivers (see
the referenced bug). That issue has already been fixed [2][3][4].

The enablement of FineIBT happens at runtime, and it's controlled by
the cfi= kernel parameter. cfi=auto always enables FineIBT if the CPU
supports IBT, whereas cfi=kcfi tells the kernel not to use FineIBT.
The default value for this parameter depends on CONFIG_CFI_AUTO_DEFAULT.
If set, it's cfi=auto, if unset, it's cfi=kcfi.

This patch does not modify arch/arm64/configs/gki_defconfig because
FineIBT does not exist on ARM, as it relies on the hardware feature IBT
that only exists on x86.

Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ [1]
Link: rust-lang/rust#139632 [2]
Link: https://r.android.com/3602350 [3]
Link: https://lore.kernel.org/all/[email protected] [4]
Bug: 404795641
Change-Id: Idfb23c122e53d2d46612cceff0d1dbf5c1c0c813
Signed-off-by: Paweł Anikiel <[email protected]>
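
The selection rules described in the commit message can be checked against a build or a running x86 system. The following is an added example, not code from this commit or the kernel tree: the function name `effective_cfi` is hypothetical, and it assumes that the last `cfi=` on the command line wins and that IBT support shows up as the `ibt` flag in `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example: resolve which CFI scheme the rules in the commit message select.
# Usage: effective_cfi "<kernel cmdline>" "<kernel config text>" "<cpu flags>"
effective_cfi() {
    cmdline=$1 config=$2 flags=$3
    mode=""
    # Pick up an explicit cfi= parameter (assumption: the last one wins).
    for word in $cmdline; do
        case $word in
            cfi=*) mode=${word#cfi=} ;;
        esac
    done
    # No explicit parameter: the default comes from CONFIG_CFI_AUTO_DEFAULT.
    if [ -z "$mode" ]; then
        if printf '%s\n' "$config" | grep -qx 'CONFIG_CFI_AUTO_DEFAULT=y'; then
            mode=auto
        else
            mode=kcfi
        fi
    fi
    case $mode in
        kcfi) echo kcfi ;;
        auto)
            # cfi=auto selects FineIBT only when the CPU supports IBT.
            case " $flags " in
                *" ibt "*) echo fineibt ;;
                *) echo kcfi ;;
            esac ;;
        # Values other than the two named in the commit message are not resolved.
        *) echo "unhandled:$mode" ;;
    esac
}

# Optional live check: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)")
    cpu=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    effective_cfi "$(cat /proc/cmdline)" "$cfg" "$cpu"
fi
```

A result of `fineibt` on a kernel built before this change means the boot parameters or the config still leave the runtime patching enabled; adding `cfi=kcfi` to the command line forces traditional kCFI regardless of the config default.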