[PATCH] x86/Kconfig: Enable kernel IBT by default

Kees Cook posted 1 patch 3 years, 7 months ago
There is a newer version of this series
arch/x86/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
This security defense is runtime enabled via CPU ID, so build it in by
default. It will be enabled if the CPU supports it. The build takes
2 seconds longer, which seems a small price to pay for gaining this
coverage by default.

Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Suggested-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f9920f1341c8..b48fd28cba4a 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1837,7 +1837,7 @@ config CC_HAS_IBT
 
 config X86_KERNEL_IBT
 	prompt "Indirect Branch Tracking"
-	bool
+	def_bool y
 	depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
 	# https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
 	depends on !LD_IS_LLD || LLD_VERSION >= 140000
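Review bot: on the `+	def_bool y` line, the symbol keeps its `prompt`, so this changes only the default value; an existing .config that already has `# CONFIG_X86_KERNEL_IBT is not set` stays off after `make oldconfig`, and the commit message should say that "by default" covers new and defconfig-derived configs only. The two `depends on` lines are unchanged, so a build without `CC_HAS_IBT` or `HAVE_OBJTOOL`, or one linked with LLD older than 140000, still will not get the option, which is worth one sentence in the log. The "2 seconds longer" figure would be more useful with its baseline (total build time and toolchain), since the build cost is the stated justification for flipping the default.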
-- 
2.34.1