[PATCH] hardening: Refresh KCFI options, add some more
Kees Cook
keescook at chromium.org
Tue Apr 30 10:48:36 PDT 2024
On Tue, Apr 30, 2024 at 11:21:40AM +0200, Peter Zijlstra wrote:
> On Fri, Apr 26, 2024 at 03:29:44PM -0700, Kees Cook wrote:
>
> > - CONFIG_CFI_CLANG=y for x86 and arm64. (And disable FINEIBT since
> > it isn't as secure as straight KCFI.)
>
> Oi ?

Same objection I always had[1]: moving the check into the destination
means attacks with control over executable memory contents can just omit
the check.

But now that I went to go look I see 0c3e806ec0f9 ("x86/cfi: Add boot
time hash randomization") is only enabled under FINEIBT... seems better
if that were always enabled...

-Kees

[1] https://lore.kernel.org/all/202210181020.79AF7F7@keescook/

--
Kees Cook