FineIBT Looks Like It Could Be Ready For Linux 6.2

Written by Michael Larabel in Linux Kernel on 2 November 2022 at 05:54 AM EDT. Add A Comment
LINUX KERNEL
It looks like FineIBT as combining the best of Intel's Control-flow Enforcement Technology and Control Flow Integrity as an enhanced, alternative control flow integrity (CFI) implementation could be ready for mainline with the upcoming Linux 6.2 cycle.

The FineIBT support has been added to TIP's x86/core branch where the core x86 changes normally reside until being submitted as part of the next kernel cycle's merge window. Given the timing and barring any issues from being raised with FineIBT, now that it's reached TIP x86/core it's likely to then be submitted for the Linux 6.2 merge window in December.


Intel engineers worked on this "Fine Indirect Branch Tracking" code. As explained in the patch:
Implement an alternative CFI scheme that merges both the fine-grained nature of kCFI but also takes full advantage of the coarse grained hardware CFI as provided by IBT.

To contrast:

kCFI is a pure software CFI scheme and relies on being able to read text -- specifically the instruction *before* the target symbol, and does the hash validation *before* doing the call (otherwise control flow is compromised already).

FineIBT is a software and hardware hybrid scheme; by ensuring every branch target starts with a hash validation it is possible to place the hash validation after the branch. This has several advantages:

o the (hash) load is avoided; no memop; no RX requirement.

o IBT WAIT-FOR-ENDBR state is a speculation stop; by placing the hash validation in the immediate instruction after the branch target there is a minimal speculation window and the whole is a viable defence against SpectreBHB.

o Kees feels obliged to mention it is slightly more vulnerable when the attacker can write code.

Obviously this patch relies on kCFI, but additionally it also relies on the padding from the call-depth-tracking patches. It uses this padding to place the hash-validation while the call-sites are re-written to modify the indirect target to be 16 bytes in front of the original target, thus hitting this new preamble.

Notably, there is no hardware that needs call-depth-tracking (Skylake) and supports IBT (Tigerlake and onwards).

The config option for this kernel feature is under "FINEIBT".
Add A Comment
Related News
Linux 6.6.66 LTS Kernel Released With New Hardware Support & Many Fixes
NTSYNC Linux Driver Updated With API Design Improvements
New Linux Patch Establishes "CONFIG_X86_64_NATIVE" For -march=native Kernel Builds
Perf Support For 2,048 CPU Cores Is Becoming Not Enough - Patches Bump Kernel Limit
Linux 6.13-rc2 Released With An Initial Batch Of Fixes
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries