Intel CET Indirect Branch Tracking Submitted For Linux 5.18

Written by Michael Larabel in Intel on 26 March 2022 at 01:45 PM EDT. 4 Comments
INTEL
Indirect Branch Tracking (IBT) that is part of Intel's Control-Flow Enforcement Technology (CET) found with Tiger Lake CPUs and newer is landing for the Linux 5.18 kernel.

Intel's Peter Zijlstra recently wrapped up work on the latest IBT patches for the Linux kernel as this newest CPU security feature. IBT helps protect against JUMP/CALL oriented attacks. IBT is hardware-based, course-grain forward-edge Control Flow Integrity (CFI) protection. When enabled for the kernel build, it ensures indirect calls land on an ENDBR instruction. Besides all of the Linux kernel patches to make IBT a reality, there is compiler-side support necessary that means GCC 9 and newer or LLVM Clang 14 and newer.

Zijlstra sums up the CET-IBT functionality for the Linux kernel as:
Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a coarse grained, hardware based, forward edge Control-Flow-Integrity mechanism where any indirect CALL/JMP must target an ENDBR instruction or suffer #CP.

Additionally, since Alderlake (12th gen)/Sapphire-Rapids, speculation is limited to 2 instructions (and typically fewer) on branch targets not starting with ENDBR. CET-IBT also limits speculation of the next sequential instruction after the indirect CALL/JMP.

CET-IBT is fundamentally incompatible with retpolines, but provides, as described above, speculation limits itself.


Intel has been working on both Shadow Stack and Indirect Branch Tracking support for the Linux kernel.


With this pull IBT is ready to go for Linux 5.18 on Intel's latest processors.
4 Comments
Related News
Intel Lands "Round Robin Strict" Driver Optimization For Helping Battlemage/Xe2
Intel Looking To Raise SPIR-V Backend To Becoming An Official LLVM Target
Intel Panther Lake & Clearwater Forest Power Management Patches For Linux 6.14
Intel Begins Readying Graphics Driver Changes For The Linux 6.14 Kernel
UMD Direct Submission "Proof Of Concept" For The Intel Xe Linux Driver
Intel Linux Display Driver Being Adapted For DRM Panic "Blue Screen of Death" Support
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features