Intel CET Indirect Branch Tracking Submitted For Linux 5.18

Written by Michael Larabel in Intel on 26 March 2022 at 01:45 PM EDT.
Indirect Branch Tracking (IBT) that is part of Intel's Control-Flow Enforcement Technology (CET) found with Tiger Lake CPUs and newer is landing for the Linux 5.18 kernel.

Intel's Peter Zijlstra recently wrapped up work on the latest IBT patches for the Linux kernel, bringing this newest CPU security feature to mainline. IBT helps protect against JUMP/CALL-oriented programming (JOP/COP) attacks. IBT is hardware-based, coarse-grained, forward-edge Control Flow Integrity (CFI) protection. When enabled for the kernel build, it ensures indirect calls and jumps land on an ENDBR instruction. Besides all of the Linux kernel patches to make IBT a reality, compiler-side support is necessary, which means GCC 9 and newer or LLVM Clang 14 and newer.

Zijlstra sums up the CET-IBT functionality for the Linux kernel as:
Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a coarse grained, hardware based, forward edge Control-Flow-Integrity mechanism where any indirect CALL/JMP must target an ENDBR instruction or suffer #CP.

Additionally, since Alderlake (12th gen)/Sapphire-Rapids, speculation is limited to 2 instructions (and typically fewer) on branch targets not starting with ENDBR. CET-IBT also limits speculation of the next sequential instruction after the indirect CALL/JMP.

CET-IBT is fundamentally incompatible with retpolines, but provides, as described above, speculation limits itself.
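To make the "any indirect CALL/JMP must target an ENDBR instruction or suffer #CP" rule concrete, here is a small software model of the check, written as an added example for this article. It is not code from the kernel patches or from Intel; the hardware performs this check on every indirect branch, and the model only reproduces the decision over a constructed byte buffer standing in for kernel `.text`. The `F3 0F 1E FA` encoding of ENDBR64 is the real one (compilers emit it at function entries when building with GCC's `-fcf-protection=branch`); the sample code bytes, offsets and function names are constructed for illustration. The model also shows why the mechanism is called coarse-grained: every ENDBR-prefixed entry point is an acceptable target, regardless of whether it is the function the caller intended.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real encoding of the ENDBR64 instruction (executes as a NOP on CPUs
 * without CET, which is why compilers can emit it unconditionally). */
#define ENDBR64_LEN 4
static const uint8_t ENDBR64[ENDBR64_LEN] = {0xF3, 0x0F, 0x1E, 0xFA};

enum ibt_result {
    IBT_OK = 0,          /* target starts with ENDBR64: branch proceeds   */
    IBT_CP_FAULT = 1,    /* hardware would raise #CP (control protection) */
    IBT_OUT_OF_RANGE = 2 /* target not inside the modelled text region    */
};

/* Model of the IBT state machine's check: after an indirect CALL/JMP the
 * next instruction fetched must be ENDBR64, otherwise #CP is delivered. */
enum ibt_result ibt_check_target(const uint8_t *text, size_t text_len,
                                 size_t target_off)
{
    if (target_off > text_len || text_len - target_off < ENDBR64_LEN)
        return IBT_OUT_OF_RANGE;
    return memcmp(text + target_off, ENDBR64, ENDBR64_LEN) == 0
               ? IBT_OK : IBT_CP_FAULT;
}

/* Number of byte offsets an indirect branch may legally land on. This is
 * the whole set IBT permits: it does not distinguish between functions,
 * which is what "coarse-grained" means in practice. */
size_t ibt_count_valid_targets(const uint8_t *text, size_t text_len)
{
    size_t n = 0;
    for (size_t off = 0; off + ENDBR64_LEN <= text_len; off++)
        if (memcmp(text + off, ENDBR64, ENDBR64_LEN) == 0)
            n++;
    return n;
}

/* Constructed stand-in for a kernel .text region (x86-64 machine code). */
static const uint8_t sample_text[] = {
    /* 0x00 func_a: endbr64; push rbp; mov rbp,rsp; pop rbp; ret */
    0xF3, 0x0F, 0x1E, 0xFA, 0x55, 0x48, 0x89, 0xE5, 0x5D, 0xC3,
    /* 0x0A func_b: endbr64; xor eax,eax; ret */
    0xF3, 0x0F, 0x1E, 0xFA, 0x31, 0xC0, 0xC3,
    /* 0x11 helper reached only by direct CALL, so no endbr64:
     *      mov eax,1; ret */
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,
};
#define FUNC_A_OFF     0x00  /* legitimate indirect-call target        */
#define FUNC_A_MID_OFF 0x04  /* "push rbp" inside func_a, a JOP-style  */
                             /* mid-function gadget address            */
#define FUNC_B_OFF     0x0A  /* another ENDBR-prefixed function        */
#define HELPER_OFF     0x11  /* function without ENDBR                 */

size_t sample_text_len(void) { return sizeof sample_text; }

static const char *describe(enum ibt_result r)
{
    return r == IBT_OK ? "OK" : r == IBT_CP_FAULT ? "#CP" : "out of range";
}

int main(void)
{
    size_t len = sample_text_len();
    printf("func_a entry:   %s\n", describe(ibt_check_target(sample_text, len, FUNC_A_OFF)));
    printf("func_a mid:     %s\n", describe(ibt_check_target(sample_text, len, FUNC_A_MID_OFF)));
    printf("func_b entry:   %s\n", describe(ibt_check_target(sample_text, len, FUNC_B_OFF)));
    printf("helper entry:   %s\n", describe(ibt_check_target(sample_text, len, HELPER_OFF)));
    printf("valid targets:  %zu\n", ibt_count_valid_targets(sample_text, len));
    return 0;
}
```

The mid-function and no-ENDBR cases are what IBT stops: a corrupted function pointer redirected into the body of `func_a` or onto the direct-call-only helper faults with #CP instead of executing. The `func_b` case is the caveat: a pointer that should have reached `func_a` but was redirected to `func_b` passes, because IBT only checks that the landing pad is an ENDBR, not that it is the right one. That is why the kernel's IBT is described as coarse-grained and why finer-grained CFI schemes (which also check the function's type or identity) remain relevant alongside it.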

Intel has been working on both Shadow Stack and Indirect Branch Tracking support for the Linux kernel.

With this pull, IBT is ready to go for Linux 5.18 on Intel's latest processors.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
