Intel CET Indirect Branch Tracking Submitted For Linux 5.18
Intel's Peter Zijlstra recently wrapped up work on the latest IBT patches for the Linux kernel, bringing this newest CPU security feature to Linux. IBT helps protect against JMP/CALL-oriented attacks (JOP/COP). IBT is a hardware-based, coarse-grained, forward-edge Control Flow Integrity (CFI) protection. When enabled for the kernel build, it ensures that indirect calls and jumps land on an ENDBR instruction; any other target raises a control-protection fault. Besides all of the Linux kernel patches needed to make IBT a reality, compiler-side support is also required, which means GCC 9 and newer or LLVM Clang 14 and newer.
Zijlstra sums up the CET-IBT functionality for the Linux kernel as:
Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a coarse grained, hardware based, forward edge Control-Flow-Integrity mechanism where any indirect CALL/JMP must target an ENDBR instruction or suffer #CP.
Additionally, since Alderlake (12th gen)/Sapphire-Rapids, speculation is limited to 2 instructions (and typically fewer) on branch targets not starting with ENDBR. CET-IBT also limits speculation of the next sequential instruction after the indirect CALL/JMP.
CET-IBT is fundamentally incompatible with retpolines, but provides, as described above, speculation limits itself.
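To make the rule in Zijlstra's description concrete, here is a small software model of the check a CET-IBT CPU applies after an indirect CALL/JMP resolves: the landing instruction must be ENDBR64 (opcode bytes F3 0F 1E FA, which decode as a NOP on CPUs without CET), otherwise the CPU raises #CP. This is an added example written for this article, not kernel or Intel code; the function names, the constructed byte sequences, and the return-value convention are assumptions made here for illustration. The CPUID probe (leaf 7, sub-leaf 0, EDX bit 20) only reports whether the CPU supports IBT, not whether the running kernel has enabled it.

```c
/* Software model of the CET-IBT forward-edge check (added example, not
 * kernel or Intel code). An indirect CALL/JMP may only land on an
 * instruction starting with ENDBR64 (F3 0F 1E FA); anything else is what
 * the hardware reports as #CP. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Encoding of ENDBR64; an architectural NOP on pre-CET processors. */
static const uint8_t ENDBR64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };

/* Returns 1 if the bytes at target begin with ENDBR64, else 0. */
int ibt_target_is_valid(const uint8_t *target, size_t len)
{
    if (target == NULL || len < sizeof ENDBR64)
        return 0;
    return memcmp(target, ENDBR64, sizeof ENDBR64) == 0;
}

/* Emulates the branch-target check: 0 on a valid landing pad, -1 where a
 * CET-IBT CPU would raise #CP instead of executing the target. */
int ibt_indirect_branch(const uint8_t *target, size_t len)
{
    return ibt_target_is_valid(target, len) ? 0 : -1;
}

/* CPUID.(EAX=7,ECX=0):EDX[20] reports CET_IBT support on x86. On other
 * architectures this model simply reports "unsupported". */
int cpu_has_ibt(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((edx >> 20) & 1u);
#else
    return 0;
#endif
}

/* Constructed sample "code" (assumed for this example): raw bytes of two
 * function entries and one mid-function instruction sequence. */
static const uint8_t good_entry[] = {
    0xF3, 0x0F, 0x1E, 0xFA,   /* endbr64          */
    0x55,                     /* push rbp         */
    0x48, 0x89, 0xE5          /* mov  rbp, rsp    */
};
static const uint8_t bad_entry[] = {
    0x55,                     /* push rbp (no landing pad: built without IBT) */
    0x48, 0x89, 0xE5          /* mov  rbp, rsp    */
};
static const uint8_t gadget[] = {
    0x5F,                     /* pop rdi          */
    0xC3                      /* ret              */
};

/* A real function, so the demo can inspect what the compiler emitted. */
static int demo_callee(int x) { return x + 1; }

int main(void)
{
    printf("CPU reports IBT support: %s\n", cpu_has_ibt() ? "yes" : "no");
    printf("function entry with endbr64  -> %s\n",
           ibt_indirect_branch(good_entry, sizeof good_entry) == 0 ? "ok" : "#CP");
    printf("function entry without it    -> %s\n",
           ibt_indirect_branch(bad_entry, sizeof bad_entry) == 0 ? "ok" : "#CP");
    printf("jump past the landing pad    -> %s\n",
           ibt_indirect_branch(good_entry + 4, sizeof good_entry - 4) == 0 ? "ok" : "#CP");
    printf("mid-function gadget          -> %s\n",
           ibt_indirect_branch(gadget, sizeof gadget) == 0 ? "ok" : "#CP");
    /* Only true when built with -fcf-protection=branch (or =full) on x86-64. */
    printf("this binary's demo_callee starts with endbr64: %s\n",
           ibt_target_is_valid((const uint8_t *)demo_callee, 4) ? "yes" : "no");
    return 0;
}
```

The last line of the demo is the practical check a practitioner can run on any x86-64 binary: if a function does not start with endbr64, it was not built with the compiler support the article mentions, and an IBT-enabled kernel or loader would fault on the first indirect call into it. The byte comparison is deliberately exact: a valid landing pad is only ENDBR64 at the first byte, so a jump into the middle of a function, or onto a `pop rdi; ret` style gadget, fails the check just as it would in hardware.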
Intel has been working on both Shadow Stack and Indirect Branch Tracking support for the Linux kernel.
With this pull request submitted, IBT is lined up for Linux 5.18 on Intel's latest processors.