Linux FineIBT-BHI Updated For Toughening Up FineIBT Kernel Defenses
Date: 2025-02-09
Intel Linux engineer Peter Zijlstra has updated his set of patches implementing FineIBT-BHI mitigations for toughening up the FineIBT kernel protections previously introduced. This FineIBT-BHI code depends upon newly-merged code for the LLVM Clang compiler as part of the compiler defenses.
The FineIBT code was merged two years ago as an alternative CFI implementation for the Linux kernel, combining the best of Control-flow Enforcement Technology (CET) and Control Flow Integrity (CFI). Since then, FineIBT-BHI has been baking. FineIBT-BHI addresses a FineIBT weakness that needs Branch History Injection (BHI) mitigation.
FineIBT-BHI patches were posted last September, and the patches were re-based and sent out this week as a result of updated code merged for LLVM. LLVM now extends its KCFI (Kernel Control Flow Integrity) code with a 3-bit arity indicator. GCC still lacks KCFI support, but with LLVM's code path now updated, Peter Zijlstra is unblocked to continue work on upstreaming FineIBT-BHI.
With this new patch series he has FineIBT-BHI working successfully with a patched kernel built using the newest LLVM code on an Intel Alder Lake system. This new mode can be activated with the "cfi=fineibt+bhi" option.
The patch series is still waiting on documentation to cover how the mitigation works and hopefully some benchmark numbers on the performance impact.
