Linux May Flip On Indirect Branch Tracking By Default (IBT)

Written by Michael Larabel in Intel on 5 September 2022 at 06:14 AM EDT. 14 Comments
INTEL --
A new patch floated by a Google Chrome OS / Linux kernel engineer would enable support for the Intel-led Indirect Branch Tracking (IBT) by default as part of the standard kernel configuration for this security feature.

Indirect Branch Tracking is part of Intel Control-Flow Enforcement Technology (CET) with Tigerlake CPUs and newer. IBT provides indirect branch protection to defend against JOP/COP attacks by ensuring indirect calls land on an ENDBR instruction.


Indirect Branch Tracking on the kernel side was upstreamed for Linux 5.18 and also requires a newer version of the GCC or LLVM Clang code compilers.

While IBT is already enabled by default for some distribution vendor kernels, Google's Kees Cook has suggested it be enabled by default for x86/x86_64 Linux kernel builds.

With this patch he justifies the default change as:
This security defense is runtime enabled via CPU ID, so build it in by default. It will be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default.

We'll see if this default kernel security change gets picked up for the v6.1 cycle this autumn.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week