Linux May Flip On Indirect Branch Tracking By Default (IBT)
Indirect Branch Tracking is part of Intel Control-Flow Enforcement Technology (CET) with Tigerlake CPUs and newer. IBT provides indirect branch protection to defend against JOP/COP attacks by ensuring indirect calls land on an ENDBR instruction.
Indirect Branch Tracking on the kernel side was upstreamed for Linux 5.18 and also requires a newer version of the GCC or LLVM Clang code compilers.
While IBT is already enabled by default for some distribution vendor kernels, Google's Kees Cook has suggested it be enabled by default for x86/x86_64 Linux kernel builds.
With this patch he justifies the default change as:
This security defense is runtime enabled via CPU ID, so build it in by default. It will be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default.
We'll see if this default kernel security change gets picked up for the v6.1 cycle this autumn.