Linux Still Eyes Better Security By Default Enabling Indirect Branch Tracking (IBT)

Written by Michael Larabel in Linux Security on 1 November 2022 at 01:49 PM EDT. Add A Comment
LINUX SECURITY
Indirect Branch Tracking (IBT) is still being eyed for enabling as part of the default Linux x86_64 kernel configurations to provide better out-of-the-box security on supported processors. A patch sent out today continues the upstream discussion over flipping on this feature by default that is part of Intel's Control-flow Enforcement Technology (CET) for helping to defend against jump/call oriented programming attacks.

Indirect Branch Tracking is part of CET found with Intel Tigerlake CPUs and newer. The Linux kernel support for IBT was merged in Linux 5.18 but to this point hasn't been enabled by default as part of the stock kernel configuration.


Kees Cook with Google has sent out his latest proposal arguing for it to see being enabled by default as part of the Linux kernel configuration. Back in early September he originally proposed this change while sent out today was the v2 patch to reignite the discussion. In there he sums up the situation:
The kernel IBT defense strongly mitigates the common "first step" of ROP attacks, by eliminating arbitrary stack pivots (that appear either at the end of a function or in immediate values), which cannot be reached if indirect calls must be to marked function entry addresses. IBT is also required to be enabled to gain the FineIBT feature when built with Kernel Control Flow Integrity.

Additionally, given that this feature is runtime enabled via CPU ID, it clearly should be built in by default; it will only be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default.

If all goes well it's possible we could see this enabled by default with the v6.2 kernel cycle meanwhile many Linux distribution vendors are already enabling X86_KERNEL_IBT as part of their provided kernel builds.
Add A Comment
Related News
New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable
Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch
Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS
Landlock Sandboxing Now Supports More Controls Around Unix Sockets
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features