Re: [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable

From: jvoisin
Date: Mon Jul 29 2024 - 08:35:40 EST


> Since FineIBT performs checking at the destination, it is weaker against
> attacks that can construct arbitrary executable memory contents. As such,
> some system builders want to run with FineIBT disabled by default. Allow
> the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
> newly introduced CONFIG_CFI_AUTO_DEFAULT.

I'm confused as to why you think that KCFI is stronger/better than FineIBT.
The latter is compatible with execute-only memory, makes use of hardware
support, doesn't need LTO, is faster, … moreover, I don't see why an
attacker able to "construct arbitrary executable memory contents"
wouldn't be able to bypass KCFI as well, since its threat model
(https://github.com/kcfi/docs/blob/master/kCFI_whitepaper.pdf)
explicitly says "We assume an OS that fully implements the W^X policy
[56,58,106] preventing direct code injection in kernel space."