Re: [PATCH v3 07/10] x86/ibt: Add paranoid FineIBT mode
From: Kees Cook
Date: Wed Feb 19 2025 - 13:06:14 EST

On Wed, Feb 19, 2025 at 05:21:14PM +0100, Peter Zijlstra wrote:
> Due to concerns about circumvention attacks against FineIBT on 'naked'
> ENDBR, add an additional caller side hash check to FineIBT. This
> should make it impossible to pivot over such a 'naked' ENDBR
> instruction at the cost of an additional load.
>
> The specific pivot reported was against the SYSCALL entry site and
> FRED will have all those holes fixed up.
>
> This specific fineibt_paranoid_start[] sequence was concocted by
> Scott.
>
> Reported-by: Jennifer Miller <jmill@xxxxxxx>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>

With patch 6's misplaced chunk moved, looks good:
Reviewed-by: Kees Cook <kees@xxxxxxxxxx>
--
Kees Cook