Linux FineIBT-BHI Updated For Toughening Up FineIBT Kernel Defenses
Intel Linux engineer Peter Zijlstra has updated his set of patches implementing FineIBT-BHI mitigations for toughening up the FineIBT kernel protections previously introduced. This FineIBT-BHI code depends upon newly-merged code for the LLVM Clang compiler as part of the compiler defenses.
FineIBT was merged two years ago as an alternative CFI implementation for the Linux kernel, combining the best of Control-flow Enforcement Technology (CET) and Control Flow Integrity (CFI). FineIBT-BHI has been baking since then: it addresses a FineIBT weakness that needs Branch History Injection (BHI) mitigation.
The FineIBT-BHI patches were posted last September, and they were re-based and sent out this week as a result of updated code merged for LLVM. LLVM now extends its KCFI (Kernel Control Flow Integrity) code with a 3-bit arity indicator. GCC still lacks KCFI support, but with LLVM's code path now updated, Peter Zijlstra is unblocked to continue work on upstreaming FineIBT-BHI.
With this new patch series he has FineIBT-BHI working successfully on an Intel Alder Lake system, using a patched kernel built with the newest LLVM code. This new mode can be activated with the "cfi=fineibt+bhi" option.
The patch series is still waiting on documentation to cover how the mitigation works and hopefully some benchmark numbers on the performance impact.
