linux (Generic): Enable Indirect Branch Tracking (X86_KERNEL_IBT)

Supported on Tigerlake CPUs and newer Build the kernel with support for Indirect Branch Tracking, a hardware support course-grain forward-edge Control Flow Integrity protection. It enforces that all indirect calls must land on an ENDBR instruction, as such, the compiler will instrument the code with them to make this happen. In addition to building the kernel with IBT, seal all functions that are not indirect call targets, avoiding them ever becoming one. This requires LTO like objtool runs and will slow down the build. It does significantly reduce the number of ENDBR instructions in the kernel image.
2025-07-24 11:16:51 +00:00 · 2022-09-05 10:46:36 +00:00 · 2022-09-05 10:46:36 +00:00 · 8a0e2b2d69
commit 8a0e2b2d69
parent 48d38896a4
1 changed files with 1 additions and 1 deletions
--- a/projects/Generic/linux/linux.x86_64.conf
+++ b/projects/Generic/linux/linux.x86_64.conf
@ -422,7 +422,7 @@ CONFIG_ARCH_USES_PG_UNCACHED=y
 CONFIG_ARCH_RANDOM=y
 CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
-# CONFIG_X86_KERNEL_IBT is not set
+CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set