From 8a0e2b2d69141ebb9f82be365afb92297fb24ce4 Mon Sep 17 00:00:00 2001
From: Rudi Heitbaum
Date: Mon, 5 Sep 2022 10:46:36 +0000
Subject: [PATCH] linux (Generic): Enable Indirect Branch Tracking (X86_KERNEL_IBT)

Supported on Tigerlake CPUs and newer Build the kernel with support for Indirect Branch Tracking, a hardware support course-grain forward-edge Control Flow Integrity protection. It enforces that all indirect calls must land on an ENDBR instruction, as such, the compiler will instrument the code with them to make this happen. In addition to building the kernel with IBT, seal all functions that are not indirect call targets, avoiding them ever becoming one. This requires LTO like objtool runs and will slow down the build. It does significantly reduce the number of ENDBR instructions in the kernel image.
---
 projects/Generic/linux/linux.x86_64.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/projects/Generic/linux/linux.x86_64.conf b/projects/Generic/linux/linux.x86_64.conf
index 469108ddc1..1641fb0d04 100644
--- a/projects/Generic/linux/linux.x86_64.conf
+++ b/projects/Generic/linux/linux.x86_64.conf
@@ -422,7 +422,7 @@ CONFIG_ARCH_USES_PG_UNCACHED=y
 CONFIG_ARCH_RANDOM=y
 CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
-# CONFIG_X86_KERNEL_IBT is not set
+CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set
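Review bot: The single flipped line `CONFIG_X86_KERNEL_IBT=y` documents none of its runtime preconditions, and since kernel .config files lose free-form comments on `make olddefconfig`, the caveat belongs in the commit message rather than the file: the ENDBR instrumentation and objtool sealing are build-time, but enforcement only turns on when the boot CPU advertises IBT (Tigerlake and later, as the message says) and can be switched off with `ibt=off`, so older hardware pays the image-size and build-time cost with no protection. I would add a sentence such as `Enforcement is gated on the CPU's IBT feature at boot; confirm on target hardware with the dmesg line "CET detected: Indirect Branch Tracking enabled"`. In Kconfig this option also selects objtool support, yet only one regenerated line is shown; presumably the dependent symbols are already set elsewhere in this config, but if the file was hand-edited rather than regenerated it is worth checking that `make olddefconfig` produces no further diff. Finally, any out-of-tree or binary-only module loaded on IBT hardware must itself be built with `-fcf-protection=branch`; as far as I recall a missing ENDBR at the first indirect call into such a module is treated as fatal by default, so the build should confirm every shipped module comes from the same toolchain flags.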