x86/alternatives: Make FineIBT mode Kconfig selectable

Since FineIBT performs checking at the destination, it is weaker against attacks that can construct arbitrary executable memory contents. As such, some system builders want to run with FineIBT disabled by default. Allow the "cfi=kcfi" boot param mode to be selectable through Kconfig via the newly introduced CONFIG_CFI_AUTO_DEFAULT. Reviewed-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
author: Kees Cook <keescook@chromium.org> 2024-04-30 17:02:22 -0700
committer: Kees Cook <kees@kernel.org> 2024-06-19 12:41:08 -0700
commit: d6f635bcaca8d38dfa47ee20658705f9eff156b5 (patch)
tree: 22797324cba2df59d8c04d42d95e71884bc39e85 /arch/x86/include/asm/cfi.h
parent: 51005a59bcbe1add8802105437b3707ea257f2ea (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/include/asm/cfi.h b/arch/x86/include/asm/cfi.h
index 7cd752557905..31d19c815f99 100644
--- a/arch/x86/include/asm/cfi.h
+++ b/arch/x86/include/asm/cfi.h
@@ -93,7 +93,7 @@
  *
  */
 enum cfi_mode {
-	CFI_DEFAULT,	/* FineIBT if hardware has IBT, otherwise kCFI */
+	CFI_AUTO,	/* FineIBT if hardware has IBT, otherwise kCFI */
 	CFI_OFF,	/* Taditional / IBT depending on .config */
 	CFI_KCFI,	/* Optionally CALL_PADDING, IBT, RETPOLINE */
 	CFI_FINEIBT,	/* see arch/x86/kernel/alternative.c */
author	Kees Cook <keescook@chromium.org>	2024-04-30 17:02:22 -0700
committer	Kees Cook <kees@kernel.org>	2024-06-19 12:41:08 -0700
commit	d6f635bcaca8d38dfa47ee20658705f9eff156b5 (patch)
tree	22797324cba2df59d8c04d42d95e71884bc39e85 /arch/x86/include/asm/cfi.h
parent	51005a59bcbe1add8802105437b3707ea257f2ea (diff)