x86/alternatives: Make FineIBT mode Kconfig selectable

Since FineIBT performs checking at the destination, it is weaker against attacks that can construct arbitrary executable memory contents. As such, some system builders want to run with FineIBT disabled by default. Allow the "cfi=kcfi" boot param mode to be selectable through Kconfig via the newly introduced CONFIG_CFI_AUTO_DEFAULT. Reviewed-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/r/20240501000218.work.998-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
author: Kees Cook <keescook@chromium.org> 2024-04-30 17:02:22 -0700
committer: Kees Cook <kees@kernel.org> 2024-06-19 12:41:08 -0700
commit: d6f635bcaca8d38dfa47ee20658705f9eff156b5 (patch)
tree: 22797324cba2df59d8c04d42d95e71884bc39e85 /arch/x86/Kconfig
parent: 51005a59bcbe1add8802105437b3707ea257f2ea (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 1d7122a1883e..56e301921d2a 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2427,6 +2427,15 @@ config STRICT_SIGALTSTACK_SIZE
 
 	  Say 'N' unless you want to really enforce this check.
 
+config CFI_AUTO_DEFAULT
+	bool "Attempt to use FineIBT by default at boot time"
+	depends on FINEIBT
+	default y
+	help
+	  Attempt to use FineIBT by default at boot time. If enabled,
+	  this is the same as booting with "cfi=auto". If disabled,
+	  this is the same as booting with "cfi=kcfi".
+
 source "kernel/livepatch/Kconfig"
 
 endmenu
author	Kees Cook <keescook@chromium.org>	2024-04-30 17:02:22 -0700
committer	Kees Cook <kees@kernel.org>	2024-06-19 12:41:08 -0700
commit	d6f635bcaca8d38dfa47ee20658705f9eff156b5 (patch)
tree	22797324cba2df59d8c04d42d95e71884bc39e85 /arch/x86/Kconfig
parent	51005a59bcbe1add8802105437b3707ea257f2ea (diff)