mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-03 01:59:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/scripts
History
Linus Torvalds 7001052160 Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a 
coarse grained, hardware based, forward edge Control-Flow-Integrity mechanism
 where any indirect CALL/JMP must target an ENDBR instruction or suffer #CP.
 
 Additionally, since Alderlake (12th gen)/Sapphire-Rapids, speculation is
 limited to 2 instructions (and typically fewer) on branch targets not starting
 with ENDBR. CET-IBT also limits speculation of the next sequential instruction
 after the indirect CALL/JMP [1].
 
 CET-IBT is fundamentally incompatible with retpolines, but provides, as
 described above, speculation limits itself.
 
 [1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
 -----BEGIN PGP SIGNATURE-----
 
 iQJJBAABCgAzFiEEv3OU3/byMaA0LqWJdkfhpEvA5LoFAmI/LI8VHHBldGVyekBp
 bmZyYWRlYWQub3JnAAoJEHZH4aRLwOS6ZnkP/2QCgQLTu6oRxv9O020CHwlaSEeD
 1Hoy3loum5q5hAi1Ik3dR9p0H5u64c9qbrBVxaFoNKaLt5GKrtHaDSHNk2L/CFHX
 urpH65uvTLxbyZzcahkAahoJ71XU+m7PcrHLWMunw9sy10rExYVsUOlFyoyG6XCF
 BDCNZpdkC09ZM3vwlWGMZd5Pp+6HcZNPyoV9tpvWAS2l+WYFWAID7mflbpQ+tA8b
 y/hM6b3Ud0rT2ubuG1iUpopgNdwqQZ+HisMPGprh+wKZkYwS2l8pUTrz0MaBkFde
 go7fW16kFy2HQzGm6aIEBmfcg0palP/mFVaWP0zS62LwhJSWTn5G6xWBr3yxSsht
 9gWCiI0oDZuTg698MedWmomdG2SK6yAuZuqmdKtLLoWfWgviPEi7TDFG/cKtZdAW
 ag8GM8T4iyYZzpCEcWO9GWbjo6TTGq30JBQefCBG47GjD0csv2ubXXx0Iey+jOwT
 x3E8wnv9dl8V9FSd/tMpTFmje8ges23yGrWtNpb5BRBuWTeuGiBPZED2BNyyIf+T
 dmewi2ufNMONgyNp27bDKopY81CPAQq9cVxqNm9Cg3eWPFnpOq2KGYEvisZ/rpEL
 EjMQeUBsy/C3AUFAleu1vwNnkwP/7JfKYpN00gnSyeQNZpqwxXBCKnHNgOMTXyJz
 beB/7u2KIUbKEkSN
 =jZfK
 -----END PGP SIGNATURE-----

Merge tag 'x86_core_for_5.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 CET-IBT (Control-Flow-Integrity) support from Peter Zijlstra:
 "Add support for Intel CET-IBT, available since Tigerlake (11th gen),
  which is a coarse grained, hardware based, forward edge
  Control-Flow-Integrity mechanism where any indirect CALL/JMP must
  target an ENDBR instruction or suffer #CP.

  Additionally, since Alderlake (12th gen)/Sapphire-Rapids, speculation
  is limited to 2 instructions (and typically fewer) on branch targets
  not starting with ENDBR. CET-IBT also limits speculation of the next
  sequential instruction after the indirect CALL/JMP [1].

  CET-IBT is fundamentally incompatible with retpolines, but provides,
  as described above, speculation limits itself"

[1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

* tag 'x86_core_for_5.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (53 commits)
  kvm/emulate: Fix SETcc emulation for ENDBR
  x86/Kconfig: Only allow CONFIG_X86_KERNEL_IBT with ld.lld >= 14.0.0
  x86/Kconfig: Only enable CONFIG_CC_HAS_IBT for clang >= 14.0.0
  kbuild: Fixup the IBT kbuild changes
  x86/Kconfig: Do not allow CONFIG_X86_X32_ABI=y with llvm-objcopy
  x86: Remove toolchain check for X32 ABI capability
  x86/alternative: Use .ibt_endbr_seal to seal indirect calls
  objtool: Find unused ENDBR instructions
  objtool: Validate IBT assumptions
  objtool: Add IBT/ENDBR decoding
  objtool: Read the NOENDBR annotation
  x86: Annotate idtentry_df()
  x86,objtool: Move the ASM_REACHABLE annotation to objtool.h
  x86: Annotate call_on_stack()
  objtool: Rework ASM_REACHABLE
  x86: Mark __invalid_creds() __noreturn
  exit: Mark do_group_exit() __noreturn
  x86: Mark stop_this_cpu() __noreturn
  objtool: Ignore extra-symbol code
  objtool: Rename --duplicate to --lto
  ...
2022-03-27 10:17:23 -07:00
..
atomic atomics: Fix atomic64_{read_acquire,set_release} fallbacks 2022-02-11 12:13:56 +01:00
basic .gitignore: prefix local generated files with a slash 2021-05-02 00:43:35 +09:00
clang-tools gen_compile_commands: fix missing 'sys' package 2021-09-19 10:13:03 +09:00
coccinelle drop fen.cocci 2022-01-15 12:15:35 +01:00
dtc Devicetree updates for v5.18: 2022-03-26 11:41:53 -07:00
dummy-tools kbuild: dummy-tools: adjust to stricter stackprotector check 2021-05-17 12:10:03 +09:00
gcc-plugins gcc-plugins/stackleak: Ignore .noinstr.text and .entry.text 2022-02-06 10:55:03 -08:00
gdb scripts/gdb: lx-dmesg: read records individually 2021-12-16 15:52:38 +01:00
genksyms .gitignore: prefix local generated files with a slash 2021-05-02 00:43:35 +09:00
kconfig kconfig: fix failing to generate auto.conf 2022-02-12 23:24:19 +09:00
ksymoops
mod Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a 2022-03-27 10:17:23 -07:00
package kbuild: Add make tarzst-pkg build option 2021-10-12 11:50:46 +09:00
selinux
tracing scripts/tracing: fix the bug that can't parse raw_trace_func 2021-08-04 17:49:26 -04:00
.gitignore certs: move scripts/extract-cert to certs/ 2022-01-08 18:28:21 +09:00
adjust_autoksyms.sh kbuild: redo fake deps at include/ksym/*.h 2021-09-03 08:17:21 +09:00
as-version.sh kbuild: Switch to 'f' variants of integrated assembler flag 2021-09-03 08:17:20 +09:00
asn1_compiler.c
bin2c.c
bloat-o-meter scripts: switch explicitly to Python 3 2021-01-22 06:34:44 +09:00
bootgraph.pl
bpf_doc.py bpf/scripts: Raise an exception if the correct number of sycalls are not generated 2022-01-19 10:24:50 -08:00
cc-can-link.sh
cc-version.sh kbuild: collect minimum tool versions into scripts/min-tool-version.sh 2021-04-25 05:14:26 +09:00
check-sysctl-docs
check_extable.sh scripts: check_extable: fix typo in user error message 2021-09-08 11:50:28 -07:00
checkdeclares.pl scripts: make some scripts executable 2021-08-10 09:13:25 +09:00
checkincludes.pl
checkkconfigsymbols.py checkkconfigsymbols.py: Remove skipping of help lines in parse_kconfig_file 2021-09-19 10:13:03 +09:00
checkpatch.pl checkpatch: use python3 to find codespell dictionary 2022-03-23 19:00:34 -07:00
checkstack.pl
checksyscalls.sh checksyscalls: Unconditionally ignore fstat{,at}64 2021-10-07 17:16:28 -07:00
checkversion.pl scripts: checkversion: modernize linux/version.h search strings 2021-08-05 20:55:39 +09:00
cleanfile
cleanpatch
coccicheck scripts: coccicheck: fix troubles on non-English builds 2021-05-18 11:09:59 +02:00
config kconfig: config script: add a little user help 2021-01-04 10:38:11 +09:00
const_structs.checkpatch const_structs.checkpatch: add frequently used ops structs 2022-01-20 08:52:54 +02:00
decode_stacktrace.sh scripts/decode_stacktrace.sh: indicate 'auto' can be used for base path 2021-07-08 11:48:22 -07:00
decodecode scripts/decodecode: fix faulting instruction no print when opps.file is DOS format 2021-11-06 13:30:32 -07:00
depmod.sh depmod: handle the case of /sbin/depmod without /sbin in PATH 2021-01-01 12:26:39 -08:00
dev-needs.sh
diffconfig scripts: switch explicitly to Python 3 2021-01-22 06:34:44 +09:00
documentation-file-ref-check scripts: documentation-file-ref-check: fix bpf selftests path 2021-10-26 09:42:29 -06:00
export_report.pl
extract-ikconfig
extract-module-sig.pl
extract-sys-certs.pl
extract-vmlinux
extract_xc3028.pl
faddr2line
file-size.sh
find-unused-docs.sh
gcc-goto.sh
gcc-ld
gcc-x86_32-has-stack-protector.sh x86/stackprotector/32: Make the canary into a regular percpu variable 2021-03-08 13:19:05 +01:00
gcc-x86_64-has-stack-protector.sh
gen_autoksyms.sh kbuild: do not quote string values in include/config/auto.conf 2022-01-08 18:03:57 +09:00
gen_ksymdeps.sh kbuild: redo fake deps at include/ksym/*.h 2021-09-03 08:17:21 +09:00
generate_initcall_order.pl init: lto: ensure initcall ordering 2021-01-14 08:21:09 -08:00
get_abi.pl scripts: get_abi.pl: better generate regex from what fields 2021-10-05 16:23:38 +02:00
get_dvb_firmware
get_feat.pl scripts: get_feat.pl: reduce table width for all features output 2020-12-04 14:34:27 -07:00
get_maintainer.pl get_maintainer: don't remind about no git repo when --nogit is used 2022-01-20 08:52:53 +02:00
gfp-translate
headerdep.pl
headers_install.sh
insert-sys-cert.c
jobserver-exec scripts/jobserver-exec: Fix a typo ("envirnoment") 2021-05-17 12:10:03 +09:00
kallsyms.c kallsyms: fix nonconverging kallsyms table with lld 2021-02-05 17:53:28 +09:00
Kbuild.include certs: simplify $(srctree)/ handling and remove config_filename macro 2022-01-08 17:46:35 +09:00
Kconfig.include kbuild: check the minimum assembler version in Kconfig 2021-04-25 05:14:41 +09:00
kernel-doc docs: scripts/kernel-doc: Detect absence of FILE arg 2022-02-24 12:13:19 -07:00
ld-version.sh kbuild: collect minimum tool versions into scripts/min-tool-version.sh 2021-04-25 05:14:26 +09:00
leaking_addresses.pl leaking_addresses: Always print a trailing newline 2021-10-15 11:25:13 +02:00
Lindent
link-vmlinux.sh x86/alternative: Use .ibt_endbr_seal to seal indirect calls 2022-03-15 10:32:47 +01:00
Makefile ftrace: Have architectures opt-in for mcount build time sorting 2022-01-27 19:15:44 -05:00
Makefile.asm-generic kbuild: prefix $(srctree)/ to some included Makefiles 2021-03-15 19:20:48 +09:00
Makefile.build kbuild: Fixup the IBT kbuild changes 2022-03-22 21:12:04 +01:00
Makefile.clang um: Allow builds with Clang 2022-03-21 08:13:03 -07:00
Makefile.clean kbuild: prefix $(srctree)/ to some included Makefiles 2021-03-15 19:20:48 +09:00
Makefile.compiler kbuild: remove TMPO from try-run 2021-04-25 05:25:56 +09:00
Makefile.debug kbuild: split DEBUG_CFLAGS out to scripts/Makefile.debug 2021-10-24 13:48:33 +09:00
Makefile.dtbinst kbuild: prefix $(srctree)/ to some included Makefiles 2021-03-15 19:20:48 +09:00
Makefile.extrawarn Kbuild: add -Wno-shift-negative-value where -Wextra is used 2022-03-13 17:30:31 +09:00
Makefile.gcc-plugins gcc-plugins/stackleak: Provide verbose mode 2022-02-06 10:49:57 -08:00
Makefile.headersinst kbuild: prefix $(srctree)/ to some included Makefiles 2021-03-15 19:20:48 +09:00
Makefile.host
Makefile.kasan kasan: always respect CONFIG_KASAN_STACK 2021-09-24 16:13:35 -07:00
Makefile.kcov
Makefile.kcsan kcsan: Ignore GCC 11+ warnings about TSan runtime support 2021-12-09 16:42:27 -08:00
Makefile.lib Add support for Intel CET-IBT, available since Tigerlake (11th gen), which is a 2022-03-27 10:17:23 -07:00
Makefile.modfinal kbuild: Unify options for BTF generation for vmlinux and modules 2021-11-01 18:09:58 -07:00
Makefile.modinst kbuild: do not quote string values in include/config/auto.conf 2022-01-08 18:03:57 +09:00
Makefile.modpost kbuild: Fix comment typo in scripts/Makefile.modpost 2021-09-19 10:14:19 +09:00
Makefile.package kbuild: Add make tarzst-pkg build option 2021-10-12 11:50:46 +09:00
Makefile.ubsan ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-01-20 08:52:55 +02:00
Makefile.userprogs
makelst
markup_oops.pl
min-tool-version.sh Documentation: Raise the minimum supported version of LLVM to 11.0.0 2021-12-02 17:24:32 +09:00
mkcompile_h sched/preempt: Tell about PREEMPT_DYNAMIC on kernel headers 2022-03-11 15:36:35 +01:00
mksysmap
mkuboot.sh
module.lds.S module: combine constructors in module linker script 2021-07-19 14:51:40 +02:00
modules-check.sh kbuild: check module name conflict for external modules as well 2021-04-25 05:22:42 +09:00
nsdeps kbuild: replace LANG=C with LC_ALL=C 2021-05-02 00:43:35 +09:00
objdiff
pahole-flags.sh scripts/pahole-flags.sh: Parse DWARF and generate BTF with multithreading. 2022-02-22 14:32:44 -08:00
pahole-version.sh kbuild: Add CONFIG_PAHOLE_VERSION 2022-02-02 11:19:33 +01:00
parse-maintainers.pl
patch-kernel
profile2linkerlist.pl
prune-kernel
recordmcount.c ftrace: Have recordmcount use w8 to read relp->r_info in arm64_is_fake_mcount 2021-03-02 17:27:18 -05:00
recordmcount.h recordmcount: Correct st_shndx handling 2021-06-18 09:09:17 -04:00
recordmcount.pl nds32: Remove the architecture 2022-03-07 13:54:59 +01:00
remove-stale-files Kbuild updates for v5.17 2022-01-19 11:15:19 +02:00
setlocalversion kbuild: do not quote string values in include/config/auto.conf 2022-01-08 18:03:57 +09:00
show_delta tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
sign-file.c
sorttable.c s390/extable: convert to relative table with data 2022-03-08 00:33:00 +01:00
sorttable.h script/sorttable: Fix some initialization problems 2022-01-18 10:17:18 -05:00
spdxcheck-test.sh scripts/spdxcheck-test.sh: Drop python2 2021-07-21 15:59:32 +02:00
spdxcheck.py scripts/spdxcheck.py: Strictly read license files in utf-8 2021-07-12 09:56:50 -06:00
spelling.txt scripts/spelling.txt: add more spellings to spelling.txt 2022-03-22 15:57:00 -07:00
sphinx-pre-install scripts: sphinx-pre-install: Fix ctex support on Debian 2022-01-07 09:33:13 -07:00
split-man.pl tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
stackdelta
stackusage
subarch.include parisc: Fix compile failure when building 64-bit kernel natively 2021-09-01 21:52:02 +02:00
syscallhdr.sh scripts: check duplicated syscall number in syscall table 2021-07-09 04:00:39 +09:00
syscallnr.sh scripts: make some scripts executable 2021-08-10 09:13:25 +09:00
syscalltbl.sh scripts: check duplicated syscall number in syscall table 2021-07-09 04:00:39 +09:00
tags.sh scripts/tags: add space regexs to all regex_c 2021-11-26 16:58:55 +01:00
test_fortify.sh fortify: Update compile-time tests for Clang 14 2022-02-13 16:50:06 -08:00
tools-support-relr.sh Makefile: fix GDB warning with CONFIG_RELR 2021-06-08 13:09:34 +01:00
unifdef.c
ver_linux Removed the oprofiled version option 2021-05-03 17:23:06 -06:00
xen-hypercalls.sh scripts: make some scripts executable 2021-08-10 09:13:25 +09:00
xz_wrap.sh