From: "CKI@GitLab" cki-project@redhat.com
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_ARM64_BTI:
Branch Target Identification (part of the ARMv8.5 Extensions) provides a mechanism to limit the set of locations to which computed branch instructions such as BR or BLR can jump.
To make use of BTI on CPUs that support it, say Y.
BTI is intended to provide complementary protection to other control flow integrity protection mechanisms, such as the Pointer authentication mechanism provided as part of the ARMv8.3 Extensions. For this reason, it does not make sense to enable this option without also enabling support for pointer authentication. Thus, when enabling this option you should also select ARM64_PTR_AUTH=y.
Userspace binaries must also be specifically compiled to make use of this mechanism. If you say N here or the hardware does not support BTI, such binaries can still run, but you get no additional enforcement of branch destinations.
Symbol: ARM64_BTI [=y]
Type  : bool
Defined at arch/arm64/Kconfig:1594
  Prompt: Branch Target Identification support
  Location:
    -> Kernel Features
      -> ARMv8.5 architectural features
---
Cc: Mark Salter msalter@redhat.com
Signed-off-by: CKI@GitLab cki-project@redhat.com
---
 .../configs/common/generic/CONFIG_ARM64_BTI | 1 +
 .../pending-common/generic/CONFIG_ARM64_BTI | 31 -------------------
 2 files changed, 1 insertion(+), 31 deletions(-)
 create mode 100644 redhat/configs/common/generic/CONFIG_ARM64_BTI
 delete mode 100644 redhat/configs/pending-common/generic/CONFIG_ARM64_BTI
diff --git a/redhat/configs/common/generic/CONFIG_ARM64_BTI b/redhat/configs/common/generic/CONFIG_ARM64_BTI new file mode 100644 index 000000000000..fb0274de0d49 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_ARM64_BTI @@ -0,0 +1 @@ +CONFIG_ARM64_BTI=y diff --git a/redhat/configs/pending-common/generic/CONFIG_ARM64_BTI b/redhat/configs/pending-common/generic/CONFIG_ARM64_BTI deleted file mode 100644 index 5af4d535b648..000000000000 --- a/redhat/configs/pending-common/generic/CONFIG_ARM64_BTI +++ /dev/null @@ -1,31 +0,0 @@ -# CONFIG_ARM64_BTI: -# -# Branch Target Identification (part of the ARMv8.5 Extensions) -# provides a mechanism to limit the set of locations to which computed -# branch instructions such as BR or BLR can jump. -# -# To make use of BTI on CPUs that support it, say Y. -# -# BTI is intended to provide complementary protection to other control -# flow integrity protection mechanisms, such as the Pointer -# authentication mechanism provided as part of the ARMv8.3 Extensions. -# For this reason, it does not make sense to enable this option without -# also enabling support for pointer authentication. Thus, when -# enabling this option you should also select ARM64_PTR_AUTH=y. -# -# Userspace binaries must also be specifically compiled to make use of -# this mechanism. If you say N here or the hardware does not support -# BTI, such binaries can still run, but you get no additional -# enforcement of branch destinations. -# -# Symbol: ARM64_BTI [=y] -# Type : bool -# Defined at arch/arm64/Kconfig:1594 -# Prompt: Branch Target Identification support -# Location: -# -> Kernel Features -# -> ARMv8.5 architectural features -# -# -# -CONFIG_ARM64_BTI=y
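Review bot: the new file is created at redhat/configs/common/generic/CONFIG_ARM64_BTI, but the removed help text gives "Defined at arch/arm64/Kconfig:1594", so this is an arm64-only symbol and the setting should live in an arm64-specific directory of the config tree rather than directly under generic. The same help text says to select ARM64_PTR_AUTH=y together with this option; nothing in this patch touches that option, so please confirm it is already set to y for the same targets before this is ACKed.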
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/391#note_48094689...
This merge request has not been updated in over 30 days. Please review this MR's current changes regarding the following configuration option(s):
CONFIG_ARM64_BTI
From: Mark Salter on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/391#note_53597357...
This needs to go in redhat/configs/common/generic/arm/aarch64
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/391#note_53998002...
Hey Mark,
I moved the config item.
I also noticed CONFIG_ARM64_BTI_KERNEL has been kicking around in pending-common since ffa224580f56 so I moved it out of pending here as well. I hope that is okay with everybody?
@jmflinuxtx ?
```
config ARM64_BTI_KERNEL
	bool "Use Branch Target Identification for kernel"
	default y
	depends on ARM64_BTI
	depends on ARM64_PTR_AUTH
	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697
	depends on !CC_IS_GCC || GCC_VERSION >= 100100
	depends on !(CC_IS_CLANG && GCOV_KERNEL)
	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
	help
	  Build the kernel with Branch Target Identification annotations
	  and enable enforcement of this for kernel code. When this option
	  is enabled and the system supports BTI all kernel code including
	  modular code must have BTI enabled.
```
Thank you,
Patrick
kernel@lists.fedoraproject.org
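The help text and the Kconfig entry quoted in this thread tie three options together: ARM64_BTI, ARM64_PTR_AUTH and ARM64_BTI_KERNEL. The script below is an added example, not part of the thread or of the kernel-ark tooling, that audits a merged config file for that relationship. The function names cfg_val and check_bti and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a merged kernel config for the BTI settings discussed
# in this thread. Function names and the sample config are constructed.

# cfg_val FILE SYMBOL: print the symbol's value; "n" when it is absent or
# written as "# CONFIG_<SYMBOL> is not set". The last assignment wins.
cfg_val() {
    v=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# check_bti FILE: print one verdict; exit status 0 only for "ok".
check_bti() {
    bti=$(cfg_val "$1" ARM64_BTI)
    pac=$(cfg_val "$1" ARM64_PTR_AUTH)
    kern=$(cfg_val "$1" ARM64_BTI_KERNEL)
    if [ "$bti" != y ]; then
        # ARM64_BTI_KERNEL "depends on ARM64_BTI", so =y here is a stale fragment.
        [ "$kern" = y ] && { echo "inconsistent: BTI_KERNEL=y without BTI"; return 1; }
        echo "off: no BTI enforcement"; return 1
    fi
    # The help text advises against BTI without pointer authentication.
    [ "$pac" = y ] || { echo "weak: BTI=y without PTR_AUTH=y"; return 1; }
    # ARM64_BTI alone covers userspace; kernel code needs ARM64_BTI_KERNEL.
    [ "$kern" = y ] || { echo "partial: kernel not built with BTI"; return 1; }
    echo "ok: BTI and PTR_AUTH enabled, kernel built with BTI"
}

# Constructed sample: BTI and PTR_AUTH on, BTI_KERNEL left unset.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_ARM64_PTR_AUTH=y' 'CONFIG_ARM64_BTI=y' \
        '# CONFIG_ARM64_BTI_KERNEL is not set' > "$tmp"
    check_bti "$tmp" || true
    rm -f "$tmp"
}
demo
```

Run check_bti against the config that is actually built for the aarch64 target; any verdict other than "ok" means the options set in the config tree do not yet add up to enforced BTI in both userspace and kernel.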