Indirect Branch Tracking
configname: CONFIG_X86_KERNEL_IBT
Linux Kernel Configuration
└─>Processor type and features
└─>Indirect Branch Tracking
In linux kernel since version 4.14.326 (release Date: 2023-09-23)
Build the kernel with support for Indirect Branch Tracking, a
hardware support course-grain forward-edge Control Flow Integrity
protection. It enforces that all indirect calls must land on
an ENDBR instruction, as such, the compiler will instrument the
code with them to make this happen.
In addition to building the kernel with IBT, seal all functions that
are not indirect call targets, avoiding them ever becoming one.
This requires LTO like objtool runs and will slow down the build. It
does significantly reduce the number of ENDBR instructions in the
kernel image.
hardware support course-grain forward-edge Control Flow Integrity
protection. It enforces that all indirect calls must land on
an ENDBR instruction, as such, the compiler will instrument the
code with them to make this happen.
In addition to building the kernel with IBT, seal all functions that
are not indirect call targets, avoiding them ever becoming one.
This requires LTO like objtool runs and will slow down the build. It
does significantly reduce the number of ENDBR instructions in the
kernel image.
depends
CONFIG_CC_HAS_IBTCONFIG_HAVE_OBJTOOL
CONFIG_X86_64
CONFIG_LLD_VERSIONCONFIG_140000 or NOT CONFIG_LD_IS_LLD