From e5ea70aa2d6b39a7dccafd8a8ef0d5d123c7d0df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Anikiel?= Date: Tue, 29 Apr 2025 11:31:07 +0000 Subject: [PATCH] ANDROID: gki_defconfig: do not use FineIBT on x86 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The kernel is currently configured to patch itself to use FineIBT instead of the traditional kCFI implementation when the hardware supports IBT. However, due to recent security concerns with the design of FineIBT [1], enabling FineIBT is currently considered a security downgrade. Thus, disable this option and always use traditional kCFI. This issue was discovered in relation to an issue with Rust drivers (see the referenced bug). That issue has already been fixed [2][3][4]. The enablement of FineIBT happens at runtime, and it's controlled by the cfi= kernel parameter. cfi=auto always enables FineIBT if the CPU supports IBT, whereas cfi=kcfi tells the kernel not to use FineIBT. The default value for this parameter depends on CONFIG_CFI_AUTO_DEFAULT. If set, it's cfi=auto, if unset, it's cfi=kcfi. This patch does not modify arch/arm64/configs/gki_defconfig because FineIBT does not exist on ARM, as it relies on the hardware feature IBT that only exists on x86. Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ [1] Link: https://github.com/rust-lang/rust/pull/139632 [2] Link: https://r.android.com/3602350 [3] Link: https://lore.kernel.org/all/20250410115420.366349-1-panikiel@google.com [4] Bug: 404795641 Change-Id: Idfb23c122e53d2d46612cceff0d1dbf5c1c0c813 Signed-off-by: Paweł Anikiel --- arch/x86/configs/gki_defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/configs/gki_defconfig b/arch/x86/configs/gki_defconfig index f66006e3ab65..7cbde834df53 100644 --- a/arch/x86/configs/gki_defconfig +++ b/arch/x86/configs/gki_defconfig 
@@ -70,6 +70,7 @@ CONFIG_NR_CPUS=32 CONFIG_EFI=y CONFIG_CMDLINE_BOOL=y CONFIG_CMDLINE="console=ttynull stack_depot_disable=on cgroup_disable=pressure bootconfig" +# CONFIG_CFI_AUTO_DEFAULT is not set CONFIG_HIBERNATION=y CONFIG_PM_WAKELOCKS=y CONFIG_PM_WAKELOCKS_LIMIT=0
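Review bot: The added line `# CONFIG_CFI_AUTO_DEFAULT is not set` changes only the default of the cfi= parameter, and the `CONFIG_CMDLINE` in the context line directly above it does not pin `cfi=kcfi`, so by the commit message's own description an explicit `cfi=auto` supplied at boot would still switch the kernel to FineIBT on IBT-capable CPUs. If the intent is that x86 GKI never runs FineIBT, either state in the commit message that an explicit `cfi=auto` remains an accepted override, or confirm that no supported boot flow passes it. It would also help to note how the result was verified on IBT hardware, since the selection happens at runtime and the defconfig line alone does not show which scheme a booted kernel ends up using.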