Linux Still Eyes Better Security By Default Enabling Indirect Branch Tracking (IBT)
Indirect Branch Tracking (IBT) is still being eyed for enablement in the default Linux x86_64 kernel configuration, to provide better out-of-the-box security on supported processors. A patch sent out today continues the upstream discussion over flipping on this feature by default. IBT is part of Intel's Control-flow Enforcement Technology (CET) and helps defend against jump/call-oriented programming attacks.
Indirect Branch Tracking is part of CET, available on Intel Tiger Lake CPUs and newer. Linux kernel support for IBT was merged in Linux 5.18, but to this point it hasn't been enabled by default in the stock kernel configuration.
Kees Cook of Google has sent out his latest proposal arguing for IBT to be enabled by default in the Linux kernel configuration. He originally proposed the change back in early September; the v2 patch sent out today is intended to reignite the discussion.
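Since the default configuration does not yet turn IBT on, a defender has to verify it per host. The script below is an added example (not from the article or from the patch series) that checks CPU support, the kernel build option, the boot command line and the boot log; it assumes the `ibt` flag in /proc/cpuinfo, the kernel option CONFIG_X86_KERNEL_IBT, the `ibt=off` boot parameter and the boot-log wording "CET detected: Indirect Branch Tracking enabled".

```shell
#!/bin/sh
# Added example: does this host have IBT, and is the kernel running with it?
# Assumed identifiers (not from the article): the "ibt" CPU flag, the kernel
# option CONFIG_X86_KERNEL_IBT, the "ibt=off" boot parameter and the dmesg
# line "CET detected: Indirect Branch Tracking enabled".
# Every check reads its input from stdin so it can also run on captured files.

cpu_flag_ibt() {
    # CET-capable CPUs (Tiger Lake and newer) advertise "ibt" in the flags line.
    grep -E '^flags[[:space:]]*:' | grep -qw ibt
}

kernel_ibt_config() {
    # Reads a kernel .config (or /proc/config.gz contents); prints y, n or unset.
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_X86_KERNEL_IBT=y$'; then echo y
    elif printf '%s\n' "$cfg" | grep -q '^# CONFIG_X86_KERNEL_IBT is not set'; then echo n
    else echo unset; fi
}

cmdline_disables_ibt() {
    # A kernel built with IBT can still be switched off at boot with ibt=off.
    grep -qw 'ibt=off'
}

dmesg_ibt_enabled() {
    # The kernel logs this line once it has enabled IBT for itself.
    grep -q 'Indirect Branch Tracking enabled'
}

report_host() {
    # Live report; each source is optional so the script degrades gracefully.
    if [ -r /proc/cpuinfo ]; then
        cpu_flag_ibt </proc/cpuinfo && echo "cpu: ibt flag present" \
                                    || echo "cpu: no ibt flag"
    fi
    if [ -r /proc/config.gz ]; then
        echo "config: CONFIG_X86_KERNEL_IBT=$(zcat /proc/config.gz | kernel_ibt_config)"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "config: CONFIG_X86_KERNEL_IBT=$(kernel_ibt_config <"/boot/config-$(uname -r)")"
    fi
    if [ -r /proc/cmdline ] && cmdline_disables_ibt </proc/cmdline; then
        echo "cmdline: ibt=off present (IBT disabled at boot)"
    fi
    if dmesg 2>/dev/null | dmesg_ibt_enabled; then
        echo "runtime: kernel reports IBT enabled"
    else
        echo "runtime: no IBT enable message found (or dmesg not readable)"
    fi
}

report_host
```

A CPU flag plus CONFIG_X86_KERNEL_IBT=y is not enough on its own; the runtime line is what confirms the kernel actually enabled IBT rather than being built with it and then disabled at boot.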