arm64: bti: Provide Kconfig for kernel mode BTI (97fed779) · Commits · 戴 / test

Now that all the code is in place provide a Kconfig option allowing users to enable BTI for the kernel if their toolchain supports it, defaulting it on since this has security benefits. This is a separate configuration option since we currently don't support secondary CPUs that lack BTI if the boot CPU supports it. Code generation issues mean that current GCC 9 versions are not able to produce usable BTI binaries so we disable support for building with GCC versions prior to 10, once a fix is backported to GCC 9 the dependencies will be updated. Signed-off-by:

Mark Brown <broonie@kernel.org> Reviewed-by:

Catalin Marinas <catalin.marinas@arm.com> Link: https://lore.kernel.org/r/20200506195138.22086-8-broonie@kernel.org Signed-off-by:

Will Deacon <will@kernel.org>

arch/arm64/Kconfig

+19 −0

Original line number	Diff line number	Diff line
		@@ -1610,6 +1610,25 @@ config ARM64_BTI
		BTI, such binaries can still run, but you get no additional
		enforcement of branch destinations.

		config ARM64_BTI_KERNEL
		bool "Use Branch Target Identification for kernel"
		default y
		depends on ARM64_BTI
		depends on ARM64_PTR_AUTH
		depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
		depends on !CC_IS_GCC \|\| GCC_VERSION >= 100000
		depends on !(CC_IS_CLANG && GCOV_KERNEL)
		depends on (!FUNCTION_GRAPH_TRACER \|\| DYNAMIC_FTRACE_WITH_REGS)
		help
		Build the kernel with Branch Target Identification annotations
		and enable enforcement of this for kernel code. When this option
		is enabled and the system supports BTI all kernel code including
		modular code must have BTI enabled.

		config CC_HAS_BRANCH_PROT_PAC_RET_BTI
		# GCC 9 or later, clang 8 or later
		def_bool $(cc-option,-mbranch-protection=pac-ret+leaf+bti)

		config ARM64_E0PD
		bool "Enable support for E0PD"
		default y

Admin message