arm64: bti: Provide Kconfig for kernel mode BTI
Now that all the code is in place provide a Kconfig option allowing users to enable BTI for the kernel if their toolchain supports it, defaulting it on since this has security benefits. This is a separate configuration option since we currently don't support secondary CPUs that lack BTI if the boot CPU supports it.

Code generation issues mean that current GCC 9 versions are not able to produce usable BTI binaries so we disable support for building with GCC versions prior to 10, once a fix is backported to GCC 9 the dependencies will be updated.

Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20200506195138.22086-8-broonie@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
parent 67d4a1cd09
commit 97fed779f2
|
@ -1610,6 +1610,25 @@ config ARM64_BTI
|
|||
BTI, such binaries can still run, but you get no additional
|
||||
enforcement of branch destinations.
|
||||
|
||||
config ARM64_BTI_KERNEL
|
||||
bool "Use Branch Target Identification for kernel"
|
||||
default y
|
||||
depends on ARM64_BTI
|
||||
depends on ARM64_PTR_AUTH
|
||||
depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
|
||||
depends on !CC_IS_GCC || GCC_VERSION >= 100000
|
||||
depends on !(CC_IS_CLANG && GCOV_KERNEL)
|
||||
depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
|
||||
help
|
||||
Build the kernel with Branch Target Identification annotations
|
||||
and enable enforcement of this for kernel code. When this option
|
||||
is enabled and the system supports BTI all kernel code including
|
||||
modular code must have BTI enabled.
|
||||
|
||||
config CC_HAS_BRANCH_PROT_PAC_RET_BTI
|
||||
# GCC 9 or later, clang 8 or later
|
||||
def_bool $(cc-option,-mbranch-protection=pac-ret+leaf+bti)
|
||||
|
||||
config ARM64_E0PD
|
||||
bool "Enable support for E0PD"
|
||||
default y
|
||||
|
|
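Review bot: the toolchain and tracer dependencies of ARM64_BTI_KERNEL are not explained anywhere in the Kconfig itself. The line "depends on !CC_IS_GCC || GCC_VERSION >= 100000" is described in the commit message as a temporary workaround for GCC 9 code generation issues, to be relaxed once a fix is backported, but nothing next to the line records that, and the comment on CC_HAS_BRANCH_PROT_PAC_RET_BTI ("GCC 9 or later, clang 8 or later") reads as if GCC 9 were sufficient. Because the option is "default y" and disappears without notice when any dependency is unmet, a one-line comment above the GCC version check, and above the "!(CC_IS_CLANG && GCOV_KERNEL)" and FUNCTION_GRAPH_TRACER lines, which the commit message does not mention at all, would help anyone auditing why a given build has no kernel BTI enforcement. The help text could also state the limitation given in the commit message: secondary CPUs that lack BTI are not supported when the boot CPU has it.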