-
Kees Cook authored
Since FineIBT performs checking at the destination, it is weaker against attacks that can construct arbitrary executable memory contents. As such, some system builders want to run with FineIBT disabled by default. Allow the "cfi=kcfi" boot param mode to be selectable through Kconfig via the newly introduced CONFIG_CFI_AUTO_DEFAULT. Reviewed-by:
Sami Tolvanen <samitolvanen@google.com> Reviewed-by:
Nathan Chancellor <nathan@kernel.org> Tested-by:
Kees Cook <kees@kernel.org>
d6f635bc
