Article 5XVHT Cook: Security things in Linux v5.10

Cook: Security things in Linux v5.10

by
corbet
from LWN.net on (#5XVHT)
Kees Cook catchesup with the security-related changes in the 5.10 kernel, released atthe end of 2020.

With static branches, an if/else choice can be hard-coded, insteadof being run-time evaluated every time. Such branches can beupdated too (the kernel just rewrites the code to switch around thebranch"). All these principles apply to static calls as well, butthey're for replacing indirect function calls (i.e. a call througha function pointer) with a direct call (i.e. a hard-coded calladdress). This eliminates the need for Spectre mitigations(e.g. RETPOLINE) for these indirect calls, and avoids a memorylookup for the pointer. For hot-path code (like the scheduler),this has a measurable performance impact. It also serves as a kindof Control Flow Integrity implementation: an indirect call gotremoved, and the potential destinations have been explicitlyidentified at compile-time.
External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments