FineIBT-BHI, a means of toughening kernel defenses against Branch History Injection (BHI), looks like it will be ready for upstreaming in next month’s Linux 6.15 merge window.
These patches pair with recent LLVM Clang compiler capabilities to further enhance the security of the Linux kernel. FineIBT was previously added to the Linux kernel to combine Control-flow Enforcement Technology (CET) and Control Flow Integrity (CFI) as an alternative CFI implementation. FineIBT-BHI aims to address the weakness of FineIBT needing BHI protections.
On the compiler side, LLVM now extends its KCFI (Kernel Control Flow Integrity) code with a 3-bit arity indicator. GCC does not yet have the needed KCFI functionality. On a patched Linux kernel built with a supported compiler, the FineIBT-BHI mitigation can be enabled with the “cfi=fineibt+bhi” boot option.
The news this morning is that the FineIBT-BHI patches have been queued into tip/tip.git’s x86/core branch. With the FineIBT-BHI mitigation patches now appearing in TIP x86/core, they are likely to be submitted for the Linux 6.15 merge window in a few weeks, barring any last-minute objections or reports of show-stopping code problems.
For those curious about additional technical details, more background information on FineIBT-BHI is available from the patch message.