Kees Cook has submitted the hardening updates for Linux 6.11, aiming to strengthen the kernel's defenses against various attack vectors and vulnerabilities.

Most of these updates are minor, with a few random changes. One notable update is the addition of a Kconfig option for selecting the FineIBT mode at build-time. FineIBT, introduced in 2022, is an alternative implementation of Control Flow Integrity (CFI) that combines software and hardware techniques, utilizing Indirect Branch Tracking (IBT).

By default, the Linux kernel will use FineIBT if the processor supports IBT. However, users can override this by using the “cfi=kcfi” boot parameter to enforce kCFI instead. There has been a demand to allow setting the default CFI method at build-time through Kconfig, and Linux 6.11 introduces this option with the “CONFIG_CFI_AUTO_DEFAULT” build switch.
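The precedence described above (an explicit `cfi=` boot parameter wins, otherwise the build-time default decides, and FineIBT is only chosen when the CPU actually has IBT) is easy to get wrong when auditing a fleet. The shell function below, an added example rather than anything from Kees Cook's series or the kernel tree, resolves the effective CFI mode from three inputs: the kernel `.config` text, the kernel command line and the CPU flags line. It assumes that `CONFIG_CFI_AUTO_DEFAULT=n` falls back to kCFI, that a kernel without `CONFIG_CFI_CLANG=y` has no CFI at all, that IBT is reported as the `ibt` CPU flag, and that `cfi=` also accepts `auto`, `off` and `fineibt` as documented for the x86 kernel parameter; the sample inputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Resolve the CFI mode a kernel would run with, given:
#   $1  text of the kernel .config (e.g. /boot/config-$(uname -r))
#   $2  kernel command line (/proc/cmdline)
#   $3  the "flags" line from /proc/cpuinfo
# Precedence modelled here (assumption, based on the behaviour described
# in the text): cfi= on the command line wins; otherwise
# CONFIG_CFI_AUTO_DEFAULT=y means "FineIBT if the CPU has IBT, else kCFI"
# and CONFIG_CFI_AUTO_DEFAULT unset/=n means kCFI.
cfi_effective_mode() {
    config="$1"; cmdline="$2"; cpuflags="$3"

    # 0. No CFI at all without CONFIG_CFI_CLANG (assumption).
    if ! printf '%s\n' "$config" | grep -qx 'CONFIG_CFI_CLANG=y'; then
        echo none
        return 0
    fi

    # 1. Boot parameter override: the last cfi= word on the command line wins.
    param=""
    for word in $cmdline; do
        case "$word" in
            cfi=*) param="${word#cfi=}" ;;
        esac
    done
    case "$param" in
        kcfi|fineibt|off) echo "$param"; return 0 ;;
        auto|"") ;;                    # fall through to the build-time default
        *) echo unknown; return 1 ;;   # unrecognised value: flag it for review
    esac

    # 2. Build-time default from Kconfig (or an explicit cfi=auto).
    if [ "$param" = auto ] || printf '%s\n' "$config" | grep -qx 'CONFIG_CFI_AUTO_DEFAULT=y'; then
        # 3. Hardware check: IBT is advertised as the "ibt" CPU flag (assumption).
        if printf '%s\n' "$cpuflags" | grep -qw ibt; then
            echo fineibt
        else
            echo kcfi
        fi
    else
        echo kcfi
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CONFIG='CONFIG_CFI_CLANG=y
CONFIG_CFI_AUTO_DEFAULT=y'
SAMPLE_FLAGS='flags : fpu vme de pse tsc msr smep smap ibt'

# Stand-alone use: report the mode of the running kernel when the inputs exist.
if [ -r /proc/cmdline ] && [ -r "/boot/config-$(uname -r)" ]; then
    cfi_effective_mode "$(cat "/boot/config-$(uname -r)")" \
                       "$(cat /proc/cmdline)" \
                       "$(grep -m1 '^flags' /proc/cpuinfo)"
fi
```

Feeding the function a build's `.config` together with the planned boot command line shows whether a `cfi=kcfi` override is still needed once `CONFIG_CFI_AUTO_DEFAULT` is set the way the build intends, and running it on the live system catches hosts whose CPUs lack IBT and therefore silently end up on kCFI even with FineIBT selected as the default.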

