linux: Enable Indirect Branch Tracking by default

This became upstream default (see https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media coverage), and given its security-relevance, we should adopt this setting as well. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-27 19:23:24 +02:00 · 2023-07-09 14:55:00 +00:00
parent f7447b1b8e
commit c084d8f970
2 changed files with 2 additions and 1 deletions
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -431,7 +431,7 @@ CONFIG_X86_PAT=y
 CONFIG_ARCH_USES_PG_UNCACHED=y
 CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
-# CONFIG_X86_KERNEL_IBT is not set
+CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -11324,6 +11324,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/X86_INTERNODE_CACHE_SHIFT
 #lib/modules/KVER-ipfire/build/include/config/X86_IOPL_IOPERM
 #lib/modules/KVER-ipfire/build/include/config/X86_IO_APIC
+#lib/modules/KVER-ipfire/build/include/config/X86_KERNEL_IBT
 #lib/modules/KVER-ipfire/build/include/config/X86_L1_CACHE_SHIFT
 #lib/modules/KVER-ipfire/build/include/config/X86_LOCAL_APIC
 #lib/modules/KVER-ipfire/build/include/config/X86_MCE