Linux FineIBT-BHI Updated For Toughening Up FineIBT Kernel Defenses
([Linux Security] 6 Hours Ago
Linux FineIBT-BHI)
- Reference: 0001525275
- News link: https://www.phoronix.com/news/Linux-FineIBT-BHI-Linux-2025
Intel Linux engineer Peter Zijlstra has updated his set of patches implementing FineIBT-BHI mitigations for toughening up the FineIBT kernel protections previously introduced. This FineIBT-BHI code depends upon newly-merged code for the LLVM Clang compiler as part of the compiler defenses.
The [1]FineIBT code was merged two years ago as an alternative CFI implementation for the Linux kernel, combining the best of Control-flow Enforcement Technology (CET) and Control Flow Integrity (CFI). Since then, FineIBT-BHI has been baking. FineIBT-BHI addresses a FineIBT weakness that needs Branch History Injection (BHI) mitigation.
The FineIBT-BHI patches were posted last September, and they were re-based and sent out this week as a result of updated code merged for LLVM. LLVM now extends its KCFI (Kernel Control Flow Integrity) code with a 3-bit arity indicator. Details on that are [2]here. GCC still lacks KCFI support, but with LLVM's code path now updated, Peter Zijlstra is unblocked to continue work on upstreaming FineIBT-BHI.
With [3]this new patch series he has FineIBT-BHI working successfully on an Intel Alder Lake system, using a patched kernel built with the newest LLVM code. This new mode can be activated with the "cfi=fineibt+bhi" option.
The patch series is still waiting on documentation to cover how the mitigation works and hopefully some benchmark numbers on the performance impact.
[1] https://www.phoronix.com/search/FineIBT
[2] https://github.com/llvm/llvm-project/commit/e223485c9b38a5579991b8cebb6a200153eee245
[3] https://lore.kernel.org/lkml/20250207121529.222723073@infradead.org/T/#m56c16a0e95114a6701dd182bc6f910a3faeecdb0
phoronix