On Mon, Jul 14, 2025 at 12:20:27PM +0200, Peter Zijlstra wrote:
> Validate that all indirect calls adhere to kCFI rules. Notably doing
> nocfi indirect call to a cfi function is broken.
>
> Apparently some Rust 'core' code violates this and explodes when run
> with FineIBT.
>
> All the ANNOTATE_NOCFI_SYM sites are prime targets for attackers.
>
>  - runtime EFI is especially heinous because it also needs to disable
>    IBT. Basically calling unknown code without CFI protection at
>    runtime is a massive security issue.
>
>  - Kexec image handover; if you can exploit this, you get to keep it :-)
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>

Acked-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>

-- 
Josh