On Tue, Apr 30, 2024 at 5:02 PM Kees Cook <keesc...@chromium.org> wrote: > > Since FineIBT performs checking at the destination, it is weaker against > attacks that can construct arbitrary executable memory contents. As such, > some system builders want to run with FineIBT disabled by default. Allow > the "cfi=kcfi" boot param mode to be selectable through Kconfig via the > newly introduced CONFIG_CFI_AUTO_DEFAULT. > > Signed-off-by: Kees Cook <keesc...@chromium.org> > ---
Reviewed-by: Sami Tolvanen <samitolva...@google.com> Sami
