From: Borislav Petkov <bp@kernel.org>
To: X86 ML <x86@kernel.org>
Cc: Nikunj A Dadhania <nikunj@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
"Borislav Petkov (AMD)" <bp@alien8.de>
Subject: [PATCH 4/4] x86/cpu: Add comment clarifying CRn pinning
Date: Fri, 20 Mar 2026 12:54:17 +0100 [thread overview]
Message-ID: <20260320115417.4156-5-bp@kernel.org> (raw)
In-Reply-To: <20260320115417.4156-1-bp@kernel.org>
From: Peter Zijlstra <peterz@infradead.org>
To avoid future confusion on the purpose and design of the CRn pinning code.
Also note that if the attacker controls page-tables, the CRn bits lose much of
the attraction anyway.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
---
arch/x86/kernel/cpu/common.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c57e8972d30f..ec0670114efa 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -434,6 +434,19 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c)
/* These bits should not change their value after CPU init is finished. */
static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
X86_CR4_FSGSBASE | X86_CR4_CET;
+
+/*
+ * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).
+ * Since you can ROP directly to these instructions (barring shadow stack),
+ * any protection must follow immediately and unconditionally after that.
+ *
+ * Specifically, the CR[04] write functions below will have the value
+ * validation controlled by the @cr_pinning static_branch which is
+ * __ro_after_init, just like the cr4_pinned_bits value.
+ *
+ * Once set, an attacker will have to defeat page-tables to get around these
+ * restrictions. Which is a much bigger ask than 'simple' ROP.
+ */
static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
static unsigned long cr4_pinned_bits __ro_after_init;
--
2.51.0
prev parent reply other threads:[~2026-03-20 11:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-20 11:54 [PATCH 0/4] x86/CPU: Fix CR4 pinning and FRED in CoCo guests Borislav Petkov
2026-03-20 11:54 ` [PATCH 1/4] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() Borislav Petkov
2026-03-20 11:54 ` [PATCH 2/4] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Borislav Petkov
2026-03-20 17:49 ` Sohil Mehta
2026-03-20 11:54 ` [PATCH 3/4] x86/fred: Fix early boot failures on SEV-ES/SNP guests Borislav Petkov
2026-03-20 11:54 ` Borislav Petkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260320115417.4156-5-bp@kernel.org \
--to=bp@kernel.org \
--cc=bp@alien8.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nikunj@amd.com \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.