From: Peter Zijlstra <peterz@infradead.org>
To: Mathias Krause <minipli@grsecurity.net>
Cc: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, Rick Edgecombe <rick.p.edgecombe@intel.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/shstk: Provide kernel command line knob to disable
Date: Thu, 2 Apr 2026 18:04:48 +0200
Message-ID: <20260402160448.GD3738786@noisy.programming.kicks-ass.net>
In-Reply-To: <c935b113-95e5-4a93-85a2-333a4649793e@grsecurity.net>

On Thu, Apr 02, 2026 at 05:59:46PM +0200, Mathias Krause wrote:
> On 02.04.26 17:54, Peter Zijlstra wrote:
> > On Thu, Apr 02, 2026 at 05:44:05PM +0200, Mathias Krause wrote:
> >> Provide a kernel command line option 'shstk=off' to disable CET shadow
> >> stacks, much like 'ibt=off' can be used to disable CET IBT.
> >>
> >> With both set to off, it avoids setting CR4.CET on capable hardware to
> >> allow debugging related issues during early boot.
> >
> > Why though?
>
> I ran into related issues three times in the past now, where the lack of
> early exception handling and the lack of a knob to disable CR4.CET=1
> enabling made debugging this a real PITA. Now, with QEMU having gained
> CET virtualization support, that may be less of an issue.

Ah, I wrote the kernel IBT code using a host/qemu patched with very
early versions of those patches. It did indeed take ages for that stuff
to land upstream.

> However, in at least one case the UEFI firmware was involved and I had
> to test&debug on bare metal. Having such a knob allows ruling out or
> pin-pointing CET as the cause more easily.

Fair enough, although this should probably have made it in the
Changelog.

Other than that,

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>