Date: Thu, 2 Apr 2026 18:04:48 +0200
From: Peter Zijlstra
To: Mathias Krause
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, Rick Edgecombe, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/shstk: Provide kernel command line knob to disable
Message-ID: <20260402160448.GD3738786@noisy.programming.kicks-ass.net>
References: <20260402154405.1090935-1-minipli@grsecurity.net> <20260402155452.GD3739027@noisy.programming.kicks-ass.net>

On Thu, Apr 02, 2026 at 05:59:46PM +0200, Mathias Krause wrote:
> On 02.04.26 17:54, Peter Zijlstra wrote:
> > On Thu, Apr 02, 2026 at 05:44:05PM +0200, Mathias Krause wrote:
> >> Provide a kernel command line option 'shstk=off' to disable CET shadow
> >> stacks, much like 'ibt=off' can be used to disable CET IBT.
> >>
> >> With both set to off, it avoids setting CR4.CET on capable hardware to
> >> allow debugging related issues during early boot.
> >
> > Why though?
>
> I ran into related issues three times in the past now, where the lack of
> early exception handling and the lack of a knob to disable CR4.CET=1
> enabling made debugging this a real PITA. Now, with QEMU having gained
> CET virtualization support, that may be less of an issue.

Ah, I wrote the kernel IBT code using a host/qemu patched with very early
versions of those patches. It did indeed take ages for that stuff to
land upstream.

> However, in at least one case the UEFI firmware was involved and I had
> to test&debug on bare metal. Having such a knob allows ruling out or
> pin-pointing CET as the cause more easily.

Fair enough, although this should probably have made it in the
Changelog.

Other than that,

Acked-by: Peter Zijlstra (Intel)