From: Richard Patel <ripatel@wii.dev>
To: x86@kernel.org
Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
Andy Lutomirski <luto@kernel.org>, Kees Cook <kees@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/7] x86: add userspace IBT config option
Date: Sun, 17 May 2026 13:30:18 -0500 [thread overview]
Message-ID: <20260517183024.16292-2-ripatel@wii.dev> (raw)
In-Reply-To: <20260517183024.16292-1-ripatel@wii.dev>
Adds a X86_USER_IBT Kconfig option and "nouseribt" command-line
option. Default disabled for now.
These prepare for userspace support for IBT (forward-edge control
flow integrity protection).
User IBT works even if kernel IBT is disabled. However, ibt=off
also disables user IBT.
Signed-off-by: Richard Patel <ripatel@wii.dev>
---
arch/x86/Kconfig | 17 +++++++++++++++++
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/kernel/cet.c | 3 ++-
arch/x86/kernel/cpu/common.c | 14 ++++++++++++--
tools/arch/x86/include/asm/cpufeatures.h | 1 +
5 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f3f7cb01d69d..12cc944b63c7 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1901,6 +1901,23 @@ config X86_USER_SHADOW_STACK
If unsure, say N.
+config X86_USER_IBT
+ bool "X86 userspace indirect branch tracking"
+ depends on X86_64
+ select X86_CET
+ help
+ Support Indirect Branch Tracking protection for userspace
+ applications. IBT is a hardware-supported coarse-grained
+ forward-edge Control Flow Integrity protection feature.
+ It enforces that all indirect calls must land on an ENDBR
+ instruction. Applications must be enabled to use it, and old
+ userspace does not get protection "for free". Enables the
+ PR_CFI_BRANCH_LANDING_PADS prctl CFI option.
+
+ CPUs supporting IBT were first released in 2021.
+
+ If unsure, say N.
+
config INTEL_TDX_HOST
bool "Intel Trust Domain Extensions (TDX) host support"
depends on CPU_SUP_INTEL
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 1d506e5d6f46..1825cbf864c0 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -516,6 +516,7 @@
* and purposes if CLEAR_CPU_BUF_VM is set).
*/
#define X86_FEATURE_X2AVIC_EXT (21*32+20) /* AMD SVM x2AVIC support for 4k vCPUs */
+#define X86_FEATURE_USER_IBT (21*32+21) /* Indirect Branch Tracking for user mode applications */
/*
* BUG word(s)
diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c
index 99444409c026..3ccf47e82da1 100644
--- a/arch/x86/kernel/cet.c
+++ b/arch/x86/kernel/cet.c
@@ -149,7 +149,8 @@ __setup("ibt=", ibt_setup);
DEFINE_IDTENTRY_ERRORCODE(exc_control_protection)
{
if (user_mode(regs)) {
- if (cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+ if (cpu_feature_enabled(X86_FEATURE_USER_SHSTK) ||
+ cpu_feature_enabled(X86_FEATURE_USER_IBT))
do_user_cp_fault(regs, error_code);
else
do_unexpected_cp(regs, error_code);
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index a4268c47f2bc..2839edd92331 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -634,7 +634,7 @@ __noendbr void ibt_restore(u64 save)
static __always_inline void setup_cet(struct cpuinfo_x86 *c)
{
- bool user_shstk, kernel_ibt;
+ bool user_shstk, kernel_ibt, user_ibt;
if (!IS_ENABLED(CONFIG_X86_CET))
return;
@@ -642,13 +642,19 @@ static __always_inline void setup_cet(struct cpuinfo_x86 *c)
kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT);
user_shstk = cpu_feature_enabled(X86_FEATURE_SHSTK) &&
IS_ENABLED(CONFIG_X86_USER_SHADOW_STACK);
+ /* User IBT only needs hardware IBT, not kernel-enabled IBT. */
+ user_ibt = cpu_has(c, X86_FEATURE_IBT) &&
+ IS_ENABLED(CONFIG_X86_USER_IBT);
- if (!kernel_ibt && !user_shstk)
+ if (!kernel_ibt && !user_shstk && !user_ibt)
return;
if (user_shstk)
set_cpu_cap(c, X86_FEATURE_USER_SHSTK);
+ if (user_ibt)
+ set_cpu_cap(c, X86_FEATURE_USER_IBT);
+
if (kernel_ibt)
wrmsrq(MSR_IA32_S_CET, CET_ENDBR_EN);
else
@@ -666,6 +672,7 @@ static __always_inline void setup_cet(struct cpuinfo_x86 *c)
__noendbr void cet_disable(void)
{
if (!(cpu_feature_enabled(X86_FEATURE_IBT) ||
+ cpu_feature_enabled(X86_FEATURE_USER_IBT) ||
cpu_feature_enabled(X86_FEATURE_SHSTK)))
return;
@@ -1760,6 +1767,9 @@ static void __init cpu_parse_early_param(void)
if (cmdline_find_option_bool(boot_command_line, "nousershstk"))
setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
+ if (cmdline_find_option_bool(boot_command_line, "nouseribt"))
+ setup_clear_cpu_cap(X86_FEATURE_USER_IBT);
+
/* Minimize the gap between FRED is available and available but disabled. */
arglen = cmdline_find_option(boot_command_line, "fred", arg, sizeof(arg));
if (arglen == 3 && !strncmp(arg, "off", 3))
diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
index 86d17b195e79..1cf22d27c7a1 100644
--- a/tools/arch/x86/include/asm/cpufeatures.h
+++ b/tools/arch/x86/include/asm/cpufeatures.h
@@ -515,6 +515,7 @@
* and purposes if CLEAR_CPU_BUF_VM is set).
*/
#define X86_FEATURE_X2AVIC_EXT (21*32+20) /* AMD SVM x2AVIC support for 4k vCPUs */
+#define X86_FEATURE_USER_IBT (21*32+21) /* Indirect Branch Tracking for user mode applications */
/*
* BUG word(s)
--
2.47.3
next prev parent reply other threads:[~2026-05-17 18:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 18:30 [PATCH 0/7] Usermode Indirect Branch Tracking Richard Patel
2026-05-17 18:30 ` Richard Patel [this message]
2026-05-17 18:30 ` [PATCH 2/7] x86: shstk: don't clobber IBT bits in U_CET MSR Richard Patel
2026-05-17 18:30 ` [PATCH 3/7] x86: signal handler support for IBT Richard Patel
2026-05-17 18:30 ` [PATCH 4/7] x86: ban 32-bit sigreturn when user IBT enabled Richard Patel
2026-05-18 20:22 ` H. Peter Anvin
2026-05-19 0:14 ` Richard Patel
2026-05-24 21:53 ` Richard Patel
2026-05-25 11:05 ` David Laight
2026-05-17 18:30 ` [PATCH 5/7] x86: expose user IBT via PR_CFI_BRANCH_LANDING_PADS Richard Patel
2026-05-18 6:46 ` Richard Patel
2026-05-17 18:30 ` [PATCH 6/7] x86/entry/vdso: build with IBT support Richard Patel
2026-05-17 18:30 ` [PATCH 7/7] selftests/x86: test usermode IBT Richard Patel
2026-05-18 7:36 ` [PATCH 0/7] Usermode Indirect Branch Tracking Peter Zijlstra
2026-05-18 16:25 ` Richard Patel
2026-05-18 19:31 ` Peter Zijlstra
2026-05-19 9:33 ` David Laight
2026-05-19 9:40 ` Peter Zijlstra
2026-05-19 13:14 ` Richard Patel
2026-05-19 13:28 ` David Laight
2026-05-19 14:18 ` Richard Patel
2026-05-19 14:42 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517183024.16292-2-ripatel@wii.dev \
--to=ripatel@wii.dev \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=shuah@kernel.org \
--cc=tglx@kernel.org \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.