From: Richard Patel <ripatel@wii.dev>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org, Rick Edgecombe <rick.p.edgecombe@intel.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Kees Cook <kees@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/7] x86: ban 32-bit sigreturn when user IBT enabled
Date: Sun, 24 May 2026 21:53:09 +0000
Message-ID: <ahNzRYro0gOkaXDZ@wii.dev>
In-Reply-To: <F10D66BF-C851-4B14-81D7-E5F1E15A325B@zytor.com>
On Mon, May 18, 2026 at 01:22:19PM -0700, H. Peter Anvin wrote:
> On May 17, 2026 11:30:21 AM PDT, Richard Patel <ripatel@wii.dev> wrote:
> >diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c
> >index e55cf19e68fe..7cb76d794366 100644
> >--- a/arch/x86/kernel/signal_32.c
> >+++ b/arch/x86/kernel/signal_32.c
> >@@ -143,6 +143,11 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs,
> > regs->ds = fixup_rpl(sc.ds);
> > #endif
> >
> >+#ifdef CONFIG_X86_USER_IBT
> >+ if (current->thread.ibt)
> >+ return false;
> >+#endif
> >+
> > return fpu__restore_sig(compat_ptr(sc.fpstate), 1);
> > }
> >
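Review bot: the `+ if (current->thread.ibt) return false;` check sits after the segment registers have already been written back into regs (the context line `regs->ds = fixup_rpl(sc.ds);` runs just above it), so a refused 32-bit sigreturn leaves pt_regs partially overwritten from the user frame before the caller takes its failure path; unless that path is guaranteed to kill the task, hoist the check to the top of ia32_restore_sigcontext() before anything is copied out of sc. The hunk also carries no comment on why the restore is refused; a one-liner saying that sigframe_ia32 has no uc_flags to carry the IBT tracker state, so the frame cannot restore it, would spare the next reader a trip to the cover letter.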
>
> Dumb question: is there any reason not to just enable it for 32 bits? It doesn't seem that it would be that big of a delta to Just Do It.™
>
> That being said, I suspect the number of users will be very small if any.
Hello Peter,
I researched 32-bit user IBT support a bit more.
Intel's original patches used uc_flags, which is not available in the
legacy 32-bit frame (breaks sigreturn(2)).
But you could also store Intel CET state via XSAVE into sigframe
fpstate, like for Arm64 BTI.
Unfortunately though, this includes both CET control flags ("is IBT
enabled?") and user state (WAIT_FOR_ENDBR). Since fpstate is writable,
XFEATURE_USER_CET is in XFEATURE_MASK_SUPERVISOR_ALL.
So, we have 3 options:
1. Include CET in both XSAVE and XRSTOR, but revert user changes to
control bits before restoring.
2. Include CET in XSAVE, exclude CET from XRSTOR.
Parse XSAVE and restore IBT state "by hand".
* Breaking XSAVE/XRSTOR symmetry seems like a bad idea?
But the user can already remove xfeatures bits, I think.
3. No CET in XSAVE, instead abuse uc_flags to save this state bit
(this patch series).
* uc_flags does not exist in sigframe_ia32, which hasn't been touched
in 10 years
IMO: Option 1 seems crazy. Option 2 worth a sketch. Option 3 is ugly.
Really curious what you think. I'm going to send out v2 today with
option 2 (CET XSAVE, software restore), and if anyone hates it,
I will revert to option 3 (CET software backup and restore), and at
least add rt_sigreturn ia32 support.
Btw, OpenBSD doesn't do any of these and discards IBT state.
So, if you spam signals on OpenBSD, you can bypass their IBT.
That is, uh, option 4, I guess.
Thanks,
-Richard
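As an added illustration, not code from this series or the kernel: a userspace C sketch of the by-hand restore that options 1 and 2 above amount to, reading the user CET component out of a signal-frame XSAVE area and letting only the hardware tracker state (WAIT_FOR_ENDBRANCH, SUPPRESS) through while the kernel's own copy supplies ENDBR_EN and the other control bits. The IA32_U_CET bit positions and the XSAVE header offset follow the Intel SDM; the component offset (768) and the 1 KiB frame are constructed for the demo, and the split between "control" and "state" bits is this example's policy, not the series'.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define XSAVE_HDR_OFF     512   /* XSAVE header (XSTATE_BV first) follows the 512-byte legacy region */
#define XFEATURE_CET_USER 11    /* XSTATE_BV bit number for the user CET component */
#define DEMO_CET_OFF      768   /* constructed component offset; real code takes it from CPUID.(0Dh,11) */

/* IA32_U_CET layout (Intel SDM). Bits 5:0 are the enables (SH_STK_EN, WR_SHSTK_EN,
 * ENDBR_EN, LEG_IW_EN, NO_TRACK_EN, SUPPRESS_DIS) and 63:12 EB_LEG_BITMAP_BASE:
 * all kernel-owned control. SUPPRESS and TRACKER are hardware-maintained state. */
#define U_CET_ENDBR_EN     (1ULL << 2)
#define U_CET_SUPPRESS     (1ULL << 10)
#define U_CET_TRACKER      (1ULL << 11)   /* 1 = WAIT_FOR_ENDBRANCH */
#define U_CET_CONTROL_MASK (0x3FULL | (~0ULL << 12))
#define U_CET_STATE_MASK   (U_CET_SUPPRESS | U_CET_TRACKER)

/* Merge the frame's U_CET into the kernel's current value: control bits come from
 * kernel_u_cet, tracker state from the frame. A clear CET bit in XSTATE_BV means the
 * component is in its init state (tracker IDLE, not suppressed). Returns false when
 * the buffer cannot hold the header or the 16-byte component (U_CET + PL3_SSP). */
static bool restore_u_cet_from_xsave(const uint8_t *xsave, size_t len, size_t cet_off,
                                     uint64_t kernel_u_cet, uint64_t *out)
{
    uint64_t xstate_bv, frame_u_cet = 0;
    if (len < XSAVE_HDR_OFF + sizeof xstate_bv)
        return false;
    memcpy(&xstate_bv, xsave + XSAVE_HDR_OFF, sizeof xstate_bv);
    if (xstate_bv & (1ULL << XFEATURE_CET_USER)) {
        if (cet_off + 16 > len || cet_off < XSAVE_HDR_OFF + 64)
            return false;
        memcpy(&frame_u_cet, xsave + cet_off, sizeof frame_u_cet);
    }
    *out = (kernel_u_cet & U_CET_CONTROL_MASK) | (frame_u_cet & U_CET_STATE_MASK);
    return true;
}

/* Build a constructed 1 KiB frame carrying frame_u_cet and run the restore;
 * returns the merged U_CET, or ~0 if the frame was rejected. */
static uint64_t demo_restore(bool cet_in_frame, uint64_t frame_u_cet, uint64_t kernel_u_cet)
{
    uint8_t xsave[1024] = {0};
    uint64_t xstate_bv = cet_in_frame ? (1ULL << XFEATURE_CET_USER) : 0, out = 0;
    memcpy(xsave + XSAVE_HDR_OFF, &xstate_bv, sizeof xstate_bv);
    memcpy(xsave + DEMO_CET_OFF, &frame_u_cet, sizeof frame_u_cet);
    return restore_u_cet_from_xsave(xsave, sizeof xsave, DEMO_CET_OFF, kernel_u_cet, &out) ? out : ~0ULL;
}
```

A frame that clears ENDBR_EN or sets any enable bit changes nothing, which is the property the "revert user changes to control bits" option is after.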