From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "x86@kernel.org" <x86@kernel.org>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"minipli@grsecurity.net" <minipli@grsecurity.net>,
	"tglx@kernel.org" <tglx@kernel.org>,
	"bp@alien8.de" <bp@alien8.de>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>
Cc: "peterz@infradead.org" <peterz@infradead.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3] x86/cpufeatures: Make X86_FEATURE_SHSTK clearcpuid-able
Date: Thu, 14 May 2026 17:01:58 +0000
Message-ID: <bcc1b19041ec406a11a47a6feff598f76b0a3934.camel@intel.com>
In-Reply-To: <20260514160932.91556-1-minipli@grsecurity.net>

On Thu, 2026-05-14 at 18:09 +0200, Mathias Krause wrote:
> Allow X86_FEATURE_SHSTK to be disabled through the kernel commandline via
> 'clearcpuid=shstk' as 'nousershstk' would still enable CR4.CET even if
> no CET features are in use.
> 
> This, in combination with disabling IBT as well, e.g. via
> 'clearcpuid=shstk,ibt' allows to fully disable CR4.CET enabling on
> capable hardware, which in turn allows debugging CET-related issues
> during early boot.
> 
> Signed-off-by: Mathias Krause <minipli@grsecurity.net>
> ---
> v3:
> - switch to clearcpuid-based approach
> v2: https://lore.kernel.org/lkml/20260402173606.1096172-1-minipli@grsecurity.net/
> 
>  arch/x86/include/asm/cpufeatures.h       | 2 +-

To the general approach:
Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

>  tools/arch/x86/include/asm/cpufeatures.h | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 1d506e5d6f46..75cc39037df6 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -393,7 +393,7 @@
>  #define X86_FEATURE_OSPKE		(16*32+ 4) /* "ospke" OS Protection Keys Enable */
>  #define X86_FEATURE_WAITPKG		(16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUSE Instructions */
>  #define X86_FEATURE_AVX512_VBMI2	(16*32+ 6) /* "avx512_vbmi2" Additional AVX512 Vector Bit Manipulation Instructions */
> -#define X86_FEATURE_SHSTK		(16*32+ 7) /* Shadow stack */
> +#define X86_FEATURE_SHSTK		(16*32+ 7) /* "shstk" CET Shadow Stack */

I hate to generate another version but adding CET here is an unnecessary change.
IBT doesn't match then. 

>  #define X86_FEATURE_GFNI		(16*32+ 8) /* "gfni" Galois Field New Instructions */
>  #define X86_FEATURE_VAES		(16*32+ 9) /* "vaes" Vector AES */
>  #define X86_FEATURE_VPCLMULQDQ		(16*32+10) /* "vpclmulqdq" Carry-Less Multiplication Double Quadword */
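
Review bot: the + line for X86_FEATURE_SHSTK changes two things at once: it adds the quoted "shstk" name, which is what the subject line is about, and it rewords the description from "Shadow stack" to "CET Shadow Stack", which the commit message does not mention. Suggest leaving the description text as it was and adding only the "shstk" string, so the diff is limited to the change the changelog describes.
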
> diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
> index 86d17b195e79..fcbe633e1f76 100644
> --- a/tools/arch/x86/include/asm/cpufeatures.h
> +++ b/tools/arch/x86/include/asm/cpufeatures.h
> @@ -393,7 +393,7 @@
>  #define X86_FEATURE_OSPKE		(16*32+ 4) /* "ospke" OS Protection Keys Enable */
>  #define X86_FEATURE_WAITPKG		(16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUSE Instructions */
>  #define X86_FEATURE_AVX512_VBMI2	(16*32+ 6) /* "avx512_vbmi2" Additional AVX512 Vector Bit Manipulation Instructions */
> -#define X86_FEATURE_SHSTK		(16*32+ 7) /* Shadow stack */
> +#define X86_FEATURE_SHSTK		(16*32+ 7) /* "shstk" CET Shadow Stack */
>  #define X86_FEATURE_GFNI		(16*32+ 8) /* "gfni" Galois Field New Instructions */
>  #define X86_FEATURE_VAES		(16*32+ 9) /* "vaes" Vector AES */
>  #define X86_FEATURE_VPCLMULQDQ		(16*32+10) /* "vpclmulqdq" Carry-Less Multiplication Double Quadword */
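
Review bot: the commit message does not say why the tools/ copy of cpufeatures.h is touched; the + line for X86_FEATURE_SHSTK here is identical to the one in arch/x86, including the "CET Shadow Stack" rewording, so any change to the comment text in a later version has to be applied to both files. Suggest a sentence in the changelog stating that the tools header is updated to keep the two copies identical.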

