From: Borislav Petkov <bp@kernel.org>
To: X86 ML <x86@kernel.org>
Cc: Nikunj A Dadhania <nikunj@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
"Borislav Petkov (AMD)" <bp@alien8.de>
Subject: [PATCH 4/4] x86/cpu: Add comment clarifying CRn pinning
Date: Fri, 20 Mar 2026 12:54:17 +0100 [thread overview]
Message-ID: <20260320115417.4156-5-bp@kernel.org> (raw)
In-Reply-To: <20260320115417.4156-1-bp@kernel.org>
From: Peter Zijlstra <peterz@infradead.org>
To avoid future confusion on the purpose and design of the CRn pinning code.
Also note that if the attacker controls page-tables, the CRn bits lose much of
the attraction anyway.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
---
arch/x86/kernel/cpu/common.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c57e8972d30f..ec0670114efa 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -434,6 +434,19 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c)
/* These bits should not change their value after CPU init is finished. */
static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
X86_CR4_FSGSBASE | X86_CR4_CET;
+
+/*
+ * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).
+ * Since you can ROP directly to these instructions (barring shadow stack),
+ * any protection must follow immediately and unconditionally after that.
+ *
+ * Specifically, the CR[04] write functions below will have the value
+ * validation controlled by the @cr_pinning static_branch which is
+ * __ro_after_init, just like the cr4_pinned_bits value.
+ *
+ * Once set, an attacker will have to defeat page-tables to get around these
+ * restrictions. Which is a much bigger ask than 'simple' ROP.
+ */
static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
static unsigned long cr4_pinned_bits __ro_after_init;
--
2.51.0
prev parent reply other threads:[~2026-03-20 11:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-20 11:54 [PATCH 0/4] x86/CPU: Fix CR4 pinning and FRED in CoCo guests Borislav Petkov
2026-03-20 11:54 ` [PATCH 1/4] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling() Borislav Petkov
2026-03-20 11:54 ` [PATCH 2/4] x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask Borislav Petkov
2026-03-20 17:49 ` Sohil Mehta
2026-03-20 11:54 ` [PATCH 3/4] x86/fred: Fix early boot failures on SEV-ES/SNP guests Borislav Petkov
2026-03-20 11:54 ` Borislav Petkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260320115417.4156-5-bp@kernel.org \
--to=bp@kernel.org \
--cc=bp@alien8.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nikunj@amd.com \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox