From: Borislav Petkov
To: X86 ML
Cc: Nikunj A Dadhania, LKML, Peter Zijlstra, "Borislav Petkov (AMD)"
Subject: [PATCH 4/4] x86/cpu: Add comment clarifying CRn pinning
Date: Fri, 20 Mar 2026 12:54:17 +0100
Message-ID: <20260320115417.4156-5-bp@kernel.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260320115417.4156-1-bp@kernel.org>
References: <20260320115417.4156-1-bp@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Peter Zijlstra

To avoid future confusion on the purpose and design of the CRn pinning code. Also note that if the attacker controls page-tables, the CRn bits lose much of the attraction anyway.

Signed-off-by: Peter Zijlstra (Intel)
Signed-off-by: Borislav Petkov (AMD)
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
---
 arch/x86/kernel/cpu/common.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c57e8972d30f..ec0670114efa 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -434,6 +434,19 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c) /* These bits should not change their value after CPU init is finished. */ static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP | X86_CR4_FSGSBASE | X86_CR4_CET; + +/* + * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s). + * Since you can ROP directly to these instructions (barring shadow stack), + * any protection must follow immediately and unconditionally after that. + * + * Specifically, the CR[04] write functions below will have the value + * validation controlled by the @cr_pinning static_branch which is + * __ro_after_init, just like the cr4_pinned_bits value. + * + * Once set, an attacker will have to defeat page-tables to get around these + * restrictions. Which is a much bigger ask than 'simple' ROP. + */ static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning); static unsigned long cr4_pinned_bits __ro_after_init; -- 2.51.0
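Review bot: The new comment says the protection "must follow immediately and unconditionally" after the 'mov %reg, %CRn' instruction, and two sentences later says the validation is "controlled by the @cr_pinning static_branch", which reads as a contradiction until the reader works out why a static key counts as unconditional. One clause stating the reason explicitly would settle it: the key is __ro_after_init, so the branch is patched once at boot and cannot be flipped afterwards, which is exactly what stops an attacker from first disabling the check. Two smaller points in the same block: "CR[04]" reads like a regex in a prose comment and is easy to misparse, so spell it out as "CR0 and CR4"; and "Once set, an attacker will have to defeat page-tables to get around these restrictions. Which is a much bigger ask than 'simple' ROP." leaves a sentence fragment, which folds cleanly into the preceding sentence as "... to get around these restrictions, which is a much bigger ask than 'simple' ROP."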