Message-ID: <3d7c8d26-558d-40ef-9ad9-3a5100eed9e5@grsecurity.net>
Date: Mon, 4 May 2026 14:09:13 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, Rick Edgecombe, Peter Zijlstra
Cc: linux-kernel@vger.kernel.org
References: <20260402173606.1096172-1-minipli@grsecurity.net>
From: Mathias Krause
In-Reply-To: <20260402173606.1096172-1-minipli@grsecurity.net>

On 02.04.26 19:36, Mathias Krause wrote:
> Provide a kernel command line option 'shstk=off' to disable CET shadow
> stacks, much like 'ibt=off' can be used to disable CET IBT.
>
> With both set to off, it avoids setting CR4.CET on capable hardware to
> allow debugging related issues during early boot which I happened to
> have done way too many times in the recent past.
>
> Document it along with its sibling option 'ibt' in kernel-parameters.txt
> to allow others to find it more easily.
>
> Signed-off-by: Mathias Krause
> Acked-by: Peter Zijlstra (Intel)
> Acked-by: Rick Edgecombe
> ---
> v2:
> - pick up Acks
> - document the new option as well as ibt=
> - tweak changelog accordingly
>

Ping! Anything still to fix with this or is it ready to get merged?

Thanks,
Mathias

> Documentation/admin-guide/kernel-parameters.txt | 14 ++++++++++++++
> arch/x86/kernel/shstk.c | 9 +++++++++
> 2 files changed, 23 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 03a550630644..43bdf72f6495 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2248,6 +2248,16 @@ Kernel parameters > syscalls, essentially overriding IA32_EMULATION_DEFAULT_DISABLED at > boot time. When false, unconditionally disables IA32 emulation. > > + ibt= [X86-64] > + Format: ibt=warn, ibt=off > + Changes the handling of CET IBT violations in the kernel. > + > + The 'warn' setting makes CET IBT violations emit a > + warning only instead of being fatal while the 'off' > + setting completely disables CET IBT for the kernel. > + > + To fully disable CET, use 'ibt=off shstk=off'. > + > icn= [HW,ISDN] > Format: [,[,[,]]] > > @@ -6924,6 +6934,10 @@ Kernel parameters > Specify the MCLK divider for Intel SoundWire buses in > case the BIOS does not provide the clock rate properly. > > + shstk=off [X86-64] Disable CET userspace shadow stack support. > + > + To fully disable CET, use 'ibt=off shstk=off'. > + > skew_tick= [KNL,EARLY] Offset the periodic timer tick per cpu to mitigate > xtime_lock contention on larger systems, and/or RCU lock > contention on all systems with CONFIG_MAXSMP set. > diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c > index 978232b6d48d..68b46bf1540b 100644 > --- a/arch/x86/kernel/shstk.c > +++ b/arch/x86/kernel/shstk.c > @@ -542,6 +542,15 @@ static int shstk_disable(void) > return 0; > } > > +static int __init shstk_configure(char *str) > +{ > + if (!strcmp(str, "off")) > + setup_clear_cpu_cap(X86_FEATURE_SHSTK); > + > + return 1; > +} > +__setup("shstk=", shstk_configure); > + > SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags) > { > bool set_tok = flags & SHADOW_STACK_SET_TOKEN;
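Review bot: in the kernel-parameters.txt hunk at @@ -2248 (the new ibt= entry), the closing line "To fully disable CET, use 'ibt=off shstk=off'." does not say what "fully" means in observable terms, while the changelog does: with both set to off, CR4.CET is not set on capable hardware. That is precisely the effect someone debugging early boot wants to be able to confirm, so suggest stating it once in the documentation, e.g. "To fully disable CET (CR4.CET is then left clear), use 'ibt=off shstk=off'." The rest of the entry reads fine and correctly limits 'off' to kernel IBT.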
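Review bot: in the kernel-parameters.txt hunk at @@ -6924, the new entry is indexed as "shstk=off [X86-64]" with no Format line, whereas the ibt entry added by the same patch is indexed as "ibt= [X86-64]" with "Format: ibt=warn, ibt=off". The option is registered as "shstk=" (see the __setup("shstk=", shstk_configure) hunk in shstk.c), so suggest the same shape here, e.g. "shstk= [X86-64]" followed by "Format: shstk=off" and the existing description, so that a reader searching for the option name finds it and it is explicit that 'off' is the only recognised value.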
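Review bot: in the arch/x86/kernel/shstk.c hunk, shstk_configure() returns 1 for every value, so anything other than "off" (a typo such as shstk=of, or shstk=on) is reported to the core as handled while the feature silently stays enabled. Since the option exists to help debug early boot, a silently ignored value is the worst outcome; suggest either returning 0 when str is not "off", so the core does not treat the parameter as consumed, or emitting a pr_warn() naming the unrecognised value before returning. The strcmp(str, "off") check followed by setup_clear_cpu_cap(X86_FEATURE_SHSTK) otherwise matches the documented behaviour "Disable CET userspace shadow stack support".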