Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable

[Mathias Krause <minipli@grsecurity.net>]

[-- Attachment #1.1: Type: text/plain, Size: 1634 bytes --]


On 5/14/26 02:31, Edgecombe, Rick P wrote:
> On Wed, 2026-05-13 at 22:51 +0200, Mathias Krause wrote:
>> On 08.05.26 18:35, Edgecombe, Rick P wrote:
>>> On Fri, 2026-05-08 at 09:23 +0200, Mathias Krause wrote:
>>>>> Now that KVM uses this this feature independently of X86_FEATURE_USER_SHSTK,
>>>>> it might be good to have the plain HW shstk feature exposed for just normal
>>>>> runtime user use. (+Chao, for KVM CET)
>>>>
>>>> But that sounds more like having the need for an official chicken bit,
>>>> like I was proposing, no? Using 'clearcpuid=shstk' as a workaround for
>>>> whatever KVM bugs, similar in spirit to 'nousershstk', but without the
>>>> kernel taint?
>>>
>>> For users to turn off shadow stack for guests? You can do this via the KVM API
>>> in the normal way you customize guests.
>>
>> https://git.kernel.org/linus/2d5d3fc593c9b7e41bee86175d7b9e11f470072e
>>
>> Oh, well....
> 
> Heh, well, the clearcpuid would have helped debugging I guess. And that module
> param turns off shadow stack for KVM, but not for userspace. So doesn't help
> your CR4.CET problems I guess.

Yeah, I was more trying to say that if the initial version of my patch
would have landed, it could be used to workaround the KVM issue in the
meantime as well. Anyhow!

> 
> Are you planning to send another revision of the clearcpuid approach? I'm
> convinced something like this is a good thing to have, so I'll probably pick it
> up if you don't.

Sorry, I was busy with holidays and travel. Here we go:
https://lore.kernel.org/lkml/20260514160932.91556-1-minipli@grsecurity.net/

Thanks,
Mathias

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 665 bytes --]