[PATCH v2] x86/shstk: Provide kernel command line knob to disable

[PATCH v2] x86/shstk: Provide kernel command line knob to disable

[Mathias Krause]

Provide a kernel command line option 'shstk=off' to disable CET shadow
stacks, much like 'ibt=off' can be used to disable CET IBT.

With both set to off, it avoids setting CR4.CET on capable hardware to
allow debugging related issues during early boot which I happened to
have done way too many times in the recent past.

Document it along with its sibling option 'ibt' in kernel-parameters.txt
to allow others to find it more easily.

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
v2:
- pick up Ack's
- document the new option as well as ibt=
- tweak changelog accordingly

 Documentation/admin-guide/kernel-parameters.txt | 14 ++++++++++++++
 arch/x86/kernel/shstk.c                         |  9 +++++++++
 2 files changed, 23 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 03a550630644..43bdf72f6495 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2248,6 +2248,16 @@ Kernel parameters
 			syscalls, essentially overriding IA32_EMULATION_DEFAULT_DISABLED at
 			boot time. When false, unconditionally disables IA32 emulation.
 
+	ibt=		[X86-64]
+			Format: ibt=warn, ibt=off
+			Changes the handling of CET IBT violations in the kernel.
+
+			The 'warn' setting makes CET IBT violations emit a
+			warning only instead of being fatal while the 'off'
+			setting completely disables CET IBT for the kernel.
+
+			To fully disable CET, use 'ibt=off shstk=off'.
+
 	icn=		[HW,ISDN]
 			Format: <io>[,<membase>[,<icn_id>[,<icn_id2>]]]
 
@@ -6924,6 +6934,10 @@ Kernel parameters
 			Specify the MCLK divider for Intel SoundWire buses in
 			case the BIOS does not provide the clock rate properly.
 
+	shstk=off	[X86-64] Disable CET userspace shadow stack support.
+
+			To fully disable CET, use 'ibt=off shstk=off'.
+
 	skew_tick=	[KNL,EARLY] Offset the periodic timer tick per cpu to mitigate
 			xtime_lock contention on larger systems, and/or RCU lock
 			contention on all systems with CONFIG_MAXSMP set.
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 978232b6d48d..68b46bf1540b 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -542,6 +542,15 @@ static int shstk_disable(void)
 	return 0;
 }
 
+static int __init shstk_configure(char *str)
+{
+	if (!strcmp(str, "off"))
+		setup_clear_cpu_cap(X86_FEATURE_SHSTK);
+
+	return 1;
+}
+__setup("shstk=", shstk_configure);
+
 SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
 {
 	bool set_tok = flags & SHADOW_STACK_SET_TOKEN;
-- 
2.47.3

Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable

[Mathias Krause]

On 02.04.26 19:36, Mathias Krause wrote:
> Provide a kernel command line option 'shstk=off' to disable CET shadow
> stacks, much like 'ibt=off' can be used to disable CET IBT.
> 
> With both set to off, it avoids setting CR4.CET on capable hardware to
> allow debugging related issues during early boot which I happened to
> have done way too many times in the recent past.
> 
> Document it along with its sibling option 'ibt' in kernel-parameters.txt
> to allow others to find it more easily.
> 
> Signed-off-by: Mathias Krause <minipli@grsecurity.net>
> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> ---
> v2:
> - pick up Ack's
> - document the new option as well as ibt=
> - tweak changelog accordingly
> 

Ping!

Anything still to fix with this or is it ready to get merged?

Thanks,
Mathias


>  Documentation/admin-guide/kernel-parameters.txt | 14 ++++++++++++++
>  arch/x86/kernel/shstk.c                         |  9 +++++++++
>  2 files changed, 23 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 03a550630644..43bdf72f6495 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2248,6 +2248,16 @@ Kernel parameters
>  			syscalls, essentially overriding IA32_EMULATION_DEFAULT_DISABLED at
>  			boot time. When false, unconditionally disables IA32 emulation.
>  
> +	ibt=		[X86-64]
> +			Format: ibt=warn, ibt=off
> +			Changes the handling of CET IBT violations in the kernel.
> +
> +			The 'warn' setting makes CET IBT violations emit a
> +			warning only instead of being fatal while the 'off'
> +			setting completely disables CET IBT for the kernel.
> +
> +			To fully disable CET, use 'ibt=off shstk=off'.
> +
>  	icn=		[HW,ISDN]
>  			Format: <io>[,<membase>[,<icn_id>[,<icn_id2>]]]
>  
> @@ -6924,6 +6934,10 @@ Kernel parameters
>  			Specify the MCLK divider for Intel SoundWire buses in
>  			case the BIOS does not provide the clock rate properly.
>  
> +	shstk=off	[X86-64] Disable CET userspace shadow stack support.
> +
> +			To fully disable CET, use 'ibt=off shstk=off'.
> +
>  	skew_tick=	[KNL,EARLY] Offset the periodic timer tick per cpu to mitigate
>  			xtime_lock contention on larger systems, and/or RCU lock
>  			contention on all systems with CONFIG_MAXSMP set.
> diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
> index 978232b6d48d..68b46bf1540b 100644
> --- a/arch/x86/kernel/shstk.c
> +++ b/arch/x86/kernel/shstk.c
> @@ -542,6 +542,15 @@ static int shstk_disable(void)
>  	return 0;
>  }
>  
> +static int __init shstk_configure(char *str)
> +{
> +	if (!strcmp(str, "off"))
> +		setup_clear_cpu_cap(X86_FEATURE_SHSTK);
> +
> +	return 1;
> +}
> +__setup("shstk=", shstk_configure);
> +
>  SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
>  {
>  	bool set_tok = flags & SHADOW_STACK_SET_TOKEN;

Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable

[Dave Hansen]

On 5/4/26 05:09, Mathias Krause wrote:
> +static int __init shstk_configure(char *str)
> +{
> +	if (!strcmp(str, "off"))
> +		setup_clear_cpu_cap(X86_FEATURE_SHSTK);
> +
> +	return 1;
> +}
> +__setup("shstk=", shstk_configure);

Is there a reason that clearcpuid=shstk doesn't work in this case? I
guess shstk and ibt are peers, but I was kinda hoping we'd stop adding
these for every single CPU feature at _some_ point.

Adding the documentation for ibt= is definitely a good idea, though.

Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable

[Edgecombe, Rick P]

On Wed, 2026-05-06 at 12:03 -0700, Dave Hansen wrote:
> Is there a reason that clearcpuid=shstk doesn't work in this case? I
> guess shstk and ibt are peers, but I was kinda hoping we'd stop adding
> these for every single CPU feature at _some_ point.

Oh yea, for the reason of "debugging related issues during early boot"
clearcpuid of shstk and ibt should be fine. It taints the kernel, but should be
fine for debugging? If I'm reading this right, the kernel does the clearcpuid
processing before setting up CET bits.

I'm remembering we actually already have a "nousershstk" too, which covers the
"userspace init cet violations break boot" usage.

What that doesn't do though, is clear CR4.CET. With nousershstk, KVM can still
use CET. So that is what is missing. A way to clear CR4.CET without tainting the
kernel when HW supports CET. Do we need it?