From: Peter Zijlstra <peterz@infradead.org>
To: Andrew Cooper <Andrew.Cooper3@citrix.com>
Cc: "x86@kernel.org" <x86@kernel.org>,
"joao@overdrivepizza.com" <joao@overdrivepizza.com>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"jpoimboe@redhat.com" <jpoimboe@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"ndesaulniers@google.com" <ndesaulniers@google.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"samitolvanen@google.com" <samitolvanen@google.com>,
"mark.rutland@arm.com" <mark.rutland@arm.com>,
"alyssa.milburn@intel.com" <alyssa.milburn@intel.com>
Subject: Re: [PATCH 14/29] x86/ibt: Add IBT feature, MSR and #CP handling
Date: Fri, 18 Feb 2022 22:15:16 +0100 [thread overview]
Message-ID: <YhAMZNDJAjB69cEX@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <c96d394c-d98e-1ff9-4919-a561c585d4a6@citrix.com>
On Fri, Feb 18, 2022 at 07:31:38PM +0000, Andrew Cooper wrote:
> On 18/02/2022 16:49, Peter Zijlstra wrote:
> > --- a/arch/x86/kernel/cpu/common.c
> > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -592,6 +593,27 @@ static __init int setup_disable_pku(char
> > __setup("nopku", setup_disable_pku);
> > #endif /* CONFIG_X86_64 */
> >
> > +static __always_inline void setup_cet(struct cpuinfo_x86 *c)
> > +{
> > + u64 msr;
> > +
> > + if (!IS_ENABLED(CONFIG_X86_IBT) ||
> > + !cpu_feature_enabled(X86_FEATURE_IBT))
> > + return;
> > +
> > + cr4_set_bits(X86_CR4_CET);
> > +
> > + rdmsrl(MSR_IA32_S_CET, msr);
> > + if (cpu_feature_enabled(X86_FEATURE_IBT))
> > + msr |= CET_ENDBR_EN;
> > + wrmsrl(MSR_IA32_S_CET, msr);
>
> So something I learnt the hard way with shstk is that you really want to
> disable S_CET before heading into purgatory.
>
> I've got no idea what's going to result from UEFI finally getting CET
> support. However, clearing out the other IBT settings is probably a
> wise move.
>
> In particular, if there was a stale legacy bitmap pointer, then
> ibt_selftest() could take #PF ahead of #CP.
How's this then? That writes the whole state to a known value before
enabling CR4.CET to make the thing go...
+static __always_inline void setup_cet(struct cpuinfo_x86 *c)
+{
+ u64 msr = CET_ENDBR_EN;
+
+ if (!IS_ENABLED(CONFIG_X86_IBT) ||
+ !cpu_feature_enabled(X86_FEATURE_IBT))
+ return;
+
+ wrmsrl(MSR_IA32_S_CET, msr);
+ cr4_set_bits(X86_CR4_CET);
+
+ if (!ibt_selftest()) {
+ pr_err("IBT selftest: Failed!\n");
+ setup_clear_cpu_cap(X86_FEATURE_IBT);
+ }
+}
next prev parent reply other threads:[~2022-02-18 21:15 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-18 16:49 [PATCH 00/29] x86: Kernel IBT Peter Zijlstra
2022-02-18 16:49 ` [PATCH 01/29] static_call: Avoid building empty .static_call_sites Peter Zijlstra
2022-02-18 16:49 ` [PATCH 02/29] x86/module: Fix the paravirt vs alternative order Peter Zijlstra
2022-02-18 20:28 ` Josh Poimboeuf
2022-02-18 21:22 ` Peter Zijlstra
2022-02-18 23:28 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 03/29] objtool: Add --dry-run Peter Zijlstra
2022-02-18 16:49 ` [PATCH 04/29] x86/livepatch: Validate __fentry__ location Peter Zijlstra
2022-02-18 21:08 ` Josh Poimboeuf
2022-02-23 10:09 ` Peter Zijlstra
2022-02-23 10:21 ` Miroslav Benes
2022-02-23 10:57 ` Peter Zijlstra
2022-02-23 12:41 ` Steven Rostedt
2022-02-23 14:05 ` Peter Zijlstra
2022-02-23 14:16 ` Steven Rostedt
2022-02-23 14:23 ` Steven Rostedt
2022-02-23 14:33 ` Steven Rostedt
2022-02-23 14:49 ` Peter Zijlstra
2022-02-23 15:54 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 05/29] x86: Base IBT bits Peter Zijlstra
2022-02-18 20:49 ` Andrew Cooper
2022-02-18 21:11 ` David Laight
2022-02-18 21:24 ` Andrew Cooper
2022-02-18 22:37 ` David Laight
2022-02-18 21:26 ` Peter Zijlstra
2022-02-18 21:14 ` Josh Poimboeuf
2022-02-18 21:21 ` Peter Zijlstra
2022-02-18 22:12 ` Joao Moreira
2022-02-19 1:07 ` Edgecombe, Rick P
2022-02-18 16:49 ` [PATCH 06/29] x86/ibt: Add ANNOTATE_NOENDBR Peter Zijlstra
2022-02-18 16:49 ` [PATCH 07/29] x86/entry: Sprinkle ENDBR dust Peter Zijlstra
2022-02-19 0:23 ` Josh Poimboeuf
2022-02-19 23:08 ` Peter Zijlstra
2022-02-19 0:36 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 08/29] x86/linkage: Add ENDBR to SYM_FUNC_START*() Peter Zijlstra
2022-02-18 16:49 ` [PATCH 09/29] x86/ibt,paravirt: Sprinkle ENDBR Peter Zijlstra
2022-02-18 16:49 ` [PATCH 10/29] x86/bpf: Add ENDBR instructions to prologue Peter Zijlstra
2022-02-18 16:49 ` [PATCH 11/29] x86/ibt,crypto: Add ENDBR for the jump-table entries Peter Zijlstra
2022-02-18 16:49 ` [PATCH 12/29] x86/ibt,kvm: Add ENDBR to fastops Peter Zijlstra
2022-02-18 16:49 ` [PATCH 13/29] x86/ibt,ftrace: Add ENDBR to samples/ftrace Peter Zijlstra
2022-02-18 16:49 ` [PATCH 14/29] x86/ibt: Add IBT feature, MSR and #CP handling Peter Zijlstra
2022-02-18 19:31 ` Andrew Cooper
2022-02-18 21:15 ` Peter Zijlstra [this message]
2022-02-19 1:20 ` Edgecombe, Rick P
2022-02-19 1:21 ` Josh Poimboeuf
2022-02-19 9:24 ` Peter Zijlstra
2022-02-21 8:24 ` Kees Cook
2022-02-22 4:38 ` Edgecombe, Rick P
2022-02-22 9:32 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 15/29] x86: Disable IBT around firmware Peter Zijlstra
2022-02-21 8:27 ` Kees Cook
2022-02-21 10:06 ` Peter Zijlstra
2022-02-21 13:22 ` Peter Zijlstra
2022-02-21 15:54 ` Kees Cook
2022-02-21 16:10 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 16/29] x86/bugs: Disable Retpoline when IBT Peter Zijlstra
2022-02-19 2:15 ` Josh Poimboeuf
2022-02-22 15:00 ` Peter Zijlstra
2022-02-25 0:19 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 17/29] x86/ibt: Annotate text references Peter Zijlstra
2022-02-19 5:22 ` Josh Poimboeuf
2022-02-19 9:39 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 18/29] x86/ibt,ftrace: Annotate ftrace code patching Peter Zijlstra
2022-02-18 16:49 ` [PATCH 19/29] x86/ibt,xen: Annotate away warnings Peter Zijlstra
2022-02-18 20:24 ` Andrew Cooper
2022-02-18 21:05 ` Peter Zijlstra
2022-02-18 23:07 ` Andrew Cooper
2022-02-21 14:20 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 20/29] x86/ibt,sev: Annotations Peter Zijlstra
2022-02-18 16:49 ` [PATCH 21/29] objtool: Rename --duplicate to --lto Peter Zijlstra
2022-02-26 19:42 ` Josh Poimboeuf
2022-02-26 21:48 ` Josh Poimboeuf
2022-02-28 11:05 ` Peter Zijlstra
2022-02-28 18:32 ` Josh Poimboeuf
2022-02-28 20:09 ` Peter Zijlstra
2022-02-28 20:18 ` Josh Poimboeuf
2022-03-01 14:19 ` Miroslav Benes
2022-02-18 16:49 ` [PATCH 22/29] Kbuild: Prepare !CLANG whole module objtool Peter Zijlstra
2022-02-18 16:49 ` [PATCH 23/29] objtool: Read the NOENDBR annotation Peter Zijlstra
2022-02-18 16:49 ` [PATCH 24/29] x86/text-patching: Make text_gen_insn() IBT aware Peter Zijlstra
2022-02-24 1:18 ` Joao Moreira
2022-02-24 9:10 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 25/29] x86/ibt: Dont generate ENDBR in .discard.text Peter Zijlstra
2022-02-18 16:49 ` [PATCH 26/29] objtool: Add IBT validation / fixups Peter Zijlstra
2022-02-18 16:49 ` [PATCH 27/29] x86/ibt: Finish --ibt-fix-direct on module loading Peter Zijlstra
2022-02-18 16:49 ` [PATCH 28/29] x86/ibt: Ensure module init/exit points have references Peter Zijlstra
2022-02-18 16:49 ` [PATCH 29/29] x86/alternative: Use .ibt_endbr_sites to seal indirect calls Peter Zijlstra
2022-02-19 1:29 ` [PATCH 00/29] x86: Kernel IBT Edgecombe, Rick P
2022-02-19 9:58 ` Peter Zijlstra
2022-02-19 16:00 ` Andrew Cooper
2022-02-21 8:42 ` Kees Cook
2022-02-21 9:24 ` Peter Zijlstra
2022-02-23 7:26 ` Kees Cook
2022-02-24 16:47 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhAMZNDJAjB69cEX@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=Andrew.Cooper3@citrix.com \
--cc=alyssa.milburn@intel.com \
--cc=hjl.tools@gmail.com \
--cc=joao@overdrivepizza.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=ndesaulniers@google.com \
--cc=samitolvanen@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox