From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 329893C0607 for ; Fri, 15 May 2026 16:20:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778862053; cv=none; b=NP4+bAccG5mF7Ysqg0yTedky6smyElaGiPG9ShaBb/aAlAi7me5AVq3xdJ69/WjdztKxBWFR97f+DviNp3/fwD2Wc/MHOVIceDNpz19mSj+wFN1dwx/x0k0Yw1B7JsyPPxs6HM9RDcakRtYyV22yBR82loZf1gNgWbvVau+Uex8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778862053; c=relaxed/simple; bh=aAcB0lQSdvTNWyX7eUvtuIDfMgcykXuvvKVRjuKxmxU=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=kC4fl+YZ7msrlGJkgoS+ExrwVI5bLihZD2CUncjwkZrvB3XBq5hvV5CG6lsoX1dcju17gqx32kGOAdcU/mDTdNd5/1NyxNRpCevois2NoU0e327+0cH2eDL3NLjYiw1YLfZtkZilW2otqC9eOdd5H6RZxLUL8sqkrKXcY8kKG70= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=grsecurity.net; spf=pass smtp.mailfrom=opensrcsec.com; dkim=pass (2048-bit key) header.d=grsecurity.net header.i=@grsecurity.net header.b=OTuc2P2g; arc=none smtp.client-ip=209.85.208.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=grsecurity.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=opensrcsec.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=grsecurity.net header.i=@grsecurity.net header.b="OTuc2P2g" Received: by mail-ed1-f50.google.com with SMTP id 4fb4d7f45d1cf-67c9616b4feso14031755a12.1 for ; Fri, 15 May 2026 09:20:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=grsecurity.net; s=grsec; t=1778862050; x=1779466850; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=4fZwCzxNT36Enn9K5A02eopXyX8cRh+r1IG1rf3wWcU=; b=OTuc2P2gigchMQjcYsoV5QVQTz2CsXbJ1pWxEeTAsVBxdCUUlZEhQwLfo0R7EkUssi 2hgYaVzmTevnWsbvpdHiYcLWxwvlS7sj3oc6wdL7+KceOAlXRa1UONE0ameFBB7c1rjg pu6pACKxdCtDUaB/CzryT/uW7GoRqojffImeaAZRPeeaK/MJMZKaqRWrzRINJ7eqA6Ac GSGd5v6bhrJDsXawgVQK1H3uX8OsA1isRg0ac056RG1ZnaBut34l0xSs5CqphkE+xJtZ VDmL809SzFpT41U8vqupyH7xc7f5bgUsQAENRWPObJi5+ToEOqVK3rm6Z6YnFyMtXVXU eqPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778862050; x=1779466850; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=4fZwCzxNT36Enn9K5A02eopXyX8cRh+r1IG1rf3wWcU=; b=YjkqBigF3m4Jg2C5GngJFU7HApf+d7wOfO5PKIEFZN+6ON7YN3LjFFKp3WhpVIRdkJ q8XOT++NmAn4H0PaVLHPoJH3wOtqYbMIzYLi8jM193AVec5W/yRyI2GaEhkxa9ZaAlyB uccB+lfj1zbSqqPbG3/BDC2sYAqhiC9Fzt60Z0EwwuhBqGMbjiZ0N5mdjOz/ugkpcr5U 55Uo/fUWGvaE+4ErcJ0SJodt0zrYWLxALmnXWbz5EucGEEQUe0c0crFjtJKVLNol/DP8 IG3O7DZlvJ/SHZorYc1BFixF0rbnRgnA3ZZpqWZtlRPxB2g7GoJ4Q0vJ6g2MZQSI2jsz OsGA== X-Forwarded-Encrypted: i=1; AFNElJ/NS0ab5Q8z4kgeQ+GgtwB5oOq+A7cK9WUk8wQoDw3ty+Gjo6A8ss4FHPnQFi4xpUsjSyzYM88mrdf+3WI=@vger.kernel.org X-Gm-Message-State: AOJu0YwrUH1GoLzxEKG7W9NsNRf3Xjo8wJanafxoGyh/WHK+/4yk3ywY SN0kd4yVmJokPeQu+rwbooy66ET4Xip0gfXmNbJeWdws3kx1inkirIoDXvsXHac6bC4= X-Gm-Gg: Acq92OHMAYfg1wdRKImcwM+aiflsfDQYrSkZ5uuoSWW0X0h2iNCOJj0pzkzvf+4T5OY QBPVeXx/aV8QL9sv7fmIeOvBCbF8EA9qAFuaCBO0amXumdPcBgjidfVVG8oTPcFKQhAKvFif7NV ZdnHd2C3PkZ2iQnSu7U9cFc3hBp3DS9LhqX0EnHKsLEmTqfE0+bcKVVuLn67z1ptA4RfNnonVLX 7YUa1Wwu9MoyxzIqPd3WvYNyv1Nn0ajAUy9XEDd8QTWp4jpTHU+Jn40Gcgnh8j2TJm/kziVjBls opHIGq9saFpT5AX3Ofl3ipd9CU2v70zi2u2K0F2KJJS0PrYFHDcXMOAUmrUzD34VTE8Om8K2TeM LcDHdvvG5hup07QpcsDfaheycqppglkzhsFVo2FuzOCMBrdIwb4+NHuJkW5qZZ7pj9+JE27Fg7U 1yJiA91/D0ZUdFmkjdRkJEpxICroWvaqMMiNgo1X5psI48Om0haBVzNQM= X-Received: by 2002:a17:907:3e21:b0:bd4:f2c1:f2c3 with SMTP id a640c23a62f3a-bd5177b206cmr239078166b.6.1778862047617; Fri, 15 May 2026 09:20:47 -0700 (PDT) Received: from [192.168.75.77] ([151.189.190.156]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-bd4f4bd0992sm244452166b.13.2026.05.15.09.20.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 15 May 2026 09:20:47 -0700 (PDT) Message-ID: Date: Fri, 15 May 2026 18:20:46 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3] x86/cpufeatures: Make X86_FEATURE_SHSTK clearcpuid-able To: Borislav Petkov , "Edgecombe, Rick P" Cc: "peterz@infradead.org" , "mingo@redhat.com" , "tglx@kernel.org" , "linux-kernel@vger.kernel.org" , "dave.hansen@linux.intel.com" , "x86@kernel.org" References: <20260514160932.91556-1-minipli@grsecurity.net> <20260514165922.GGagX_amNCc0mZcz4d@fat_crate.local> <8380b063f933ac3b909b6a5c9adfa03a116da1f7.camel@intel.com> <20260514171256.GHagYCmFMsc1FYZ57B@fat_crate.local> <20260514223846.GJagZO9l17Aj0ZnI-K@fat_crate.local> Content-Language: en-US, de-DE From: Mathias Krause Autocrypt: addr=minipli@grsecurity.net; keydata= xsDNBF4u6F8BDAC1kCIyATzlCiDBMrbHoxLywJSUJT9pTbH9MIQIUW8K1m2Ney7a0MTKWQXp 64/YTQNzekOmta1eZFQ3jqv+iSzfPR/xrDrOKSPrw710nVLC8WL993DrCfG9tm4z3faBPHjp zfXBIOuVxObXqhFGvH12vUAAgbPvCp9wwynS1QD6RNUNjnnAxh3SNMxLJbMofyyq5bWK/FVX 897HLrg9bs12d9b48DkzAQYxcRUNfL9VZlKq1fRbMY9jAhXTV6lcgKxGEJAVqXqOxN8DgZdU aj7sMH8GKf3zqYLDvndTDgqqmQe/RF/hAYO+pg7yY1UXpXRlVWcWP7swp8OnfwcJ+PiuNc7E gyK2QEY3z5luqFfyQ7308bsawvQcFjiwg+0aPgWawJ422WG8bILV5ylC8y6xqYUeSKv/KTM1 4zq2vq3Wow63Cd/qyWo6S4IVaEdfdGKVkUFn6FihJD/GxnDJkYJThwBYJpFAqJLj7FtDEiFz LXAkv0VBedKwHeBaOAVH6QEAEQEAAc0nTWF0aGlhcyBLcmF1c2UgPG1pbmlwbGlAZ3JzZWN1 cml0eS5uZXQ+wsERBBMBCgA7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEd7J359B9 wKgGsB94J4hPxYYBGYYFAmBbH/cCGQEACgkQJ4hPxYYBGYaX/gv/WYhaehD88XjpEO+yC6x7 bNWQbk7ea+m82fU2x/x6A9L4DN/BXIxqlONzk3ehvW3wt1hcHeF43q1M/z6IthtxSRi059RO SarzX3xfXC1pc5YMgCozgE0VRkxH4KXcijLyFFjanXe0HzlnmpIJB6zTT2jgI70q0FvbRpgc rs3VKSFb+yud17KSSN/ir1W2LZPK6er6actK03L92A+jaw+F8fJ9kJZfhWDbXNtEE0+94bMa cdDWTaZfy6XJviO3ymVe3vBnSDakVE0HwLyIKvfAEok+YzuSYm1Nbd2T0UxgSUZHYlrUUH0y tVxjEFyA+iJRSdm0rbAvzpwau5FOgxRQDa9GXH6ie6/ke2EuZc3STNS6EBciJm1qJ7xb2DTf SNyOiWdvop+eQZoznJJte931pxkRaGwV+JXDM10jGTfyV7KT9751xdn6b6QjQANTgNnGP3qs TO5oU3KukRHgDcivzp6CWb0X/WtKy0Y/54bTJvI0e5KsAz/0iwH19IB0vpYLzsDNBF4u6F8B DADwcu4TPgD5aRHLuyGtNUdhP9fqhXxUBA7MMeQIY1kLYshkleBpuOpgTO/ikkQiFdg13yIv q69q/feicsjaveIEe7hUI9lbWcB9HKgVXW3SCLXBMjhCGCNLsWQsw26gRxDy62UXRCTCT3iR qHP82dxPdNwXuOFG7IzoGBMm3vZbBeKn0pYYWz2MbTeyRHn+ZubNHqM0cv5gh0FWsQxrg1ss pnhcd+qgoynfuWAhrPD2YtNB7s1Vyfk3OzmL7DkSDI4+SzS56cnl9Q4mmnsVh9eyae74pv5w kJXy3grazD1lLp+Fq60Iilc09FtWKOg/2JlGD6ZreSnECLrawMPTnHQZEIBHx/VLsoyCFMmO 5P6gU0a9sQWG3F2MLwjnQ5yDPS4IRvLB0aCu+zRfx6mz1zYbcVToVxQqWsz2HTqlP2ZE5cdy BGrQZUkKkNH7oQYXAQyZh42WJo6UFesaRAPc3KCOCFAsDXz19cc9l6uvHnSo/OAazf/RKtTE 0xGB6mQN34UAEQEAAcLA9gQYAQoAIAIbDBYhBHeyd+fQfcCoBrAfeCeIT8WGARmGBQJeORkW AAoJECeIT8WGARmGXtgL/jM4NXaPxaIptPG6XnVWxhAocjk4GyoUx14nhqxHmFi84DmHUpMz 8P0AEACQ8eJb3MwfkGIiauoBLGMX2NroXcBQTi8gwT/4u4Gsmtv6P27Isn0hrY7hu7AfgvnK owfBV796EQo4i26ZgfSPng6w7hzCR+6V2ypdzdW8xXZlvA1D+gLHr1VGFA/ZCXvVcN1lQvIo S9yXo17bgy+/Xxi2YZGXf9AZ9C+g/EvPgmKrUPuKi7ATNqloBaN7S2UBJH6nhv618bsPgPqR SV11brVF8s5yMiG67WsogYl/gC2XCj5qDVjQhs1uGgSc9LLVdiKHaTMuft5gSR9hS5sMb/cL zz3lozuC5nsm1nIbY62mR25Kikx7N6uL7TAZQWazURzVRe1xq2MqcF+18JTDdjzn53PEbg7L VeNDGqQ5lJk+rATW2VAy8zasP2/aqCPmSjlCogC6vgCot9mj+lmMkRUxspxCHDEms13K41tH RzDVkdgPJkL/NFTKZHo5foFXNi89kA== In-Reply-To: <20260514223846.GJagZO9l17Aj0ZnI-K@fat_crate.local> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 5/15/26 00:38, Borislav Petkov wrote: > If you want to disable things, then you need to disable them properly. Like > turn off CR4 bits in this case or disable dependent features in other cases. > Or whatever else is needed. > > Whatever you do, it needs to have a use case and be properly done. > > clearcpuid= is simply shooting down X86_FEATURE flags. Not really well thought > out but a wholesale quick'n'dirty method of toggling feature bits (yah, > there's the setcpuid= counterpart too). And that's why it should not really > exist but that ship has sailed... > So a "nocet" for that very use case of disabling CR4.CET, which would simply disable X86_FEATURE_IBT and X86_FEATURE_SHSTK? Thanks, Mathias