Date: Wed, 13 May 2026 22:51:37 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable
From: Mathias Krause
To: "Edgecombe, Rick P", "Hansen, Dave", "x86@kernel.org", "dave.hansen@linux.intel.com", "peterz@infradead.org", "bp@alien8.de", "mingo@redhat.com", "tglx@kernel.org"
Cc: "linux-kernel@vger.kernel.org", "Gao, Chao", Paolo Bonzini

On 08.05.26 18:35, Edgecombe, Rick P wrote:
> On Fri, 2026-05-08 at 09:23 +0200, Mathias Krause wrote:
>>> Now that KVM uses this feature independently of X86_FEATURE_USER_SHSTK,
>>> it might be good to have the plain HW shstk feature exposed for just normal
>>> runtime user use. (+Chao, for KVM CET)
>>
>> But that sounds more like having the need for an official chicken bit,
>> like I was proposing, no? Using 'clearcpuid=shstk' as a workaround for
>> whatever KVM bugs, similar in spirit to 'nousershstk', but without the
>> kernel taint?
>
> For users to turn off shadow stack for guests? You can do this via the KVM API
> in the normal way you customize guests.

https://git.kernel.org/linus/2d5d3fc593c9b7e41bee86175d7b9e11f470072e

Oh, well....