Re: [PATCH v30 01/32] Documentation/x86: Add CET description
From: Dave Hansen <hidden>
Date: 2021-10-05 15:05:44
Also in:
linux-api, linux-arch, linux-mm, lkml
On 8/30/21 11:14 AM, Yu-cheng Yu wrote:
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index bdb22006f713..3bc1a917dfef 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt@@ -3319,6 +3319,13 @@ noexec=on: enable non-executable mappings (default) noexec=off: disable non-executable mappings + no_user_shstk [X86-64] Disable Shadow Stack for user-mode + applications. Disabling shadow stack also disables + IBT. + + no_user_ibt [X86-64] Disable Indirect Branch Tracking for user-mode + applications. + nosmap [X86,PPC] Disable SMAP (Supervisor Mode Access Prevention) even if it is supported by processor.
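Review bot: the no_user_shstk entry states a side effect ("Disabling shadow stack also disables IBT") without saying why, while the no_user_ibt entry says nothing about its effect on shadow stack, so an administrator reading either entry cannot predict the resulting state of both features. Suggest one sentence on the reason for the coupling under no_user_shstk and a matching line under no_user_ibt, e.g. "Shadow stack remains enabled.", so the two entries are symmetric.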
Please add this documentation in the patch that *implements* the command-line options.
+++ b/Documentation/x86/intel_cet.rst@@ -0,0 +1,139 @@ +.. SPDX-License-Identifier: GPL-2.0 + +========================================= +Control-flow Enforcement Technology (CET) +========================================= + +[1] Overview +============ + +Control-flow Enforcement Technology (CET) is an Intel processor feature +that provides protection against return/jump-oriented programming (ROP) +attacks. It can be set up to protect both applications and the kernel. +Only user-mode protection is implemented in the 64-bit kernel, including +shadow stack support for running legacy 32-bit applications. IBT is not +supported for 32-bit applications. + +CET introduces Shadow Stack and Indirect Branch Tracking.
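Review bot: the acronym in "return/jump-oriented programming (ROP)" is wrong for half of the phrase, since jump-oriented programming is JOP, not ROP; write "return-oriented programming (ROP) and jump-oriented programming (JOP)". It would also help the overview to map each mechanism to the attack class it addresses, i.e. Shadow Stack protects return addresses against ROP and Indirect Branch Tracking constrains indirect call/jump targets against JOP, since the last line introduces both features without saying which does what.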
... This is a *bit* confusing now. AMD's manual describes shadow stacks, but does not mention IBT. We should probably consider whether "intel_cet.rst" is the best filename for this.