Thread: 34 messages, 2 authors, 2021-10-05

Re: [PATCH v30 01/32] Documentation/x86: Add CET description

From: Dave Hansen <hidden>
Date: 2021-10-05 15:05:44
Also in: linux-api, linux-arch, linux-mm, lkml

On 8/30/21 11:14 AM, Yu-cheng Yu wrote:
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index bdb22006f713..3bc1a917dfef 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3319,6 +3319,13 @@
 			noexec=on: enable non-executable mappings (default)
 			noexec=off: disable non-executable mappings
 
+	no_user_shstk	[X86-64] Disable Shadow Stack for user-mode
+			applications.  Disabling shadow stack also disables
+			IBT.
+
+	no_user_ibt	[X86-64] Disable Indirect Branch Tracking for user-mode
+			applications.
+
 	nosmap		[X86,PPC]
 			Disable SMAP (Supervisor Mode Access Prevention)
 			even if it is supported by processor.
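Review bot: the no_user_shstk entry says that disabling shadow stack also disables IBT, but the no_user_ibt entry does not say whether shadow stack stays enabled when only IBT is disabled; since the dependency is one-way, both entries should state it so an administrator who reads only no_user_ibt is not misled. Neither entry says what the default is; the neighbouring noexec entry marks its default with "(default)", and the same convention here would make the effect of leaving the option out explicit.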
Please add this documentation in the patch that *implements* the
command-line options.

+++ b/Documentation/x86/intel_cet.rst
@@ -0,0 +1,139 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+=========================================
+Control-flow Enforcement Technology (CET)
+=========================================
+
+[1] Overview
+============
+
+Control-flow Enforcement Technology (CET) is an Intel processor feature
+that provides protection against return/jump-oriented programming (ROP)
+attacks.  It can be set up to protect both applications and the kernel.
+Only user-mode protection is implemented in the 64-bit kernel, including
+shadow stack support for running legacy 32-bit applications.  IBT is not
+supported for 32-bit applications.
+
+CET introduces Shadow Stack and Indirect Branch Tracking.
...
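Review bot: in the Overview paragraph, "return/jump-oriented programming (ROP)" attaches one abbreviation to two techniques; ROP is return-oriented programming and jump-oriented programming is conventionally JOP, so the sentence should read "return-oriented programming (ROP) and jump-oriented programming (JOP)" or drop the parenthetical. The sentence "Only user-mode protection is implemented in the 64-bit kernel, including shadow stack support for running legacy 32-bit applications." also reads as though "including" qualifies the kernel rather than the protection; suggest splitting it: the 64-bit kernel implements only user-mode protection, shadow stack is supported for legacy 32-bit applications, and IBT is not.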

This is a *bit* confusing now.  AMD's manual describes shadow stacks,
but does not mention IBT.

We should probably consider whether "intel_cet.rst" is the best filename
for this.