Date: Mon, 23 Mar 2026 13:58:23 -0000
From: "tip-bot2 for Peter Zijlstra"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/urgent] x86/cpu: Add comment clarifying CRn pinning
Cc: "Peter Zijlstra (Intel)", "Borislav Petkov (AMD)", x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20260320092521.GG3739106@noisy.programming.kicks-ass.net>
References: <20260320092521.GG3739106@noisy.programming.kicks-ass.net>
Message-ID: <177427430338.1647592.3628353467254170252.tip-bot2@tip-bot2>

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     a3e93cac25316aad03bf561e3c205f4ca0b8f452
Gitweb:        https://git.kernel.org/tip/a3e93cac25316aad03bf561e3c205f4ca0b8f452
Author:        Peter Zijlstra
AuthorDate:    Fri, 20 Mar 2026 10:25:21 +01:00
Committer:     Borislav Petkov (AMD)
CommitterDate: Mon, 23 Mar 2026 14:25:53 +01:00

x86/cpu: Add comment clarifying CRn pinning

To avoid future confusion on the purpose and design of the CRn pinning code.

Also note that if the attacker controls page-tables, the CRn bits lose much of
the attraction anyway.

Signed-off-by: Peter Zijlstra (Intel)
Signed-off-by: Borislav Petkov (AMD)
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
--- arch/x86/kernel/cpu/common.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index c57e897..ec06701 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c 
@@ -434,6 +434,19 @@ static __always_inline void setup_lass(struct cpuinfo_= x86 *c) /* These bits should not change their value after CPU init is finished. */ static const unsigned long cr4_pinned_mask =3D X86_CR4_SMEP | X86_CR4_SMAP= | X86_CR4_UMIP | X86_CR4_FSGSBASE | X86_CR4_CET; + +/* + * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction= (s). + * Since you can ROP directly to these instructions (barring shadow stack), + * any protection must follow immediately and unconditionally after that. + * + * Specifically, the CR[04] write functions below will have the value + * validation controlled by the @cr_pinning static_branch which is + * __ro_after_init, just like the cr4_pinned_bits value. + * + * Once set, an attacker will have to defeat page-tables to get around the= se + * restrictions. Which is a much bigger ask than 'simple' ROP. + */ static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning); static unsigned long cr4_pinned_bits __ro_after_init; =20
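Review bot: In the new comment block, "any protection must follow immediately and unconditionally after that" sits directly above "value validation controlled by the @cr_pinning static_branch", and the two read as a contradiction on first pass, since a check gated by a branch is conditional by definition. Suggest stating outright that once the key is enabled it is __ro_after_init, like cr4_pinned_bits, so the validation cannot be switched off again without writing to read-only memory and is effectively unconditional from that point. Two smaller points: "CR[04]" could be spelled "CR0/CR4" so it is not read as an index, and the commit message's remark that the CRn bits lose much of their attraction once the attacker controls page-tables is not carried into the comment, which is where the next reader of common.c will look for it.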