From: Mathias Krause
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org
Cc: Rick Edgecombe, Peter Zijlstra, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH] x86/shstk: Provide kernel command line knob to disable
Date: Thu, 2 Apr 2026 17:44:05 +0200
Message-ID: <20260402154405.1090935-1-minipli@grsecurity.net>

Provide a kernel command line option 'shstk=off' to disable CET shadow stacks, much like 'ibt=off' can be used to disable CET IBT. With both set to off, it avoids setting CR4.CET on capable hardware to allow debugging related issues during early boot.

Signed-off-by: Mathias Krause
Acked-by: Peter Zijlstra (Intel)
Acked-by: Rick Edgecombe

--- arch/x86/kernel/shstk.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 978232b6d48d..68b46bf1540b 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c
@@ -542,6 +542,15 @@ static int shstk_disable(void) return 0; } =20 +static int __init shstk_configure(char *str) +{ + if (!strcmp(str, "off")) + setup_clear_cpu_cap(X86_FEATURE_SHSTK); + + return 1; +} +__setup("shstk=3D", shstk_configure); + SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size= , unsigned int, flags) { bool set_tok =3D flags & SHADOW_STACK_SET_TOKEN; --=20 2.47.3
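
Review bot: shstk_configure() returns 1 for every input, so any value other than "off" (a typo such as shstk=of, or shstk=on) is consumed silently and shadow stacks stay enabled with nothing in the log to show the option was ignored. Consider a pr_warn() for unrecognized strings so that someone debugging an early-boot issue can tell whether the knob took effect. The diffstat also shows only arch/x86/kernel/shstk.c changing, so the new shstk= parameter gets no entry in Documentation/admin-guide/kernel-parameters.txt; please add one, stating that "off" is the only value handled and that it works by clearing X86_FEATURE_SHSTK.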