From: Mathias Krause
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org
Cc: Rick Edgecombe, Peter Zijlstra, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH v2] x86/shstk: Provide kernel command line knob to disable
Date: Thu, 2 Apr 2026 19:36:05 +0200
Message-ID: <20260402173606.1096172-1-minipli@grsecurity.net>

Provide a kernel command line option 'shstk=off' to disable CET shadow
stacks, much like 'ibt=off' can be used to disable CET IBT. With both
set to off, it avoids setting CR4.CET on capable hardware to allow
debugging related issues during early boot which I happened to have
done way too many times in the recent past.

Document it along with its sibling option 'ibt' in
kernel-parameters.txt to allow others to find it more easily.

Signed-off-by: Mathias Krause
Acked-by: Peter Zijlstra (Intel)
Acked-by: Rick Edgecombe
---
v2:
- pick up Ack's
- document the new option as well as ibt=
- tweak changelog accordingly

 Documentation/admin-guide/kernel-parameters.txt | 14 ++++++++++++++
 arch/x86/kernel/shstk.c                         |  9 +++++++++
 2 files changed, 23 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 03a550630644..43bdf72f6495 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2248,6 +2248,16 @@ Kernel parameters syscalls, essentially overriding IA32_EMULATION_DEFAULT_DISABLED at boot time. When false, unconditionally disables IA32 emulation. =20 + ibt=3D [X86-64] + Format: ibt=3Dwarn, ibt=3Doff + Changes the handling of CET IBT violations in the kernel. + + The 'warn' setting makes CET IBT violations emit a + warning only instead of being fatal while the 'off' + setting completely disables CET IBT for the kernel. + + To fully disable CET, use 'ibt=3Doff shstk=3Doff'. + icn=3D [HW,ISDN] Format: [,[,[,]]] =20 @@ -6924,6 +6934,10 @@ Kernel parameters Specify the MCLK divider for Intel SoundWire buses in case the BIOS does not provide the clock rate properly. =20 + shstk=3Doff [X86-64] Disable CET userspace shadow stack support. + + To fully disable CET, use 'ibt=3Doff shstk=3Doff'. + skew_tick=3D [KNL,EARLY] Offset the periodic timer tick per cpu to mitiga= te xtime_lock contention on larger systems, and/or RCU lock contention on all systems with CONFIG_MAXSMP set. diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 978232b6d48d..68b46bf1540b 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -542,6 +542,15 @@ static int shstk_disable(void) return 0; } =20 +static int __init shstk_configure(char *str) +{ + if (!strcmp(str, "off")) + setup_clear_cpu_cap(X86_FEATURE_SHSTK); + + return 1; +} +__setup("shstk=3D", shstk_configure); + SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size= , unsigned int, flags) { bool set_tok =3D flags & SHADOW_STACK_SET_TOKEN; --=20 2.47.3
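
Review bot: In the first kernel-parameters.txt hunk (the new ibt= entry), the Format line repeats the parameter name for each value ("Format: ibt=warn, ibt=off") and the entry never states the behaviour when the option is absent. Suggest listing only the accepted values on the Format line and saying explicitly that a CET IBT violation is fatal by default, which the text currently only implies through "instead of being fatal".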
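
Review bot: In the second kernel-parameters.txt hunk, the entry is documented as the fixed string "shstk=off", while the sibling entry added by the same patch is documented as "ibt=" with a Format line, and the handler in shstk.c is registered for the "shstk=" prefix. Suggest documenting it as "shstk=" with a Format line for consistency. The description also says only "Disable CET userspace shadow stack support", whereas the changelog motivates the knob with not setting CR4.CET during early boot; one sentence connecting the two would tell an admin why "ibt=off shstk=off" is the combination to use.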
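
Review bot: In shstk_configure() in the arch/x86/kernel/shstk.c hunk, any value other than "off" falls through to "return 1", so a mistyped value such as "shstk=of" is consumed silently and shadow stacks stay enabled with nothing in the log to show the option was ignored. Suggest an else branch that emits a pr_warn() naming the unrecognised value, so that someone debugging an early-boot problem can confirm from dmesg whether the knob took effect. A short comment above the function stating that "off" is the only accepted value would also help.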