From: Mathias Krause
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Rick Edgecombe, x86@kernel.org
Cc: Peter Zijlstra, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH v3] x86/cpufeatures: Make X86_FEATURE_SHSTK clearcpuid-able
Date: Thu, 14 May 2026 18:09:32 +0200
Message-ID: <20260514160932.91556-1-minipli@grsecurity.net>

Allow X86_FEATURE_SHST to be disabled through the kernel commandline via 'clearcpuid=shstk' as 'nousershstk' would still enable CR4.CET even if no CET features are in use. This, in combination with disabling IBT as well, e.g. via 'clearcpuid=shstk,ibt' allows to fully disable CR4.CET enabling on capable hardware, which in turn allows debugging CET-related issues during early boot.

Signed-off-by: Mathias Krause
Acked-by: Rick Edgecombe
---
v3:
- switch to clearcpuid-based approach
v2: https://lore.kernel.org/lkml/20260402173606.1096172-1-minipli@grsecurity.net/

arch/x86/include/asm/cpufeatures.h | 2 +- tools/arch/x86/include/asm/cpufeatures.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 1d506e5d6f46..75cc39037df6 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -393,7 +393,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* "ospke" OS Protection Keys Enable= */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUS= E Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* "avx512_vbmi2" Additional A= VX512 Vector Bit Manipulation Instructions */ -#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow stack */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* "shstk" CET Shadow Stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* "gfni" Galois Field New Instructio= ns */ #define X86_FEATURE_VAES (16*32+ 9) /* "vaes" Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* "vpclmulqdq" Carry-Less Mult= iplication Double Quadword */ diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/incl= ude/asm/cpufeatures.h index 86d17b195e79..fcbe633e1f76 100644 --- a/tools/arch/x86/include/asm/cpufeatures.h +++ b/tools/arch/x86/include/asm/cpufeatures.h @@ -393,7 +393,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* "ospke" OS Protection Keys Enable= */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUS= E Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* "avx512_vbmi2" Additional A= VX512 Vector Bit Manipulation Instructions */ -#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow stack */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* "shstk" CET Shadow Stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* "gfni" Galois Field New Instructio= ns */ #define X86_FEATURE_VAES (16*32+ 9) /* "vaes" Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* "vpclmulqdq" Carry-Less Mult= iplication Double Quadword */ --=20 2.47.3
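Review bot: In the arch/x86/include/asm/cpufeatures.h hunk, the X86_FEATURE_SHSTK comment gains a quoted "shstk" name like the neighbouring "ospke", "waitpkg" and "gfni" lines, but the commit message only describes the clearcpuid= effect of that name. If naming the flag also makes it visible by name to userspace alongside the other named flags, that is a user-visible change, and the commit message should state that it is intended. The diffstat also shows only the two header copies changing, so the 'clearcpuid=shstk,ibt' recipe and the point that 'nousershstk' still leaves CR4.CET enabled are recorded nowhere but the commit log; a short addition to the boot parameter documentation would keep that from getting lost.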
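Review bot: The tools/arch/x86/include/asm/cpufeatures.h hunk repeats the X86_FEATURE_SHSTK comment change line for line (same context, same @@ -393,7 +393,7 @@ position), and the commit message does not say why the tools copy is touched. Please add a sentence saying the tools header is updated only to keep the two copies identical, or split it into a separate sync commit if that is how tools/ headers are handled in this tree, so that a revert or backport of the arch change does not leave the copies diverged.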