From nobody Sun May 24 22:35:49 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2FDFD36AB53 for ; Wed, 20 May 2026 20:25:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779308712; cv=none; b=FZgXE5eJL9znG4CidPZmyOuQXVu75iYrWcgl3yZ0L6PVePQQ/ERWPFJjhB08xp6jK+g6pKyZ8TWNGXmESaxz7yrBgHbobEXyn7DLjE0JCA+x6MeUAByrJjlItwwwPLurkqegeJjjeyktlCy4H3GZh/1fAAjlR6LU+Ez4RHFvBDo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779308712; c=relaxed/simple; bh=iGT8yTKdKIbkL3WRx+RvVnfaAOeMqeUAjJWChWD78T4=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=PrqSWXGAYd4QXF5HRNCe94FdPDO0gDNL75hubEbTlc7VRP/lkw35Oga44iS62Nr73zlIoEM5Mvy6clPpkVMq54kDUVmXHUBiDvUjCfk04OomPkeUYxAzWUAkBEs5Q1McohcRBxqaQ05uU+R94s+WsopIg/xbxQ3654bKBBmzC24= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hgyNGkfs; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hgyNGkfs" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AB4F51F000E9; Wed, 20 May 2026 20:25:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1779308710; bh=8+iO3RvDq8Aeog5oB8S6Fdkuwbb6rX10cllXhSKLvTA=; h=From:To:Cc:Subject:Date; b=hgyNGkfsOrkPKOt4W4Ke993sv8b7VIhQnc4/wOVKTq2GYa0hq1JMydWHq9aXYqInk 4lWgFOnn+MpU1JNoYUvsdmm/ciDpAwnZHFcR3Nz6ks8DgQQ1OsfK04Xb35ElnNtoyV W1ZAigBJoDIgqetys4K09sizH6loW6ZTjuWhaPr4IMSdrpm+qprHuYjFMHEzFsFTqd tECZnzs9ximAtFTs43/k1UMUd88KO3WftMJjM77M0IiR6fWFxnl1sc903d+02kzlsz RukWLrAye4ayeg4DApQpvsSrvnCx+7Xzk7Awz2RMpIlyfco1icX3+qIz3NVb1MZPnG iAVKaECUXfqYg== From: Borislav Petkov To: X86 ML Cc: LKML , "Borislav Petkov (AMD)" Subject: [PATCH] Documentation/arch/x86: Hide clearcpuid= Date: Wed, 20 May 2026 13:25:07 -0700 Message-ID: <20260520202508.160112-1-bp@kernel.org> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Borislav Petkov (AMD)" This option was never meant to be used in production because it solely clears the X86_FEATURE kernel-internal representation of what CPUID bits it has detected and doesn't do any *proper* feature disablement like clearing CR4.CET in the user shadow stack case, for example. So remove its documentation so that it doesn't get used in production and people get silly ideas. It is meant strictly for debugging and if a chicken bit for properly disabling a feature is warranted, then that would need proper enablement. No functional changes. Signed-off-by: Borislav Petkov (AMD) --- .../admin-guide/kernel-parameters.txt | 18 ------------------ Documentation/arch/x86/cpuinfo.rst | 4 ++++ 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 4d0f545fb3ec..97007f4f69d4 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -789,24 +789,6 @@ Kernel parameters cio_ignore=3D [S390] See Documentation/arch/s390/common_io.rst for details. =20 - clearcpuid=3DX[,X...] [X86] - Disable CPUID feature X for the kernel. See - arch/x86/include/asm/cpufeatures.h for the valid bit - numbers X. Note the Linux-specific bits are not necessarily - stable over kernel options, but the vendor-specific - ones should be. - X can also be a string as appearing in the flags: line - in /proc/cpuinfo which does not have the above - instability issue. However, not all features have names - in /proc/cpuinfo. - Note that using this option will taint your kernel. - Also note that user programs calling CPUID directly - or using the feature without checking anything - will still see it. This just prevents it from - being used by the kernel or shown in /proc/cpuinfo. - Also note the kernel might malfunction if you disable - some critical bits. - clk_ignore_unused [CLK] Prevents the clock framework from automatically gating diff --git a/Documentation/arch/x86/cpuinfo.rst b/Documentation/arch/x86/cp= uinfo.rst index 9f2e47c4b1c8..17fce95367e6 100644 --- a/Documentation/arch/x86/cpuinfo.rst +++ b/Documentation/arch/x86/cpuinfo.rst @@ -187,6 +187,10 @@ to disable features using the feature number as define= d in Protection can be disabled using clearcpuid=3D514. The number 514 is calcu= lated from #define X86_FEATURE_UMIP (16*32 + 2). =20 +DO NOT USE this cmdline option in production - it is meant to be used only= as +a quick'n'dirty debugging aid to rule out a feature-enabling code is the +culprit. If you use it, it'll taint the kernel. + In addition, there exists a variety of custom command-line parameters that disable specific features. The list of parameters includes, but is not lim= ited to, nofsgsbase, nosgx, noxsave, etc. 5-level paging can also be disabled u= sing --=20 2.53.0