Re: [PATCH v2 1/2] x86/cpu: Disable CR pinning during CPU bringup

[Nikunj A. Dadhania]

On 3/12/2026 11:39 PM, Sohil Mehta wrote:
> On 3/12/2026 7:08 AM, Nikunj A. Dadhania wrote:
> 
>>   1) Universally set X86_CR4_FSGSBASE in cr4_init() and call cr4_init()
>>      from trap_init() on the boot CPU
> 
> 
> cr4_init() seems like the wrong place to do this. I don't think this a
> primarily a CR4 issue. Deferring CR4 pinning maybe have uncovered the
> FSGSBASE issue.
> 
> But, essentially the difference lies in when we enable exception
> handling related features on the BSP vs APs. It involves setting a few
> other things than CR4 programming.
> 
> See:
> 
> /*
>  * Setup everything needed to handle exceptions from the IDT, including
> the IST
>  * exceptions which use paranoid_entry().
>  */
> void cpu_init_exception_handling(bool boot_cpu)
> 
> IIUC, anything that is needed to handle exceptions should be initialized
> here. As FSGSBASE is used in the paranoid_entry() code, should its
> enabling be moved to cpu_init_exception_handling()?

Good idea, thanks!

For the boot CPU, FRED is enabled via cpu_init_replace_early_idt(), and
cpu_init_exception_handling() is called later (before alternative patching).
FSGSBASE can be safely enabled in cpu_init_exception_handling():

start_kernel()
  setup_arch()
   cpu_init_replace_early_idt()
     cpu_init_fred_exceptions()             <-- FRED enabled here
  ...
  trap_init()
    cpu_init_exception_handling(true)
      cr4_set_bits(X86_CR4_FSGSBASE);       <-- Enable FSGSBASE here
  ...
  arch_cpu_finalize_init()
    ...
    alternative_instructions()              <- Patches code to use RDGSBASE/WRGSBASE

For secondary CPUs, FSGSBASE can be safely enabled before any exceptions
occur, and FRED is enabled immediately after:

  start_secondary()
    cr4_init()                              <- Code already patched, CR4.FSGSBASE=0
    cpu_init_exception_handling(false)
      cr4_set_bits(X86_CR4_FSGSBASE);       <-- Enable FSGSBASE here
      if (!boot_cpu)
        cpu_init_fred_exceptions();         <-- FRED enabled here for secondary CPU
    ...
    cpu_init()


diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 1c3261cae40c..bd35e98d648d 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -2047,12 +2047,6 @@ static void identify_cpu(struct cpuinfo_x86 *c)
 	setup_umip(c);
 	setup_lass(c);
 
-	/* Enable FSGSBASE instructions if available. */
-	if (cpu_has(c, X86_FEATURE_FSGSBASE)) {
-		cr4_set_bits(X86_CR4_FSGSBASE);
-		elf_hwcap2 |= HWCAP2_FSGSBASE;
-	}
-
 	/*
 	 * The vendor-specific functions might have changed features.
 	 * Now we do "generic changes."
@@ -2413,6 +2407,16 @@ void cpu_init_exception_handling(bool boot_cpu)
 	/* GHCB needs to be setup to handle #VC. */
 	setup_ghcb();
 
+	/*
+	 * CPUs that support FSGSBASE may use RDGSBASE/WRGSBASE in
+	 * paranoid_entry(). Enable the feature before any exceptions
+	 * occur.
+	 */
+	if (cpu_feature_enabled(X86_FEATURE_FSGSBASE)) {
+		cr4_set_bits(X86_CR4_FSGSBASE);
+		elf_hwcap2 |= HWCAP2_FSGSBASE;
+	}
+
 	if (cpu_feature_enabled(X86_FEATURE_FRED)) {
 		/* The boot CPU has enabled FRED during early boot */
 		if (!boot_cpu)

Regards,
Nikunj