RE: [PATCH] x86/fpu: Disable shstk if no CET_USER state
From: Kaplan, David
Date: Fri Apr 03 2026 - 16:10:37 EST
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Kaplan, David
> Sent: Friday, April 3, 2026 2:53 PM
> To: 'Sean Christopherson' <seanjc@xxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxx>; Ingo Molnar <mingo@xxxxxxxxxx>;
> Borislav Petkov <bp@xxxxxxxxx>; Dave Hansen
> <dave.hansen@xxxxxxxxxxxxxxx>; x86@xxxxxxxxxx; H. Peter Anvin
> <hpa@xxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx
> Subject: RE: [PATCH] x86/fpu: Disable shstk if no CET_USER state
>
>
>
> > > ---
> > > arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
> > > 1 file changed, 11 insertions(+)
> > >
> > > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> > > index 76153dfb58c9..188323442b4d 100644
> > > --- a/arch/x86/kernel/fpu/xstate.c
> > > +++ b/arch/x86/kernel/fpu/xstate.c
> > > @@ -855,6 +855,17 @@ void __init fpu__init_system_xstate(unsigned int
> > legacy_size)
> > > goto out_disable;
> > > }
> > >
> > > + if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
> > > + !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
> > > + /*
> > > + * The kernel relies on XSAVES/XRSTORS to context switch shadow
> > > + * stack state. If this isn't present, disable user shadow
> > > + * stacks.
> > > + */
> > > + pr_err("x86/fpu: CET_USER not supported in xstate when CET is
> > supported. Disabling shadow stacks.\n");
> > > + setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
> >
> > Doesn't this apply to IBT as well? This code is also misplaced, as it needs to
> > live after at least this code:
>
> Good point, it likely does. I can't confirm that as I don't have IBT hardware,
> but assuming that a guest can see CET_IBT=1 this same problem would exist.
>
>
Actually, I don't think this does apply to IBT as well. Per Documentation/arch/x86/shstk.rst, only kernel IBT is currently supported by Linux. And kernel IBT does not require either CET_USER or CET_KERNEL XSS support from what I see. (CET_KERNEL is only for the shadow stack related MSRs)
--David Kaplan