RE: [PATCH] x86/fpu: Disable shstk if no CET_USER state

From: Kaplan, David

Date: Tue Apr 07 2026 - 17:31:41 EST


> -----Original Message-----
> From: Sean Christopherson <seanjc@xxxxxxxxxx>
> Sent: Monday, April 6, 2026 10:32 AM
> To: Kaplan, David <David.Kaplan@xxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxx>; Ingo Molnar <mingo@xxxxxxxxxx>;
> Borislav Petkov <bp@xxxxxxxxx>; Dave Hansen
> <dave.hansen@xxxxxxxxxxxxxxx>; x86@xxxxxxxxxx; H. Peter Anvin
> <hpa@xxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] x86/fpu: Disable shstk if no CET_USER state
>
>
> On Mon, Apr 06, 2026, David Kaplan wrote:
> > > From: Sean Christopherson <seanjc@xxxxxxxxxx>
> > > On Fri, Apr 03, 2026, David Kaplan wrote:
> > > > > From: Kaplan, David
> > > > > > > ---
> > > > > > > arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
> > > > > > > 1 file changed, 11 insertions(+)
> > > > > > >
> > > > > > > diff --git a/arch/x86/kernel/fpu/xstate.c
> > > b/arch/x86/kernel/fpu/xstate.c
> > > > > > > index 76153dfb58c9..188323442b4d 100644
> > > > > > > --- a/arch/x86/kernel/fpu/xstate.c
> > > > > > > +++ b/arch/x86/kernel/fpu/xstate.c
> > > > > > > @@ -855,6 +855,17 @@ void __init
> fpu__init_system_xstate(unsigned
> > > int
> > > > > > legacy_size)
> > > > > > > goto out_disable;
> > > > > > > }
> > > > > > >
> > > > > > > + if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
> > > > > > > + !(fpu_kernel_cfg.max_features &
> XFEATURE_MASK_CET_USER)) {
> > > > > > > + /*
> > > > > > > + * The kernel relies on XSAVES/XRSTORS to context switch
> > > shadow
> > > > > > > + * stack state. If this isn't present, disable user shadow
> > > > > > > + * stacks.
> > > > > > > + */
> > > > > > > + pr_err("x86/fpu: CET_USER not supported in xstate when
> CET is
> > > > > > supported. Disabling shadow stacks.\n");
> > > > > > > + setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
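Review bot: In the pr_err() text of the added block, the message says "when CET is supported", but the condition tests only X86_FEATURE_USER_SHSTK against XFEATURE_MASK_CET_USER, so wording the message around user shadow stacks would make the log line match the check that fired. The literal "x86/fpu:" prefix would be printed twice if this file already sets a pr_fmt prefix, which is not visible in this hunk and is worth checking. The block comment could also state why the test sits at this point in fpu__init_system_xstate(), since it is only meaningful once fpu_kernel_cfg.max_features holds its final value.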
> > > > > >
> > > > > > > Doesn't this apply to IBT as well? This code is also misplaced, as it needs to
> > > > > > > live after at least this code:
> > > > >
> > > > > > Good point, it likely does. I can't confirm that as I don't have IBT hardware,
> > > > > > but assuming that a guest can see CET_IBT=1 this same problem would exist.
> > > >
> > > > > Actually, I don't think this does apply to IBT as well. Per
> > > > > Documentation/arch/x86/shstk.rst, only kernel IBT is currently supported by
> > > > > Linux. And kernel IBT does not require either CET_USER or CET_KERNEL XSS
> > > > > support from what I see. (CET_KERNEL is only for the shadow stack related
> > > > > MSRs)
> > >
> > > > KVM virtualizes IBT and SHSTK, for both user and kernel, and relies on the host
> > > > kernel to save/restore IA32_U_CET.
> >
> > > I think you're talking about a nested virt scenario, is that right?
>
> FWIW, this isn't limited to running in a VM. Booting on bare metal with
> e.g. noxsaves=1 would lead to the same problematic scenario.
>

Btw, this does not appear to be a problem. X86_FEATURE_SHSTK is marked as dependent on X86_FEATURE_XSAVES so booting with noxsaves seems to work fine.

--David Kaplan