Re: [PATCH v2] x86/fpu: Disable shstk if no CET_USER state
From: Borislav Petkov
Date: Tue May 05 2026 - 11:15:01 EST

On Tue, May 05, 2026 at 04:05:58PM +0200, Borislav Petkov wrote:
> Frankly, I'd like to not do anything here. If the HV is misconfigured, then it
> crashing and burning as early as possible is better than us going out of our
> way to try to fix up things...

I guess we can do this (after talking to tglx):

	pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported. Disabling shadow stacks.\n");
	setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
	add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);

the firmware workaround thing is to mean, *something* - HV or fw or whatever
- has made this nonsensical configuration so we taint.

When more "smart" configurations appear, we can do something like what
validate*xstate*() does to do some more checking.

And looking at the other checks in that code there in
fpu__init_system_xstate() why aren't we simply disabling XSAVE like we do for
XFEATURE_MASK_FPSSE and XFEATURE_MASK_APX + XFEATURE_MASK_BND* ?

This case looks exactly like those...

--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
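
The following is an added example, not part of the original message and not kernel code: a userspace check for the inconsistent enumeration discussed above, where CPUID advertises shadow stacks but the CET_USER supervisor state component is missing from the XSAVE enumeration. The names classify_cet and cet_verdict are made up for this example; it assumes the condition can be read from CPUID.(EAX=7,ECX=0):ECX[7] and CPUID.(EAX=0xD,ECX=1):ECX[11], and it does not show what the running kernel decided.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID7_ECX_SHSTK (1u << 7)   /* CPUID.(EAX=7,ECX=0):ECX[7]: CET shadow stack */
#define XSS_CET_USER     (1u << 11)  /* CPUID.(EAX=0xD,ECX=1):ECX[11]: CET_U state */

enum cet_verdict { CET_ABSENT, CET_CONSISTENT, CET_NO_USER_XSTATE };

/* Pure decision on raw register values so it can be fed constructed input. */
enum cet_verdict classify_cet(uint32_t leaf7_ecx, uint32_t leafd1_ecx)
{
	if (!(leaf7_ecx & CPUID7_ECX_SHSTK))
		return CET_ABSENT;          /* no shadow stacks, nothing to check */
	if (!(leafd1_ecx & XSS_CET_USER))
		return CET_NO_USER_XSTATE;  /* the nonsensical configuration */
	return CET_CONSISTENT;
}

int main(void)
{
	static const char *const msg[] = {
		[CET_ABSENT]         = "shadow stacks not enumerated",
		[CET_CONSISTENT]     = "shadow stacks and CET_USER xstate both enumerated",
		[CET_NO_USER_XSTATE] = "shadow stacks enumerated WITHOUT CET_USER xstate",
	};
#if defined(__x86_64__) || defined(__i386__)
	unsigned int a, b, c, d, leaf7_ecx, xss_lo = 0;

	if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) {
		puts("CPUID leaf 7 not available");
		return 0;
	}
	leaf7_ecx = c;
	/* Subleaf 1 of leaf 0xD: ECX holds the low 32 supported IA32_XSS bits. */
	if (__get_cpuid_count(0xd, 1, &a, &b, &c, &d))
		xss_lo = c;
	printf("leaf7.ecx=%#x leafD.1.ecx=%#x: %s\n", leaf7_ecx, xss_lo,
	       msg[classify_cet(leaf7_ecx, xss_lo)]);
#else
	printf("not an x86 build; constructed input: %s\n",
	       msg[classify_cet(CPUID7_ECX_SHSTK, 0)]);
#endif
	return 0;
}
```

Run inside a guest, the third verdict points at the hypervisor's CPUID policy rather than at the guest kernel.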