Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable

Next message: Erhard Furtner: "Re: BUG: KASAN: null-ptr-deref in ar_context_release+0x3c/0x11c [firewire_ohci]"
Previous message: Jacob Keller: "Re: [Intel-wired-lan] [PATCH v4] ice: wait for reset completion in ice_resume()"
In reply to: Dave Hansen: "Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable"
Next in thread: Mathias Krause: "Re: [PATCH v2] x86/shstk: Provide kernel command line knob to disable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edgecombe, Rick P

Date: Wed May 06 2026 - 18:45:57 EST

On Wed, 2026-05-06 at 12:03 -0700, Dave Hansen wrote:
> Is there a reason that clearcpuid=shstk doesn't work in this case? I
> guess shstk and ibt are peers, but I was kinda hoping we'd stop adding
> these for every single CPU feature at _some_ point.

Oh yea, for the reason of "debugging related issues during early boot"
clearcpuid of shstk and ibt should be fine. It taints the kernel, but should be
fine for debugging? If I'm reading this right, the kernel does the clearcpuid
processing before setting up CET bits.

I'm remembering we actually already have a "nousershstk" too, which covers the
"userspace init cet violations break boot" usage.

What that doesn't do though, is clear CR4.CET. With nousershstk, KVM can still
use CET. So that is what is missing. A way to clear CR4.CET without tainting the
kernel when HW supports CET. Do we need it?