Re: [PATCH v20 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection
From: Yu, Yu-cheng
Date: Wed Feb 10 2021 - 14:43:06 EST
On 2/10/2021 11:33 AM, Kees Cook wrote:
On Wed, Feb 10, 2021 at 09:56:40AM -0800, Yu-cheng Yu wrote:
Shadow Stack provides protection against function return address
corruption. It is active when the processor supports it, the kernel has
CONFIG_X86_CET enabled, and the application is built for the feature.
This is only implemented for the 64-bit kernel. When it is enabled, legacy
non-Shadow Stack applications continue to work, but without protection.
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
---
arch/x86/Kconfig | 23 +++++++++++++++++++++++
arch/x86/Kconfig.assembler | 5 +++++
2 files changed, 28 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 21f851179ff0..1138b5fa9b4f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -28,6 +28,7 @@ config X86_64
select ARCH_HAS_GIGANTIC_PAGE
select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
select ARCH_USE_CMPXCHG_LOCKREF
+ select ARCH_HAS_SHADOW_STACK
select HAVE_ARCH_SOFT_DIRTY
select MODULES_USE_ELF_RELA
select NEED_DMA_MAP_STATE
@@ -1951,6 +1952,28 @@ config X86_SGX
If unsure, say N.
+config ARCH_HAS_SHADOW_STACK
+ def_bool n
+
+config X86_CET
+ prompt "Intel Control-flow protection for user-mode"
+ def_bool n
+ depends on X86_64
This depends isn't needed any more. With that fixed:
Yes, that's right. I will remove it.
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Thanks!
--
Yu-cheng