On Tue, Nov 10, 2020 at 08:21:50AM -0800, Yu-cheng Yu wrote:
> +config X86_CET
> +	def_bool n
> +
> +config ARCH_HAS_SHADOW_STACK
> +	def_bool n
> +
> +config X86_SHADOW_STACK_USER

Is X86_SHADOW_STACK_KERNEL coming too?

Regardless, you can add it when it comes and you can use only X86_CET
for now and drop this one and simplify this pile of Kconfig symbols.

> +	prompt "Intel Shadow Stacks for user-mode"
> +	def_bool n
> +	depends on CPU_SUP_INTEL && X86_64
> +	depends on AS_HAS_SHADOW_STACK
> +	select ARCH_USES_HIGH_VMA_FLAGS
> +	select X86_CET
> +	select ARCH_HAS_SHADOW_STACK
> +	help
> +	  Shadow Stacks provides protection against program stack
> +	  corruption. It's a hardware feature. This only matters
> +	  if you have the right hardware. It's a security hardening
> +	  feature and apps must be enabled to use it. You get no
> +	  protection "for free" on old userspace. The hardware can
> +	  support user and kernel, but this option is for user space
> +	  only.
> +	  Support for this feature is only known to be present on
> +	  processors released in 2020 or later. CET features are also
> +	  known to increase kernel text size by 3.7 KB.

This help text needs some rewriting. You can find inspiration for a
more adequate style in that same Kconfig file.

> +
> +	  If unsure, say N.
> +
>  config EFI
>  	bool "EFI runtime service support"
>  	depends on ACPI
> diff --git a/scripts/as-x86_64-has-shadow-stack.sh b/scripts/as-x86_64-has-shadow-stack.sh
> new file mode 100755
> index 000000000000..fac1d363a1b8
> --- /dev/null
> +++ b/scripts/as-x86_64-has-shadow-stack.sh
> @@ -0,0 +1,4 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0
> +
> +echo "wrussq %rax, (%rbx)" | $* -x assembler -c - 2> /dev/null

otherwise you get

{standard input}: Assembler messages:
{standard input}:1: Error: no such instruction: `wrussq %rax,(%rbx)

on non-enlightened toolchains during build.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
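Review bot: in the X86_SHADOW_STACK_USER entry, `prompt "Intel Shadow Stacks for user-mode"` followed by `def_bool n` is an unusual spelling; the neighbouring `config EFI` entry in the same hunk shows the conventional form, `bool "Intel Shadow Stacks for user-mode"`, which already defaults to n. X86_CET and ARCH_HAS_SHADOW_STACK are both `def_bool n` with no prompt and are only ever set through `select` from this one option, so as written they carry no information beyond X86_SHADOW_STACK_USER itself. The help text should say what the option does for the kernel (enable user-mode shadow stack support for binaries built to use it) instead of "apps must be enabled to use it", and the "right hardware" sentence and the "processors released in 2020 or later" sentence say the same thing twice; the text-size figure belongs in the commit message rather than the help.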
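Review bot: the last line of scripts/as-x86_64-has-shadow-stack.sh expands `$*` unquoted, so a compiler command line containing spaces or shell metacharacters is re-split by the shell before it is executed; `"$@"` preserves the arguments as passed. The probe also has no `-o`, so on an enlightened toolchain `-c -` leaves an object file behind in whatever directory the Kconfig parser runs the script from; `-o /dev/null` avoids that. The same check can be written without a new script using the existing `as-instr` helper in scripts/Kconfig.include, for example `$(as-instr,wrussq %rax$(comma)(%rbx))`, which already quotes the command and discards the output.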