On 06/07/2018 07:35 AM, Yu-cheng Yu wrote: > Explain how CET works and the noshstk/noibt kernel parameters. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> > --- > Documentation/admin-guide/kernel-parameters.txt | 6 + > Documentation/x86/intel_cet.txt | 161 ++++++++++++++++++++++++ > 2 files changed, 167 insertions(+) > create mode 100644 Documentation/x86/intel_cet.txt > > diff --git a/Documentation/x86/intel_cet.txt b/Documentation/x86/intel_cet.txt > new file mode 100644 > index 000000000000..1b902a6c49f4 > --- /dev/null > +++ b/Documentation/x86/intel_cet.txt > @@ -0,0 +1,161 @@ > +----------------------------------------- > +Control Flow Enforcement Technology (CET) > +----------------------------------------- > + > +[1] Overview > + > +Control Flow Enforcement Technology (CET) provides protection against > +return/jump-oriented programing (ROP) attacks. It can be implemented to programming > +protect both the kernel and applications. In the first phase, only the > +user-mode protection is implemented for the 64-bit kernel. Thirty-two bit > +applications are supported under the compatibility mode. > + > +CET includes shadow stack (SHSTK) and indirect branch tracking (IBT) and > +they are enabled from two kernel configuration options: > + > + INTEL_X86_SHADOW_STACK_USER, and no comma. > + INTEL_X86_BRANCH_TRACKING_USER. > + > +There are two command-line options for disabling CET features: > + > + noshstk - disables shadow stack, and > + noibt - disables indirect branch tracking. > + > +At run time, /proc/cpuinfo shows the availability of SHSTK and IBT. > + [snip] thanks, -- ~Randy
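Review bot: in the Overview, "return/jump-oriented programing (ROP)" attaches one acronym to two distinct techniques; ROP names only the return-based variant, so write "return-oriented programming (ROP) and jump-oriented programming (JOP)" and, since SHSTK and IBT are introduced in the very next paragraph, say which of the two features addresses which class of attack. The configuration paragraph should likewise name the mapping explicitly rather than leaving it to the option names, e.g. "INTEL_X86_SHADOW_STACK_USER enables SHSTK and INTEL_X86_BRANCH_TRACKING_USER enables IBT". Finally, the sentence "At run time, /proc/cpuinfo shows the availability of SHSTK and IBT" should state whether those flags reflect hardware support only or are also cleared when noshstk or noibt is passed, because an administrator who wants to confirm that the parameter took effect needs to know which of the two it is.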