On Thu, 2018-08-30 at 22:39 +0200, Pavel Machek wrote: > Hi! > > > > > diff --git a/Documentation/admin-guide/kernel-parameters.txt > > b/Documentation/admin-guide/kernel-parameters.txt > > index 9871e649ffef..b090787188b4 100644 > > --- a/Documentation/admin-guide/kernel-parameters.txt > > +++ b/Documentation/admin-guide/kernel-parameters.txt > > @@ -2764,6 +2764,12 @@ > > noexec=on: enable non-executable mappings > > (default) > > noexec=off: disable non-executable > > mappings > > > > + no_cet_ibt [X86-64] Disable indirect branch > > tracking for user-mode > > + applications > > + > > + no_cet_shstk [X86-64] Disable shadow stack support > > for user-mode > > + applications > Hmm, not too consistent with "nosmap" below. Would it make sense to > have cet=on/off/ibt/shstk instead? > > > > > +++ b/Documentation/x86/intel_cet.rst > > @@ -0,0 +1,252 @@ > > +========================================= > > +Control Flow Enforcement Technology (CET) > > +========================================= > > + > > +[1] Overview > > +============ > > + > > +Control Flow Enforcement Technology (CET) provides protection > > against > > +return/jump-oriented programing (ROP) attacks. > Can you add something like "It attempts to protect process from > running arbitrary code even after attacker has control of its stack" > -- for people that don't know what ROP is, and perhaps link to > wikipedia explaining ROP or something... > > > > > It can be implemented > > +to protect both the kernel and applications. In the first phase, > > +only the user-mode protection is implemented for the 64-bit > > kernel. > > +Thirty-two bit applications are supported under the compatibility > 32-bit (for consistency). > > Ok, so CET stops execution of malicious code before architectural > effects are visible, correct? Does it prevent micro-architectural > effects of the malicious code? (cache content would be one example; > see Spectre). > > > > > +[3] Application Enabling > > +======================== > "Enabling CET in applications" ? > > > > > +Signal > > +------ > > + > > +The main program and its signal handlers use the same > > SHSTK. Because > > +the SHSTK stores only return addresses, we can estimate a large > > +enough SHSTK to cover the condition that both the program stack > > and > > +the sigaltstack run out. > English? Is it estimate or is it large enough? "a large" -- "a" > should > be deleted AFAICT. > I will work on these, thanks!
