On Wed, 2020-02-26 at 09:03 -0800, Dave Hansen wrote: > On 2/5/20 10:19 AM, Yu-cheng Yu wrote: > > Introduce Kconfig option: X86_INTEL_SHADOW_STACK_USER. > > > > Shadow Stack (SHSTK) provides protection against function return address > > corruption. It is active when the kernel has this feature enabled, and > > both the processor and the application support it. When this feature is > > enabled, legacy non-SHSTK applications continue to work, but without SHSTK > > protection. > > > > The user-mode SHSTK protection is only implemented for the 64-bit kernel. > > IA32 applications are supported under the compatibility mode. > > I think what you're trying to say here is that the hardware supports > shadow stacks with 32-bit kernels. However, this series does not > include that support and we have no plans to add it. > > Right? Yes. > > I'll let others weigh in, but I rather dislike the use of acronyms here. > I'd much rather see the english "shadow stack" everywhere than SHSTK. I will change to shadow stack. > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > > index 5e8949953660..6c34b701c588 100644 > > --- a/arch/x86/Kconfig > > +++ b/arch/x86/Kconfig > > @@ -1974,6 +1974,28 @@ config X86_INTEL_TSX_MODE_AUTO > > side channel attacks- equals the tsx=auto command line parameter. > > endchoice > > > > +config X86_INTEL_CET > > + def_bool n > > + > > +config ARCH_HAS_SHSTK > > + def_bool n > > + > > +config X86_INTEL_SHADOW_STACK_USER > > + prompt "Intel Shadow Stack for user-mode" > > Nit: this whole thing is to support more than a single stack. I'd make > this plural at least in the text: "shadow stacks". OK. > > > + def_bool n > > + depends on CPU_SUP_INTEL && X86_64 > > + select ARCH_USES_HIGH_VMA_FLAGS > > + select X86_INTEL_CET > > + select ARCH_HAS_SHSTK > > + ---help--- > > + Shadow Stack (SHSTK) provides protection against program > > + stack corruption. It is active when the kernel has this > > + feature enabled, and the processor and the application > > + support it. When this feature is enabled, legacy non-SHSTK > > + applications continue to work, but without SHSTK protection. > > + > > + If unsure, say y. > > This is missing a *lot* of information. > > What matters to someone turning this on? > > 1. It's a hardware feature. This only matters if you have the right > hardware > 2. It's a security hardening feature. You dance around this, but need > to come out and say it. > 3. Apps must be enabled to use it. You get no protection "for free" on > old userspace. > 4. The hardware supports user and kernel, but this option is for > userspace only. I will update the help text. Yu-cheng
