On Thu, Sep 29, 2022 at 03:29:01PM -0700, Rick Edgecombe wrote:
> From: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
>
> Utilizing CET features requires a CR4 bit to be enabled as well as bits
> to be set in CET MSRs. Setting the CR4 bit does two things:
> 1. Enables the usage of WRUSS instruction, which the kernel can use to
>    write to userspace shadow stacks.
> 2. Allows those individual aspects of CET to be enabled later via the MSR.
> 3. Allows CET to be enabled in guests
>
> While future patches will allow the MSR values to be saved and restored
> per task, the CR4 bit will allow for WRUSS to be used regardless of if a
> task's CET MSRs have been restored.
>
> Kernel IBT already enables the CET CR4 bit when it detects IBT HW support
> and is configured with kernel IBT. However future patches that enable
> userspace shadow stack support will need the bit set as well. So change
> the logic to enable it in either case.
>
> Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see
> userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
> Co-developed-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook