On Thu, Aug 22, 2024 at 02:15:30AM +0100, Mark Brown wrote: > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index a2f8ff354ca6..772f9ba99fe8 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -2137,6 +2137,26 @@ config ARM64_EPAN > if the cpu does not implement the feature. > endmenu # "ARMv8.7 architectural features" > > +menu "v9.4 architectural features" > + > +config ARM64_GCS > + bool "Enable support for Guarded Control Stack (GCS)" > + default y > + select ARCH_HAS_USER_SHADOW_STACK > + select ARCH_USES_HIGH_VMA_FLAGS > + help > + Guarded Control Stack (GCS) provides support for a separate > + stack with restricted access which contains only return > + addresses. This can be used to harden against some attacks > + by comparing return address used by the program with what is > + stored in the GCS, and may also be used to efficiently obtain > + the call stack for applications such as profiling. > + > + The feature is detected at runtime, and will remain disabled > + if the system does not implement the feature. > + > +endmenu # "v9.4 architectural features" BTW, as Mark R spotted we'd also need to handle uprobes. Since that's off in defconfig, I think it can be done separately on top of this series. In the meantime, we could make this dependent on !UPROBES. -- Catalin
