On Thu, Sep 29, 2022 at 03:29:27PM -0700, Rick Edgecombe wrote:
> From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> 
> Applications and loaders can have logic to decide whether to enable CET.
> They usually don't report whether CET has been enabled or not, so there
> is no way to verify whether an application actually is protected by CET
> features.
> 
> Add two lines in /proc/$PID/arch_status to report enabled and locked
> features.
> 
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> [Switched to CET, added to commit log]
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> 
> ---
> 
> v2:
>  - New patch
> 
>  arch/x86/kernel/Makefile     |  2 ++
>  arch/x86/kernel/fpu/xstate.c | 47 ---------------------------
>  arch/x86/kernel/proc.c       | 63 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 65 insertions(+), 47 deletions(-)
>  create mode 100644 arch/x86/kernel/proc.c

This is two patches: one to create proc.c, the other to add CET support.

I found where the "arch_status" conversation was:
https://lore.kernel.org/all/CALCETrUjF9PBmkzH1J86vw4ZW785DP7FtcT+gcSrx29=BUnjoQ@xxxxxxxxxxxxxx/

Andy, what did you mean "make sure that everything in it is namespaced"?
Everything already has a field name. And arch_status doesn't exactly solve
having compat fields -- it still needs to be handled manually? Anyway... we
have arch_status, so I guess it's fine.

> [...]
> +int proc_pid_arch_status(struct seq_file *m, struct pid_namespace *ns,
> +			 struct pid *pid, struct task_struct *task)
> +{
> +	/*
> +	 * Report AVX512 state if the processor and build option supported.
> +	 */
> +	if (cpu_feature_enabled(X86_FEATURE_AVX512F))
> +		avx512_status(m, task);
> +
> +	seq_puts(m, "Thread_features:\t");
> +	dump_features(m, task->thread.features);
> +	seq_putc(m, '\n');
> +
> +	seq_puts(m, "Thread_features_locked:\t");
> +	dump_features(m, task->thread.features_locked);
> +	seq_putc(m, '\n');

Why are these always present instead of ifdefed?

-Kees

-- 
Kees Cook
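Review bot: the two Thread_features lines in the quoted proc_pid_arch_status() hunk are emitted unconditionally, while the AVX512 state just above them is guarded by `cpu_feature_enabled(X86_FEATURE_AVX512F)`; on a kernel built without CET support, or on a CPU without it, userspace will read an empty "Thread_features:" line and cannot tell "not supported" from "not enabled", which is the very question the commit message says this file should answer. Guard the two blocks the same way the AVX512 block is guarded (build option plus feature check), or state in the commit message why an empty line is the intended signal. Separately, the hunk shows only `dump_features(m, task->thread.features)` and not what dump_features() prints (feature names, a hex mask, the separator), yet this is new userspace ABI; the output format should be spelled out in the commit message and documented next to the existing arch_status fields.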
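As an added example that is not part of this thread, the patch, or the kernel tree: a small userspace checker for the two lines the patch proposes, answering the question the commit message raises (is this task actually protected by a given CET feature, and is that state locked?). It assumes, since the hunk does not show dump_features(), that each line carries a whitespace-separated list of feature names such as "shstk"; the arch_status text embedded below is constructed for the example, not captured from a real kernel, and the feature names used are illustrative.

```c
/* Added example, not code from the patch or the kernel tree.
 *
 * Parses the "Thread_features:" and "Thread_features_locked:" lines that
 * the quoted patch proposes for /proc/$PID/arch_status and reports whether a
 * named feature is enabled and/or locked for that task.
 *
 * Assumptions (not established by the thread): each line holds a
 * whitespace-separated list of feature names. SAMPLE_ARCH_STATUS is a
 * constructed sample, not real kernel output.
 */
#include <stdio.h>
#include <string.h>

enum { FEAT_NONE = 0, FEAT_ENABLED = 1, FEAT_LOCKED = 2 };

/* Constructed sample of what the file might look like with the patch applied. */
static const char SAMPLE_ARCH_STATUS[] =
    "AVX512_elapsed_ms:\t-1\n"
    "Thread_features:\tshstk wrss\n"
    "Thread_features_locked:\tshstk\n";

/* Find the line "key:<tab>value" in buf and copy value (no newline) to out.
 * The ':' check keeps "Thread_features" from matching "Thread_features_locked".
 * Returns 1 if the key was present, 0 otherwise. */
static int arch_status_field(const char *buf, const char *key,
                             char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = buf;

    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == '\t' || *v == ' ')
                v++;
            const char *e = strchr(v, '\n');
            size_t n = e ? (size_t)(e - v) : strlen(v);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* Exact-token membership test on a whitespace-separated list. */
static int list_has(const char *list, const char *name)
{
    char copy[256];
    strncpy(copy, list, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *tok = strtok(copy, " \t"); tok; tok = strtok(NULL, " \t"))
        if (strcmp(tok, name) == 0)
            return 1;
    return 0;
}

/* Returns a bitmask of FEAT_ENABLED / FEAT_LOCKED for `name`. An absent or
 * empty Thread_features line yields FEAT_NONE, so a caller cannot mistake
 * "not reported" for "protected". */
int cet_feature_state(const char *arch_status, const char *name)
{
    char val[256];
    int state = FEAT_NONE;

    if (arch_status_field(arch_status, "Thread_features", val, sizeof val) &&
        list_has(val, name))
        state |= FEAT_ENABLED;
    if (arch_status_field(arch_status, "Thread_features_locked", val, sizeof val) &&
        list_has(val, name))
        state |= FEAT_LOCKED;
    return state;
}

int main(void)
{
    char buf[4096];
    size_t n = 0;
    FILE *f = fopen("/proc/self/arch_status", "r");

    if (f) {
        n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[n] = '\0';
    /* Fall back to the constructed sample when the file is unavailable. */
    const char *src = n ? buf : SAMPLE_ARCH_STATUS;
    int st = cet_feature_state(src, "shstk");

    printf("shstk: %s%s\n", (st & FEAT_ENABLED) ? "enabled" : "disabled",
           (st & FEAT_LOCKED) ? " (locked)" : "");
    return 0;
}
```

Run against a live kernel the check only means something if the kernel actually emits the lines; on one that does not, cet_feature_state() returns FEAT_NONE for every name, which is the ambiguity the reply above points at.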