Re: [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2020-02-26 at 10:05 -0800, Dave Hansen wrote:
> On 2/5/20 10:19 AM, Yu-cheng Yu wrote:
> > +# Check assembler Shadow Stack suppot
> 
> 				  ^ support
> 
> > +ifdef CONFIG_X86_INTEL_SHADOW_STACK_USER
> > +  ifeq ($(call as-instr, saveprevssp, y),)
> > +      $(error CONFIG_X86_INTEL_SHADOW_STACK_USER not supported by the assembler)
> > +  endif
> > +endif
> 
> Is this *just* looking for instruction support in the assembler?
> 
> We usually just .byte them, like this for pkeys:
> 
>         asm volatile(".byte 0x0f,0x01,0xee\n\t"
>                      : "=a" (pkru), "=d" (edx)
>                      : "c" (ecx));
> 
> That way everybody with old toolchains can still build the kernel (and
> run/test code with your config option on, btw...).

We used to do this for CET instructions, but after adding kernel-mode
instructions and inserting ENDBR's, the code becomes cluttered.  I also
found an earlier discussion on the ENDBR:

https://lore.kernel.org/lkml/CALCETrVRH8LeYoo7V1VBPqg4WS0Enxtizt=T7dPvgoeWfJrdzA@xxxxxxxxxxxxxx/

It makes sense to let the user know early on that the system cannot support
CET and cannot build a CET-enabled kernel.

One thing we can do is to disable CET in Kconfig and not in kernel
build, which I will do in the next version.

Yu-cheng




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux