On 8/30/21 11:14 AM, Yu-cheng Yu wrote: > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index bdb22006f713..3bc1a917dfef 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -3319,6 +3319,13 @@ > noexec=on: enable non-executable mappings (default) > noexec=off: disable non-executable mappings > > + no_user_shstk [X86-64] Disable Shadow Stack for user-mode > + applications. Disabling shadow stack also disables > + IBT. > + > + no_user_ibt [X86-64] Disable Indirect Branch Tracking for user-mode > + applications. > + > nosmap [X86,PPC] > Disable SMAP (Supervisor Mode Access Prevention) > even if it is supported by processor. Please add this documentation in the patch that *implements* the command-line options. > +++ b/Documentation/x86/intel_cet.rst > @@ -0,0 +1,139 @@ > +.. SPDX-License-Identifier: GPL-2.0 > + > +========================================= > +Control-flow Enforcement Technology (CET) > +========================================= > + > +[1] Overview > +============ > + > +Control-flow Enforcement Technology (CET) is an Intel processor feature > +that provides protection against return/jump-oriented programming (ROP) > +attacks. It can be set up to protect both applications and the kernel. > +Only user-mode protection is implemented in the 64-bit kernel, including > +shadow stack support for running legacy 32-bit applications. IBT is not > +supported for 32-bit applications. > + > +CET introduces Shadow Stack and Indirect Branch Tracking. ... This is a *bit* confusing now. AMD's manual describes shadow stacks, but does not mention IBT. We should probably consider whether "intel_cet.rst" is the best filename for this.
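Review bot: in the kernel-parameters.txt hunk, the no_user_shstk entry says that disabling shadow stack also disables IBT but gives no reason, and neither new entry states the consequence for a program built with CET support: it runs without the corresponding control-flow protection. Since these entries sit beside nosmap and other mitigation toggles, suggest one sentence on the security effect plus a pointer to Documentation/x86/intel_cet.rst for the shadow-stack/IBT dependency, e.g. `Applications built with CET run without shadow stack protection when this is set; see Documentation/x86/intel_cet.rst.`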
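Review bot: in the intel_cet.rst hunk, the Overview sentence "protection against return/jump-oriented programming (ROP) attacks" folds two attack classes under one acronym even though the text then introduces Shadow Stack and Indirect Branch Tracking as separate mechanisms. Suggest spelling out which mechanism addresses which class, e.g. `Shadow Stack protects return addresses (ROP); Indirect Branch Tracking (IBT) constrains indirect call and jump targets (JOP/COP).` Also, the heading `[1] Overview` carries a bracketed number that reST will not treat as a section number; a plain `Overview` heading matches the rest of Documentation/.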