Re: [PATCH v30 01/32] Documentation/x86: Add CET description

From: Dave Hansen
Date: Tue Oct 05 2021 - 11:05:43 EST


On 8/30/21 11:14 AM, Yu-cheng Yu wrote:
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index bdb22006f713..3bc1a917dfef 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3319,6 +3319,13 @@
> noexec=on: enable non-executable mappings (default)
> noexec=off: disable non-executable mappings
>
> + no_user_shstk [X86-64] Disable Shadow Stack for user-mode
> + applications. Disabling shadow stack also disables
> + IBT.
> +
> + no_user_ibt [X86-64] Disable Indirect Branch Tracking for user-mode
> + applications.
> +
> nosmap [X86,PPC]
> Disable SMAP (Supervisor Mode Access Prevention)
> even if it is supported by processor.
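Review bot: the two new entries are out of alphabetical order relative to each other: kernel-parameters.txt keeps its entries sorted, and `no_user_ibt` sorts before `no_user_shstk`, so swap the two blocks. Also, the `no_user_shstk` text says "Disabling shadow stack also disables IBT" but the `no_user_ibt` entry says nothing about shadow stack; state the dependency in both places (e.g. "IBT requires shadow stack; see no_user_shstk") so a reader of either entry understands why one option implies the other.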

Please add this documentation in the patch that *implements* the
command-line options.


> +++ b/Documentation/x86/intel_cet.rst
> @@ -0,0 +1,139 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +=========================================
> +Control-flow Enforcement Technology (CET)
> +=========================================
> +
> +[1] Overview
> +============
> +
> +Control-flow Enforcement Technology (CET) is an Intel processor feature
> +that provides protection against return/jump-oriented programming (ROP)
> +attacks. It can be set up to protect both applications and the kernel.
> +Only user-mode protection is implemented in the 64-bit kernel, including
> +shadow stack support for running legacy 32-bit applications. IBT is not
> +supported for 32-bit applications.
> +
> +CET introduces Shadow Stack and Indirect Branch Tracking.
...
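Review bot: the overview's abbreviation is inaccurate: "return/jump-oriented programming (ROP)" pairs one acronym with two techniques; write "return-oriented programming (ROP) and jump-oriented programming (JOP)" so both are defined. Relatedly, "IBT" is used in "IBT is not supported for 32-bit applications" before the text introduces Indirect Branch Tracking two paragraphs later; either expand it on first use or move the "CET introduces Shadow Stack and Indirect Branch Tracking" sentence ahead of the 32-bit caveat. Minor style point: the "[1] Overview" section title with a bracketed number is not the convention used elsewhere under Documentation/x86; plain "Overview" with the rst underline is enough, and the toctree handles numbering.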

This is a *bit* confusing now. AMD's manual describes shadow stacks,
but does not mention IBT.

We should probably consider whether "intel_cet.rst" is the best filename
for this.