From: Dave Hansen <dave.hansen@intel.com>
To: Yu-cheng Yu <yu-cheng.yu@intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-mm@kvack.org, linux-arch@vger.kernel.org,
linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
Dave Martin <Dave.Martin@arm.com>,
Weijiang Yang <weijiang.yang@intel.com>,
Pengfei Xu <pengfei.xu@intel.com>
Subject: Re: [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection
Date: Fri, 29 Jan 2021 11:42:31 -0800 [thread overview]
Message-ID: <40a5a9b5-9c83-473d-5f62-a16ecde50f2a@intel.com> (raw)
In-Reply-To: <20210127212524.10188-3-yu-cheng.yu@intel.com>
On 1/27/21 1:25 PM, Yu-cheng Yu wrote:
> + help
> + Control-flow protection is a hardware security hardening feature
> + that detects function-return address or jump target changes by
> + malicious code.
It's not really one feature. I also think it's not worth talking about
shadow stacks or indirect branch tracking in *here*. Leave that for
Documentation/.
Just say:
Control-flow protection is a set of hardware features which
place additional restrictions on indirect branches. These help
mitigate ROP attacks.
... and add more in the IBT patches.
> Applications must be enabled to use it, and old
> + userspace does not get protection "for free".
> + Support for this feature is present on processors released in
> + 2020 or later. Enabling this feature increases kernel text size
> + by 3.7 KB.
Did any CPUs ever get released that have this? If so, name them. If
not, time to change this to 2021, I think.
next prev parent reply other threads:[~2021-01-29 19:43 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-27 21:24 [PATCH v18 00/25] Control-flow Enforcement: Shadow Stack Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 01/25] Documentation/x86: Add CET description Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 02/25] x86/cet/shstk: Add Kconfig option for user-mode control-flow protection Yu-cheng Yu
2021-01-29 19:42 ` Dave Hansen [this message]
2021-01-29 19:58 ` Andy Lutomirski
2021-01-29 20:33 ` Dave Hansen
2021-01-29 20:46 ` Borislav Petkov
2021-01-29 21:13 ` Yu, Yu-cheng
2021-01-29 20:00 ` Yu, Yu-cheng
2021-01-27 21:25 ` [PATCH v18 03/25] x86/cpufeatures: Add CET CPU feature flags for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 04/25] x86/cpufeatures: Introduce X86_FEATURE_CET and setup functions Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 05/25] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states Yu-cheng Yu
2021-01-29 21:00 ` [NEEDS-REVIEW] " Dave Hansen
2021-01-29 22:35 ` Yu, Yu-cheng
2021-01-29 22:53 ` Dave Hansen
2021-02-01 22:43 ` Yu, Yu-cheng
2021-02-01 22:59 ` Dave Hansen
2021-02-01 23:05 ` Yu, Yu-cheng
2021-02-01 23:12 ` Dave Hansen
2021-02-01 23:14 ` Yu, Yu-cheng
2021-01-27 21:25 ` [PATCH v18 06/25] x86/cet: Add control-protection fault handler Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 07/25] x86/mm: Remove _PAGE_DIRTY from kernel RO pages Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 08/25] x86/mm: Introduce _PAGE_COW Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 09/25] drm/i915/gvt: Change _PAGE_DIRTY to _PAGE_DIRTY_BITS Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 10/25] x86/mm: Update pte_modify for _PAGE_COW Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 11/25] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_DIRTY to _PAGE_COW Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 12/25] mm: Introduce VM_SHSTK for shadow stack memory Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 13/25] x86/mm: Shadow Stack page fault error checking Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 14/25] x86/mm: Update maybe_mkwrite() for shadow stack Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 15/25] mm: Fixup places that call pte_mkwrite() directly Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 16/25] mm: Add guard pages around a shadow stack Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 17/25] mm/mmap: Add shadow stack pages to memory accounting Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 18/25] mm: Update can_follow_write_pte() for shadow stack Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 19/25] mm: Re-introduce vm_flags to do_mmap() Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 20/25] x86/cet/shstk: User-mode shadow stack support Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 21/25] x86/cet/shstk: Handle signals for shadow stack Yu-cheng Yu
2021-02-01 22:53 ` Dave Hansen
2021-02-01 22:58 ` Yu, Yu-cheng
2021-01-27 21:25 ` [PATCH v18 22/25] ELF: Introduce arch_setup_elf_property() Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 23/25] x86/cet/shstk: Handle thread shadow stack Yu-cheng Yu
2021-01-27 21:25 ` [PATCH v18 24/25] x86/cet/shstk: Add arch_prctl functions for " Yu-cheng Yu
2021-01-29 17:07 ` Dave Hansen
2021-01-29 18:56 ` Yu, Yu-cheng
2021-01-29 19:15 ` Dave Hansen
2021-01-29 19:53 ` Yu, Yu-cheng
2021-02-03 21:54 ` Yu, Yu-cheng
2021-02-03 22:11 ` Dave Hansen
2021-02-03 22:28 ` Yu, Yu-cheng
2021-01-27 21:25 ` [PATCH v18 25/25] mm: Introduce PROT_SHSTK " Yu-cheng Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40a5a9b5-9c83-473d-5f62-a16ecde50f2a@intel.com \
--to=dave.hansen@intel.com \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=esyr@redhat.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=pengfei.xu@intel.com \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=rdunlap@infradead.org \
--cc=tglx@linutronix.de \
--cc=vedvyas.shanbhogue@intel.com \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.