
Re: [PATCH v4 06/14] x86/traps: Don't configure Supervisor Shadow Stack tokens in FRED mode


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 2 Mar 2026 15:47:04 +0000
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 02 Mar 2026 15:47:17 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02/03/2026 2:50 pm, Jan Beulich wrote:
> On 28.02.2026 00:16, Andrew Cooper wrote:
>> FRED doesn't use Supervisor Shadow Stack tokens.  This means that:
>>
>>  1) memguard_guard_stack() should not write Supervisor Shadow Stack Tokens.
>>  2) cpu_has_bug_shstk_fracture is no longer relevant when deciding whether or
>>     not to enable Shadow Stacks in the first place.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Thanks.

>> The SDM explicitly points out the shstk fracture vs FRED case, yet PTL
>> enumerates CET-SSS (immunity to shstk fracture).  I can only assume that there
>> are other Intel CPUs with FRED but without CET-SSS.
> Isn't CET-SSS still relevant to OSes not using FRED (much like you do for
> the fred=no case)?

Yes, CET-SSS is relevant outside of FRED mode.

I just don't see the point of the note if all FRED systems will
enumerate CET-SSS.

~Andrew



 

