Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
x86/cpu: Add comment clarifying CRn pinning
To avoid future confusion on the purpose and design of the CRn pinning code.
Also note that if the attacker controls page-tables, the CRn bits lose much of
the attraction anyway.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
authored by
Peter Zijlstra
and committed by
Borislav Petkov (AMD)
a3e93cac
3645eb7e
+13
+13
arch/x86/kernel/cpu/common.c
+13
arch/x86/kernel/cpu/common.c
···
434
434
/* These bits should not change their value after CPU init is finished. */
435
435
static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
436
436
X86_CR4_FSGSBASE | X86_CR4_CET;
437
+
438
+
/*
439
+
* The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).
440
+
* Since you can ROP directly to these instructions (barring shadow stack),
441
+
* any protection must follow immediately and unconditionally after that.
442
+
*
443
+
* Specifically, the CR[04] write functions below will have the value
444
+
* validation controlled by the @cr_pinning static_branch which is
445
+
* __ro_after_init, just like the cr4_pinned_bits value.
446
+
*
447
+
* Once set, an attacker will have to defeat page-tables to get around these
448
+
* restrictions. Which is a much bigger ask than 'simple' ROP.
449
+
*/
437
450
static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
438
451
static unsigned long cr4_pinned_bits __ro_after_init;
439
452