Commit a3e93cac authored by Peter Zijlstra's avatar Peter Zijlstra Committed by Borislav Petkov (AMD)
Browse files

x86/cpu: Add comment clarifying CRn pinning 



To avoid future confusion on the purpose and design of the CRn pinning code.

Also note that if the attacker controls page-tables, the CRn bits lose much of
the attraction anyway.

Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Link: https://patch.msgid.link/20260320092521.GG3739106@noisy.programming.kicks-ass.net
parent 3645eb7e

arch/x86/kernel/cpu/common.c

+13 −0
Original line number Diff line number Diff line
@@ -434,6 +434,19 @@ static __always_inline void setup_lass(struct cpuinfo_x86 *c) 
/* These bits should not change their value after CPU init is finished. */

static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |

					     X86_CR4_FSGSBASE | X86_CR4_CET;



/*

 * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).

 * Since you can ROP directly to these instructions (barring shadow stack),

 * any protection must follow immediately and unconditionally after that.

 *

 * Specifically, the CR[04] write functions below will have the value

 * validation controlled by the @cr_pinning static_branch which is

 * __ro_after_init, just like the cr4_pinned_bits value.

 *

 * Once set, an attacker will have to defeat page-tables to get around these

 * restrictions. Which is a much bigger ask than 'simple' ROP.

 */

static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);

static unsigned long cr4_pinned_bits __ro_after_init;