On 26.11.2021 13:34, Andrew Cooper wrote:
> With all the pieces now in place, turn CET-IBT on when available.
>
> MSR_S_CET, like SMEP/SMAP, controls Ring1 meaning that ENDBR_EN can't be
> enabled for Xen independently of PV32 kernels. As we already disable PV32 for
> CET-SS, extend this to all CET, adjusting the documentation/comments as
> appropriate.
>
> Introduce a cet=no-ibt command line option to allow the admin to disable IBT
> even when everything else is configured correctly.
>
> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
Reviewed-by: Jan Beulich <jbeul...@suse.com>

> @@ -1102,11 +1116,33 @@ void __init noreturn __start_xen(unsigned long mbi_p)
> printk("Enabling Supervisor Shadow Stacks\n");
>
> setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK);
> + }
> +
> + if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) )
> + {
> + printk("Enabling Indirect Branch Tracking\n");
> +
> + setup_force_cpu_cap(X86_FEATURE_XEN_IBT);
> +
> + if ( efi_no_cet_ibt )
> + printk(" - UEFI Runtime Services not IBT safe\n");

Here it becomes clear why you need the variable also in efi/stub.c.

Jan
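Review bot: the `if ( efi_no_cet_ibt )` check at the end of the hunk only emits a log line after X86_FEATURE_XEN_IBT has already been force-set a few lines above it, so from the quoted lines alone a reader cannot tell how IBT enforcement is dealt with when the firmware's runtime services are not IBT safe; a short comment above that check (or a sentence in the commit message) pointing at where that case is actually handled would make the intent of the message self-explanatory. The same unconditional reference to `efi_no_cet_ibt` from __start_xen also means the symbol must be provided in every build configuration, which is why it has to exist in efi/stub.c as well; a one-line comment at the variable's definition stating that both the runtime and stub builds must supply it would document that dependency for the next person touching the EFI code.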