Re: [tip: x86/urgent] x86/cpu: Disable CR pinning during CPU bringup

From: Peter Zijlstra

Date: Wed Mar 18 2026 - 18:16:44 EST

On Wed, Mar 18, 2026 at 09:47:22PM +0100, Peter Zijlstra wrote:
> On Wed, Mar 18, 2026 at 06:51:10PM -0000, tip-bot2 for Dave Hansen wrote:
> > --- a/arch/x86/kernel/cpu/common.c
> > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -437,6 +437,21 @@ static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_C
> > static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
> > static unsigned long cr4_pinned_bits __ro_after_init;
> >
> > +static bool cr_pinning_enabled(void)
> > +{
> > + if (!static_branch_likely(&cr_pinning))
> > + return false;
> > +
> > + /*
> > + * Do not enforce pinning during CPU bringup. It might
> > + * turn on features that are not set up yet, like FRED.
> > + */
> > + if (!cpu_online(smp_processor_id()))
> > + return false;
> > +
> > + return true;
> > +}
>
> Urgh, so this means all an attack needs to do is disable the online bit
> and it gets to poke CR4 bits.
>
> This seems unfortunate.
>
> And sure, randomly clearing the online bit will eventually cause havoc,
> but I suspect you still get plenty time until the system goes wobbly.

The below tries to explain the CR pinning; and shows how the above
effectively disables the entire scheme since the online bit lives in RW
memory.

That is, the sequence:

clear online bit
ROP into 'mov %reg, %CR4'
(re)set online bit

is fairly trivial, all things considering.

---
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index bb937bc4b00f..994e09d8c2fb 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -450,6 +450,19 @@ late_initcall(cpu_finalize_pre_userspace);
/* These bits should not change their value after CPU init is finished. */
static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
X86_CR4_FSGSBASE | X86_CR4_CET | X86_CR4_FRED;
+
+/*
+ * The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).
+ * Since you can ROP directly to these instructions (barring shadow stack),
+ * any protection must follow immediately and unconditionally after that.
+ *
+ * Specifically, the CR[04] write functions below will have the value
+ * validation controlled by the @cr_pinning static_branch which is
+ * __ro_after_init, just like the cr4_pinned_bits value.
+ *
+ * Once set, an attacker will have to defeat page-tables to get around these
+ * restrictions. Which is a much bigger ask than 'simple' ROP.
+ */
static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
static unsigned long cr4_pinned_bits __ro_after_init;