[PATCH v3] x86/cpufeatures: Make X86_FEATURE_SHSTK clearcpuid-able
From: Mathias Krause
Date: Thu May 14 2026 - 12:11:44 EST
Allow X86_FEATURE_SHST to be disabled through the kernel commandline via
'clearcpuid=shstk' as 'nousershstk' would still enable CR4.CET even if
no CET features are in use.
This, in combination with disabling IBT as well, e.g. via
'clearcpuid=shstk,ibt' allows to fully disable CR4.CET enabling on
capable hardware, which in turn allows debugging CET-related issues
during early boot.
Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
---
v3:
- switch to clearcpuid-based approach
v2: https://lore.kernel.org/lkml/20260402173606.1096172-1-minipli@xxxxxxxxxxxxxx/
arch/x86/include/asm/cpufeatures.h | 2 +-
tools/arch/x86/include/asm/cpufeatures.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 1d506e5d6f46..75cc39037df6 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -393,7 +393,7 @@
#define X86_FEATURE_OSPKE (16*32+ 4) /* "ospke" OS Protection Keys Enable */
#define X86_FEATURE_WAITPKG (16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUSE Instructions */
#define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* "avx512_vbmi2" Additional AVX512 Vector Bit Manipulation Instructions */
-#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow stack */
+#define X86_FEATURE_SHSTK (16*32+ 7) /* "shstk" CET Shadow Stack */
#define X86_FEATURE_GFNI (16*32+ 8) /* "gfni" Galois Field New Instructions */
#define X86_FEATURE_VAES (16*32+ 9) /* "vaes" Vector AES */
#define X86_FEATURE_VPCLMULQDQ (16*32+10) /* "vpclmulqdq" Carry-Less Multiplication Double Quadword */
diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
index 86d17b195e79..fcbe633e1f76 100644
--- a/tools/arch/x86/include/asm/cpufeatures.h
+++ b/tools/arch/x86/include/asm/cpufeatures.h
@@ -393,7 +393,7 @@
#define X86_FEATURE_OSPKE (16*32+ 4) /* "ospke" OS Protection Keys Enable */
#define X86_FEATURE_WAITPKG (16*32+ 5) /* "waitpkg" UMONITOR/UMWAIT/TPAUSE Instructions */
#define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* "avx512_vbmi2" Additional AVX512 Vector Bit Manipulation Instructions */
-#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow stack */
+#define X86_FEATURE_SHSTK (16*32+ 7) /* "shstk" CET Shadow Stack */
#define X86_FEATURE_GFNI (16*32+ 8) /* "gfni" Galois Field New Instructions */
#define X86_FEATURE_VAES (16*32+ 9) /* "vaes" Vector AES */
#define X86_FEATURE_VPCLMULQDQ (16*32+10) /* "vpclmulqdq" Carry-Less Multiplication Double Quadword */
--
2.47.3