> On Dec 5, 2018, at 7:04 AM, Josh Poimboeuf <jpoim...@redhat.com> wrote:
>
>> Anyway, I have a new objection to Josh's create_gap proposal: what on
>> Earth will kernel CET do to it? Maybe my longjmp-like hack is
>> actually better.
>
> Does CET even care about iret? I assumed it didn't. If it does, your
> proposal would have the same problem, no?
I think it doesn't, but it doesn't really matter. The shadow stack looks like:

    retaddr of function being poked
    call do_int3 + 5

And, to emulate a call, you need to stick a new frame right in the middle. At least with a longjmp-like approach, you can clobber the "call do_int3 + 5" part and then INCSSP on the way out.

To be fair, I think this also sucks.

PeterZ, can we abuse NMI to make this problem go away? I don't suppose that we have some rule that NMI handlers never wait for other CPUs to finish doing anything?