On 9/18/20 2:06 PM, H.J. Lu wrote: > On Fri, Sep 18, 2020 at 2:00 PM Pavel Machek <[email protected]> wrote: >> On Fri 2020-09-18 12:32:57, Dave Hansen wrote: >>> On 9/18/20 12:23 PM, Yu-cheng Yu wrote: >>>> Emulation of the legacy vsyscall page is required by some programs >>>> built before 2013. Newer programs after 2013 don't use it. >>>> Disable vsyscall emulation when Control-flow Enforcement (CET) is >>>> enabled to enhance security. >>> How does this "enhance security"? >>> >>> What is the connection between vsyscall emulation and CET? >> Boom. >> >> We don't break compatibility by default, and you should not tell >> people to enable CET by default if you plan to do this. >> > Nothing will be broken. CET enabled applications don't use/need > vsyscall emulation.
Hi H.J., Could you explain your logic a bit more thoroughly, please? I also suspect that Pavel was confused by your changelog where you said that you do this when "CET is enabled". Does enabled in this context mean: 1. Just CET support compiled in, or 2. Compiled in and on CET hardware, or 3. Compiled in to the kernel enabled in the app and running on CET hardware?

