Thread (38 messages) 38 messages, 6 authors, 2025-11-12

Re: [PATCH v22 25/28] riscv: create a config for shadow stack and landing pad instr support

From: Deepak Gupta <hidden>
Date: 2025-11-11 18:22:13
Also in: linux-arch, linux-doc, linux-fsdevel, linux-kselftest, linux-mm, linux-riscv, lkml, rust-for-linux 

On Tue, Nov 11, 2025 at 01:58:37PM +0800, Zong Li wrote:
On Fri, Oct 24, 2025 at 12:51 AM Deepak Gupta via B4 Relay
[off-list ref] wrote:
quoted
From: Deepak Gupta <redacted>

This patch creates a config for shadow stack support and landing pad instr
support. Shadow stack support and landing instr support can be enabled by
selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires
up path to enumerate CPU support and if cpu support exists, kernel will
support cpu assisted user mode cfi.

If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.

Reviewed-by: Zong Li <redacted>
Signed-off-by: Deepak Gupta <redacted>
---
 arch/riscv/Kconfig                  | 22 ++++++++++++++++++++++
 arch/riscv/configs/hardening.config |  4 ++++
 2 files changed, 26 insertions(+)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 0c6038dc5dfd..4f9f9358e6e3 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -1146,6 +1146,28 @@ config RANDOMIZE_BASE

           If unsure, say N.

+config RISCV_USER_CFI
+       def_bool y
+       bool "riscv userspace control flow integrity"
+       depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss) && \
+                           $(cc-option,-fcf-protection=full)
Hi Deepak,
I noticed that you added a $(cc-option,-fcf-protection=full) check in
this version. I think this check will fail by a cc1 warning when using
a newer toolchain, because -fcf-protection cannot be used alone, it
must be specified together with the appropriate -march option.
For example:
 1. -fcf-protection=branch requires -march=..._zicfilp
 2. -fcf-protection=return requires -march=..._zicfiss
 3. -fcf-protection=full requires -march=..._zicfilp_zicfiss
toolchain that I have from June doesn't require -march=..._zicfilp_zicfiss
for -fcf-protection=full. If that has changed, I think this will need a
revision.

quoted
+       depends on RISCV_ALTERNATIVE
+       select RISCV_SBI
+       select ARCH_HAS_USER_SHADOW_STACK
+       select ARCH_USES_HIGH_VMA_FLAGS
+       select DYNAMIC_SIGFRAME
+       help
+         Provides CPU assisted control flow integrity to userspace tasks.
+         Control flow integrity is provided by implementing shadow stack for
+         backward edge and indirect branch tracking for forward edge in program.
+         Shadow stack protection is a hardware feature that detects function
+         return address corruption. This helps mitigate ROP attacks.
+         Indirect branch tracking enforces that all indirect branches must land
+         on a landing pad instruction else CPU will fault. This mitigates against
+         JOP / COP attacks. Applications must be enabled to use it, and old user-
+         space does not get protection "for free".
+         default y.
+
 endmenu # "Kernel features"

 menu "Boot options"
diff --git a/arch/riscv/configs/hardening.config b/arch/riscv/configs/hardening.config
new file mode 100644
index 000000000000..089f4cee82f4
--- /dev/null
+++ b/arch/riscv/configs/hardening.config
@@ -0,0 +1,4 @@
+# RISCV specific kernel hardening options
+
+# Enable control flow integrity support for usermode.
+CONFIG_RISCV_USER_CFI=y

--
2.43.0

  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help