On Thu, Oct 16, 2025 at 04:29:48PM +0800, Zong Li wrote:
On Thu, Oct 16, 2025 at 2:14 AM Deepak Gupta <[email protected]> wrote:

This patch creates a config for shadow stack support and landing pad instr
support. Shadow stack support and landing instr support can be enabled by
selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires
up path to enumerate CPU support and if cpu support exists, kernel will
support cpu assisted user mode cfi.

If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.

Reviewed-by: Zong Li <[email protected]>
Signed-off-by: Deepak Gupta <[email protected]>
---
 arch/riscv/Kconfig                  | 21 +++++++++++++++++++++
 arch/riscv/configs/hardening.config |  4 ++++
 2 files changed, 25 insertions(+)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 0c6038dc5dfd..aed033e2b526 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -1146,6 +1146,27 @@ config RANDOMIZE_BASE

           If unsure, say N.

+config RISCV_USER_CFI
+       def_bool y
+       bool "riscv userspace control flow integrity"
+       depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss)
+       depends on RISCV_ALTERNATIVE
+       select RISCV_SBI
+       select ARCH_HAS_USER_SHADOW_STACK
+       select ARCH_USES_HIGH_VMA_FLAGS
+       select DYNAMIC_SIGFRAME
+       help
+         Provides CPU assisted control flow integrity to userspace tasks.
+         Control flow integrity is provided by implementing shadow stack for
+         backward edge and indirect branch tracking for forward edge in 
program.
+         Shadow stack protection is a hardware feature that detects function
+         return address corruption. This helps mitigate ROP attacks.
+         Indirect branch tracking enforces that all indirect branches must land
+         on a landing pad instruction else CPU will fault. This mitigates 
against
+         JOP / COP attacks. Applications must be enabled to use it, and old 
user-
+         space does not get protection "for free".
+         default n.

Maybe it is default 'y' instead of 'n'

aah yes, this needs to change. thanks.
I'll see if there are other significant issues, if yes then I'll fix it in that
version. Else I request Paul to fix it.


+
 endmenu # "Kernel features"

 menu "Boot options"
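Review bot: The `$(cc-option,...)` probe in the `depends on 64BIT` line tests only `-march=rv64ima_zicfiss`, while the help text says the option also provides indirect branch tracking with landing pads. If building that support needs toolchain support for the landing pad extension as well, the probe should cover it; otherwise a short comment saying why the shadow stack probe is sufficient would help. Separately, the entry sets the type twice (`def_bool y` followed by `bool "..."`); a single `bool "riscv userspace control flow integrity"` with `default y` is the usual form, and the trailing "default n." in the help text should then agree with it.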
diff --git a/arch/riscv/configs/hardening.config 
b/arch/riscv/configs/hardening.config
new file mode 100644
index 000000000000..089f4cee82f4
--- /dev/null
+++ b/arch/riscv/configs/hardening.config
@@ -0,0 +1,4 @@
+# RISCV specific kernel hardening options
+
+# Enable control flow integrity support for usermode.
+CONFIG_RISCV_USER_CFI=y
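Review bot: The commit message does not mention the new arch/riscv/configs/hardening.config fragment; a sentence on its purpose and how it is meant to be used would help. Also, since `RISCV_USER_CFI` is `def_bool y` in the Kconfig hunk, `CONFIG_RISCV_USER_CFI=y` here changes nothing while that default stands, so it is worth stating whether the fragment is meant to guard against a later change of the default.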

--
2.43.0

