On Fri, Oct 24, 2025 at 12:51 AM Deepak Gupta via B4 Relay <[email protected]> wrote: > > From: Deepak Gupta <[email protected]> > > This patch creates a config for shadow stack support and landing pad instr > support. Shadow stack support and landing instr support can be enabled by > selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires > up path to enumerate CPU support and if cpu support exists, kernel will > support cpu assisted user mode cfi. > > If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, > `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. > > Reviewed-by: Zong Li <[email protected]> > Signed-off-by: Deepak Gupta <[email protected]> > --- > arch/riscv/Kconfig | 22 ++++++++++++++++++++++ > arch/riscv/configs/hardening.config | 4 ++++ > 2 files changed, 26 insertions(+) > > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig > index 0c6038dc5dfd..4f9f9358e6e3 100644 > --- a/arch/riscv/Kconfig > +++ b/arch/riscv/Kconfig > @@ -1146,6 +1146,28 @@ config RANDOMIZE_BASE > > If unsure, say N. > > +config RISCV_USER_CFI > + def_bool y > + bool "riscv userspace control flow integrity" > + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss) && > \ > + $(cc-option,-fcf-protection=full)
Hi Deepak, I noticed that you added a $(cc-option,-fcf-protection=full) check in this version. I think this check will fail by a cc1 warning when using a newer toolchain, because -fcf-protection cannot be used alone, it must be specified together with the appropriate -march option. For example: 1. -fcf-protection=branch requires -march=..._zicfilp 2. -fcf-protection=return requires -march=..._zicfiss 3. -fcf-protection=full requires -march=..._zicfilp_zicfiss > + depends on RISCV_ALTERNATIVE > + select RISCV_SBI > + select ARCH_HAS_USER_SHADOW_STACK > + select ARCH_USES_HIGH_VMA_FLAGS > + select DYNAMIC_SIGFRAME > + help > + Provides CPU assisted control flow integrity to userspace tasks. > + Control flow integrity is provided by implementing shadow stack for > + backward edge and indirect branch tracking for forward edge in > program. > + Shadow stack protection is a hardware feature that detects function > + return address corruption. This helps mitigate ROP attacks. > + Indirect branch tracking enforces that all indirect branches must > land > + on a landing pad instruction else CPU will fault. This mitigates > against > + JOP / COP attacks. Applications must be enabled to use it, and old > user- > + space does not get protection "for free". > + default y. > + > endmenu # "Kernel features" > > menu "Boot options" > diff --git a/arch/riscv/configs/hardening.config > b/arch/riscv/configs/hardening.config > new file mode 100644 > index 000000000000..089f4cee82f4 > --- /dev/null > +++ b/arch/riscv/configs/hardening.config > @@ -0,0 +1,4 @@ > +# RISCV specific kernel hardening options > + > +# Enable control flow integrity support for usermode. > +CONFIG_RISCV_USER_CFI=y > > -- > 2.43.0 > >
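Review bot: in the `config RISCV_USER_CFI` entry of the arch/riscv/Kconfig hunk, the two `$(cc-option,...)` probes on the `depends on 64BIT` line are evaluated independently, so `-fcf-protection=full` is tested with no `-march` string at all, and the `-march=rv64ima_zicfiss` probe names only the shadow stack extension although the help text also promises landing pads. Going by the requirement listed in the reply, a single probe that passes `-mabi=lp64`, a `-march` string containing both `_zicfilp` and `_zicfiss`, and `-fcf-protection=full` together would test what the option actually needs. Separately, the entry declares its type twice (`def_bool y` followed by `bool "..."`) and the help text ends with a stray `default y.` line; a plain `bool` prompt with a `default y` attribute above `help` would state this once.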
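Review bot: the commit message describes the Kconfig selects but never mentions the new arch/riscv/configs/hardening.config fragment added in the second hunk, and since the Kconfig entry already uses `def_bool y`, the `CONFIG_RISCV_USER_CFI=y` line changes nothing on a build where the dependencies are met. Either explain in the changelog what the fragment is for, or make the Kconfig option default to off so that the fragment is the thing that opts in. Note also that when the toolchain probes in the `depends on` line fail, the fragment cannot enable the option, so a hardening build would lose user CFI without any visible signal.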
