On Tue, Nov 11, 2025 at 01:58:37PM +0800, Zong Li wrote:
On Fri, Oct 24, 2025 at 12:51 AM Deepak Gupta via B4 Relay
<[email protected]> wrote:
From: Deepak Gupta <[email protected]>
This patch creates a config for shadow stack support and landing pad instr
support. Shadow stack support and landing instr support can be enabled by
selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires
up path to enumerate CPU support and if cpu support exists, kernel will
support cpu assisted user mode cfi.
If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.
Reviewed-by: Zong Li <[email protected]>
Signed-off-by: Deepak Gupta <[email protected]>
---
arch/riscv/Kconfig | 22 ++++++++++++++++++++++
arch/riscv/configs/hardening.config | 4 ++++
2 files changed, 26 insertions(+)
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 0c6038dc5dfd..4f9f9358e6e3 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -1146,6 +1146,28 @@ config RANDOMIZE_BASE
If unsure, say N.
+config RISCV_USER_CFI
+ def_bool y
+ bool "riscv userspace control flow integrity"
+ depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss) && \
+ $(cc-option,-fcf-protection=full)
Hi Deepak,
I noticed that you added a $(cc-option,-fcf-protection=full) check in
this version. I think this check will fail by a cc1 warning when using
a newer toolchain, because -fcf-protection cannot be used alone, it
must be specified together with the appropriate -march option.
For example:
1. -fcf-protection=branch requires -march=..._zicfilp
2. -fcf-protection=return requires -march=..._zicfiss
3. -fcf-protection=full requires -march=..._zicfilp_zicfiss
toolchain that I have from June doesn't require -march=..._zicfilp_zicfiss
for -fcf-protection=full. If that has changed, I think this will need a
revision.
+ depends on RISCV_ALTERNATIVE
+ select RISCV_SBI
+ select ARCH_HAS_USER_SHADOW_STACK
+ select ARCH_USES_HIGH_VMA_FLAGS
+ select DYNAMIC_SIGFRAME
+ help
+ Provides CPU assisted control flow integrity to userspace tasks.
+ Control flow integrity is provided by implementing shadow stack for
+ backward edge and indirect branch tracking for forward edge in
program.
+ Shadow stack protection is a hardware feature that detects function
+ return address corruption. This helps mitigate ROP attacks.
+ Indirect branch tracking enforces that all indirect branches must land
+ on a landing pad instruction else CPU will fault. This mitigates
against
+ JOP / COP attacks. Applications must be enabled to use it, and old
user-
+ space does not get protection "for free".
+ default y.
+
endmenu # "Kernel features"
menu "Boot options"
diff --git a/arch/riscv/configs/hardening.config
b/arch/riscv/configs/hardening.config
new file mode 100644
index 000000000000..089f4cee82f4
--- /dev/null
+++ b/arch/riscv/configs/hardening.config
@@ -0,0 +1,4 @@
+# RISCV specific kernel hardening options
+
+# Enable control flow integrity support for usermode.
+CONFIG_RISCV_USER_CFI=y
--
2.43.0
