Re: [PATCH v24 25/28] riscv: create a config for shadow stack and landing pad instr support

Fri, 05 Dec 2025 10:33:27 -0800 

On Thu, Dec 04, 2025 at 02:17:27PM -0800, Randy Dunlap wrote:



On 12/4/25 12:04 PM, Deepak Gupta wrote:

This patch creates a config for shadow stack support and landing pad instr
support. Shadow stack support and landing instr support can be enabled by
selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires
up path to enumerate CPU support and if cpu support exists, kernel will
support cpu assisted user mode cfi.

If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.

Reviewed-by: Zong Li <[email protected]>
Tested-by: Andreas Korb <[email protected]>
Tested-by: Valentin Haudiquet <[email protected]>
Signed-off-by: Deepak Gupta <[email protected]>
---
 arch/riscv/Kconfig                  | 22 ++++++++++++++++++++++
 arch/riscv/configs/hardening.config |  4 ++++
 2 files changed, 26 insertions(+)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 0c6038dc5dfd..f5574c6f66d8 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -1146,6 +1146,28 @@ config RANDOMIZE_BASE

           If unsure, say N.

+config RISCV_USER_CFI
+       def_bool y
+       bool "riscv userspace control flow integrity"
+       depends on 64BIT && \
+               $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss_zicfilp 
-fcf-protection=full)
+       depends on RISCV_ALTERNATIVE
+       select RISCV_SBI
+       select ARCH_HAS_USER_SHADOW_STACK
+       select ARCH_USES_HIGH_VMA_FLAGS
+       select DYNAMIC_SIGFRAME
+       help
+         Provides CPU assisted control flow integrity to userspace tasks.


                   CPU-assisted


+         Control flow integrity is provided by implementing shadow stack for
+         backward edge and indirect branch tracking for forward edge in 
program.
+         Shadow stack protection is a hardware feature that detects function
+         return address corruption. This helps mitigate ROP attacks.
+         Indirect branch tracking enforces that all indirect branches must land
+         on a landing pad instruction else CPU will fault. This mitigates 
against
+         JOP / COP attacks. Applications must be enabled to use it, and old 
user-
+         space does not get protection "for free".
+         default y.


          Default is y if hardware supports it.
?


No default Y means support is built in the kernel for cfi.
If hardware doesn't support CFI instructions, then kernel will do following

- prctls to manage shadow stack/landing pad enable/disable will fail.
- vDSO will not have shadow stack instructions in it.





+
 endmenu # "Kernel features"



--
~Randy

























					Reply via email to