diff options
| author | Deepak Gupta <debug@rivosinc.com> | 2026-01-25 21:09:56 -0700 |
|---|---|---|
| committer | Paul Walmsley <pjw@kernel.org> | 2026-01-29 02:38:40 -0700 |
| commit | 22c1e263af2ac7dad3d2af258336318ee4c4a0ae (patch) | |
| tree | bdae1dbe808a6a4c4b1ffd25feaf549ff2755765 | |
| parent | ccad8c1336b6511e3c7ca5c02f797b1fd2cf67e1 (diff) | |
riscv: create a Kconfig fragment for shadow stack and landing pad support
This patch creates a Kconfig fragment for shadow stack support and
landing pad instruction support. Shadow stack support and landing pad
instruction support can be enabled by selecting
'CONFIG_RISCV_USER_CFI'. Selecting 'CONFIG_RISCV_USER_CFI' wires up
the path to enumerate CPU support. If support exists, the kernel will
support CPU-assisted user mode CFI.
If CONFIG_RISCV_USER_CFI is selected, select 'ARCH_USES_HIGH_VMA_FLAGS',
'ARCH_HAS_USER_SHADOW_STACK' and 'DYNAMIC_SIGFRAME' for riscv.
Reviewed-by: Zong Li <zong.li@sifive.com>
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6
Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com>
Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-25-b55691eacf4f@rivosinc.com
[pjw@kernel.org: cleaned up patch description, Kconfig text; added CONFIG_MMU exclusion]
Signed-off-by: Paul Walmsley <pjw@kernel.org>
| -rw-r--r-- | arch/riscv/Kconfig | 22 | ||||
| -rw-r--r-- | arch/riscv/configs/hardening.config | 4 |
2 files changed, 26 insertions, 0 deletions
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 6b39f37f769a..7e76b6316425 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -1162,6 +1162,28 @@ config RANDOMIZE_BASE If unsure, say N. +config RISCV_USER_CFI + def_bool y + bool "riscv userspace control flow integrity" + depends on 64BIT && MMU && \ + $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss_zicfilp -fcf-protection=full) + depends on RISCV_ALTERNATIVE + select RISCV_SBI + select ARCH_HAS_USER_SHADOW_STACK + select ARCH_USES_HIGH_VMA_FLAGS + select DYNAMIC_SIGFRAME + help + Provides CPU-assisted control flow integrity to userspace tasks. + Control flow integrity is provided by implementing shadow stack for + backward edge and indirect branch tracking for forward edge. + Shadow stack protection is a hardware feature that detects function + return address corruption. This helps mitigate ROP attacks. + Indirect branch tracking enforces that all indirect branches must land + on a landing pad instruction else CPU will fault. This mitigates against + JOP / COP attacks. Applications must be enabled to use it, and old userspace + does not get protection "for free". + default y. + endmenu # "Kernel features" menu "Boot options" diff --git a/arch/riscv/configs/hardening.config b/arch/riscv/configs/hardening.config new file mode 100644 index 000000000000..089f4cee82f4 --- /dev/null +++ b/arch/riscv/configs/hardening.config @@ -0,0 +1,4 @@ +# RISCV specific kernel hardening options + +# Enable control flow integrity support for usermode. +CONFIG_RISCV_USER_CFI=y |