Commit 22c1e263 authored by Deepak Gupta, committed by Paul Walmsley

riscv: create a Kconfig fragment for shadow stack and landing pad support



This patch creates a Kconfig fragment for shadow stack support and
landing pad instruction support. Shadow stack support and landing pad
instruction support can be enabled by selecting
'CONFIG_RISCV_USER_CFI'. Selecting 'CONFIG_RISCV_USER_CFI' wires up
the path to enumerate CPU support.  If support exists, the kernel will
support CPU-assisted user mode CFI.

If CONFIG_RISCV_USER_CFI is selected, select 'ARCH_USES_HIGH_VMA_FLAGS',
'ARCH_HAS_USER_SHADOW_STACK' and 'DYNAMIC_SIGFRAME' for riscv.

Reviewed-by: Zong Li <zong.li@sifive.com>
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6
Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com>
Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-25-b55691eacf4f@rivosinc.com


[pjw@kernel.org: cleaned up patch description, Kconfig text; added CONFIG_MMU exclusion]
Signed-off-by: Paul Walmsley <pjw@kernel.org>
parent ccad8c13
+22 −0
@@ -1162,6 +1162,28 @@ config RANDOMIZE_BASE

          If unsure, say N.

config RISCV_USER_CFI
	def_bool y
	bool "riscv userspace control flow integrity"
	depends on 64BIT && MMU && \
		$(cc-option,-mabi=lp64 -march=rv64ima_zicfiss_zicfilp -fcf-protection=full)
	depends on RISCV_ALTERNATIVE
	select RISCV_SBI
	select ARCH_HAS_USER_SHADOW_STACK
	select ARCH_USES_HIGH_VMA_FLAGS
	select DYNAMIC_SIGFRAME
	help
	  Provides CPU-assisted control flow integrity to userspace tasks.
	  Control flow integrity is provided by implementing shadow stack for
	  backward edge and indirect branch tracking for forward edge.
	  Shadow stack protection is a hardware feature that detects function
	  return address corruption. This helps mitigate ROP attacks.
	  Indirect branch tracking enforces that all indirect branches must land
	  on a landing pad instruction else CPU will fault. This mitigates against
	  JOP / COP attacks. Applications must be enabled to use it, and old userspace
	  does not get protection "for free".
	  default y.

endmenu # "Kernel features"

menu "Boot options"
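Review bot: The new `RISCV_USER_CFI` entry declares its type twice, with `def_bool y` immediately followed by `bool "riscv userspace control flow integrity"`, and its help text ends with a stray "default y." line that reads like a misplaced Kconfig statement rather than documentation. Suggest a single `bool "..."` prompt with an explicit `default y` placed before `help`, and dropping the last help line. Two smaller points: `select RISCV_SBI` is not among the selects listed in the commit description, so a word on why it is needed would help; and the help text could say what a user sees when the `cc-option` test for `-march=rv64ima_zicfiss_zicfilp -fcf-protection=full` fails, since in that case the option is silently unavailable.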
+4 −0
# RISCV specific kernel hardening options

# Enable control flow integrity support for usermode.
CONFIG_RISCV_USER_CFI=y
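Review bot: `CONFIG_RISCV_USER_CFI=y` in this fragment repeats what the Kconfig entry in the same patch already gives by default through `def_bool y`, so merging the fragment changes nothing unless the base config turned the option off. Either note in the comment that the line pins the option regardless of the default, or make the Kconfig default off and let this fragment be the opt-in, which would also match the commit description's wording that support "can be enabled by selecting" the option. The comment could also mention that the setting only takes effect when the toolchain and the other dependencies of `RISCV_USER_CFI` are satisfied.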