[PATCH v24 25/28] riscv: create a config for shadow stack and landing pad instr support

Fri Dec 5 11:41:58 PST 2025

On 12/5/25 10:24 AM, Deepak Gupta wrote:
> On Thu, Dec 04, 2025 at 02:17:27PM -0800, Randy Dunlap wrote:
>>
>>
>> On 12/4/25 12:04 PM, Deepak Gupta wrote:
>>> This patch creates a config for shadow stack support and landing pad instr
>>> support. Shadow stack support and landing instr support can be enabled by
>>> selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires
>>> up path to enumerate CPU support and if cpu support exists, kernel will
>>> support cpu assisted user mode cfi.
>>>
>>> If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
>>> `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.
>>>
>>> Reviewed-by: Zong Li <zong.li at sifive.com>
>>> Tested-by: Andreas Korb <andreas.korb at aisec.fraunhofer.de>
>>> Tested-by: Valentin Haudiquet <valentin.haudiquet at canonical.com>
>>> Signed-off-by: Deepak Gupta <debug at rivosinc.com>
>>> ---
>>>  arch/riscv/Kconfig                  | 22 ++++++++++++++++++++++
>>>  arch/riscv/configs/hardening.config |  4 ++++
>>>  2 files changed, 26 insertions(+)
>>>
>>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>>> index 0c6038dc5dfd..f5574c6f66d8 100644
>>> --- a/arch/riscv/Kconfig
>>> +++ b/arch/riscv/Kconfig
>>> @@ -1146,6 +1146,28 @@ config RANDOMIZE_BASE
>>>
>>>            If unsure, say N.
>>>
>>> +config RISCV_USER_CFI
>>> +    def_bool y
>>> +    bool "riscv userspace control flow integrity"
>>> +    depends on 64BIT && \
>>> +        $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss_zicfilp -fcf-protection=full)
>>> +    depends on RISCV_ALTERNATIVE
>>> +    select RISCV_SBI
>>> +    select ARCH_HAS_USER_SHADOW_STACK
>>> +    select ARCH_USES_HIGH_VMA_FLAGS
>>> +    select DYNAMIC_SIGFRAME
>>> +    help
>>> +      Provides CPU assisted control flow integrity to userspace tasks.
>>
>>                CPU-assisted
>>
>>> +      Control flow integrity is provided by implementing shadow stack for
>>> +      backward edge and indirect branch tracking for forward edge in program.
>>> +      Shadow stack protection is a hardware feature that detects function
>>> +      return address corruption. This helps mitigate ROP attacks.
>>> +      Indirect branch tracking enforces that all indirect branches must land
>>> +      on a landing pad instruction else CPU will fault. This mitigates against
>>> +      JOP / COP attacks. Applications must be enabled to use it, and old user-
>>> +      space does not get protection "for free".
>>> +      default y.
>>
>>       Default is y if hardware supports it.
>> ?
> 
> No default Y means support is built in the kernel for cfi.

  (if the compiler supports it?)

> If hardware doesn't support CFI instructions, then kernel will do following
> 
> - prctls to manage shadow stack/landing pad enable/disable will fail.
> - vDSO will not have shadow stack instructions in it.

Thanks for the info.

-- 
~Randy