From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
To: Deepak Gupta <debug@rivosinc.com>
Cc: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-kbuild@vger.kernel.org, linux-mm@kvack.org,
llvm@lists.linux.dev, rick.p.edgecombe@intel.com,
broonie@kernel.org, cleger@rivosinc.com, samitolvanen@google.com,
apatel@ventanamicro.com, ajones@ventanamicro.com,
conor.dooley@microchip.com, charlie@rivosinc.com,
samuel.holland@sifive.com, bjorn@rivosinc.com,
fweimer@redhat.com, jeffreyalaw@gmail.com, andrew@sifive.com,
ved@rivosinc.com, Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>,
Masahiro Yamada <masahiroy@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Andrew Morton <akpm@linux-foundation.org>,
David Hildenbrand <david@redhat.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>, Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Monk Chiang <monk.chiang@sifive.com>,
Kito Cheng <kito.cheng@sifive.com>,
Justin Stitt <justinstitt@google.com>
Subject: Re: [PATCH 11/11] riscv: Kconfig & Makefile for riscv kernel control flow integrity
Date: Fri, 25 Jul 2025 13:26:44 +0200
Message-ID: <b50da4ef-53ca-4edf-bd74-f5e037a14f99@canonical.com>
In-Reply-To: <20250724-riscv_kcfi-v1-11-04b8fa44c98c@rivosinc.com>

On 25.07.25 01:37, Deepak Gupta wrote:
> Defines `CONFIG_RISCV_KERNEL_CFI` and selects SHADOW_CALL_STACK
> and ARCH_HAS_KERNEL_SHADOW_STACK both so that zicfiss can be wired up.
>
> Makefile checks if CONFIG_RISCV_KERNEL_CFI is enabled, then light
> up zicfiss and zicfilp compiler flags. CONFIG_RISCV_KERNEL_CFI is
> dependent on CONFIG_RISCV_USER_CFI. There is no reason for user to
> not select support for user cfi while enabling for kernel.
>
> compat vdso don't need fcf-protection (toolchain lacks support).
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
> arch/riscv/Kconfig | 37 +++++++++++++++++++++++++++++++++-
> arch/riscv/Makefile | 8 ++++++++
> arch/riscv/kernel/compat_vdso/Makefile | 2 +-
> arch/riscv/kernel/vdso/Makefile | 2 +-
> 4 files changed, 46 insertions(+), 3 deletions(-)
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index 385c3d93e378..305ba5787f74 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -245,7 +245,7 @@ config GCC_SUPPORTS_DYNAMIC_FTRACE
> depends on CC_HAS_MIN_FUNCTION_ALIGNMENT || !RISCV_ISA_C
>
> config HAVE_SHADOW_CALL_STACK
> - def_bool $(cc-option,-fsanitize=shadow-call-stack)
> + def_bool $(cc-option,-fsanitize=shadow-call-stack) || $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss)
> # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
> depends on $(ld-option,--no-relax-gp)
>
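Review bot: the cc-option alternative added to the def_bool line of HAVE_SHADOW_CALL_STACK has no 64BIT guard, unlike the TOOLCHAIN_HAS_ZICFILP and TOOLCHAIN_HAS_ZICFISS probes added further down in this file, so the symbol could become y on a configuration where neither `-fsanitize=shadow-call-stack` nor the rv64 CFI extensions apply. The entry also keeps `depends on $(ld-option,--no-relax-gp)`, while the arch/riscv/Makefile change in this patch stops passing `--no-relax-gp` when ARCH_HAS_KERNEL_SHADOW_STACK is set; if the hardware path does not need that linker option, a separate symbol for the hardware case would express the requirement more accurately than OR-ing it into the software one.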
> @@ -864,6 +864,16 @@ config RISCV_ISA_ZICBOP
>
> If you don't know what to do here, say Y.
>
> +config TOOLCHAIN_HAS_ZICFILP
> + bool
> + default y
> + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp)
> +
> +config TOOLCHAIN_HAS_ZICFISS
> + bool
> + default y
> + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss)
> +
> config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI
> def_bool y
> # https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc
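Review bot: TOOLCHAIN_HAS_ZICFILP and TOOLCHAIN_HAS_ZICFISS are defined here, but the RISCV_KERNEL_CFI entry added later in this file repeats its own probe, `$(cc-option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss)`, instead of depending on them, so the toolchain requirement is stated in three places. Consider `depends on TOOLCHAIN_HAS_ZICFILP && TOOLCHAIN_HAS_ZICFISS` in RISCV_KERNEL_CFI and dropping the combined probe there. A short comment naming the minimum compiler release that accepts these -march strings would also help, in the same way the neighbouring TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI entry carries a reference.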
> @@ -1182,6 +1192,31 @@ config RISCV_USER_CFI
> space does not get protection "for free".
> default n.
>
> +config RISCV_KERNEL_CFI
> + def_bool n
> + bool "hw assisted riscv kernel control flow integrity (kcfi)"
> + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss)
> + depends on RISCV_USER_CFI
> + select ARCH_SUPPORTS_SHADOW_CALL_STACK
> + select SHADOW_CALL_STACK
> + select ARCH_HAS_KERNEL_SHADOW_STACK
> + help
> + Provides CPU assisted control flow integrity to for riscv kernel.
> + Control flow integrity is provided by implementing shadow stack for
> + backward edge and indirect branch tracking for forward edge. Shadow
> + stack protection is a hardware feature that detects function return
> + address corruption. This helps mitigate ROP attacks. RISCV_KERNEL_CFI
> + selects CONFIG_SHADOW_CALL_STACK which uses software based shadow
> + stack but is unprotected against stray writes. Selecting RISCV_KERNEL_CFI
> + will select CONFIG_DYNAMIC_SCS and will enable hardware assisted shadow
> + stack protection against stray writes.

Please, consider adding a blank line for better readability.

> + Indirect branch tracking enforces that all indirect branches must land
> + on a landing pad instruction else CPU will fault. This enables forward
> + control flow (call/jmp) protection in kernel and restricts all indirect
> + call or jump in kernel to a landing pad instruction which mostly likely
> + will be start of the function.
> + default n

For Linux distributions it is important that the same kernel can run
on hardware both with and without CFI support. The description
provided does not help to understand if RISCV_KERNEL_CFI=y will result
in such a kernel. Please, enumerate the minimum set of extensions needed
for supporting a kernel built with RISCV_KERNEL_CFI=y. I guess this will
at least include Zimop.

Best regards

Heinrich

> +
> endmenu # "Kernel features"
>
> menu "Boot options"
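Review bot: the help text of RISCV_KERNEL_CFI says selecting it "will select CONFIG_DYNAMIC_SCS", but the entry's select lines name only ARCH_SUPPORTS_SHADOW_CALL_STACK, SHADOW_CALL_STACK and ARCH_HAS_KERNEL_SHADOW_STACK; either add the select or correct the text so the documented behaviour matches the entry. The type and default are also declared more than once (`def_bool n`, then `bool "hw assisted riscv kernel control flow integrity (kcfi)"`, then `default n` after the help text); the `bool "..."` line alone is enough, since a bool without a default is already n. The help text has two typos as well: "to for riscv kernel" and "mostly likely".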
> diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
> index 7128df832b28..6ef30a3d2bc4 100644
> --- a/arch/riscv/Makefile
> +++ b/arch/riscv/Makefile
> @@ -61,8 +61,10 @@ else ifeq ($(CONFIG_LTO_CLANG),y)
> endif
>
> ifeq ($(CONFIG_SHADOW_CALL_STACK),y)
> +ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> KBUILD_LDFLAGS += --no-relax-gp
> endif
> +endif
>
> # ISA string setting
> riscv-march-$(CONFIG_ARCH_RV32I) := rv32ima
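Review bot: the new `ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK` guard around `KBUILD_LDFLAGS += --no-relax-gp` has no comment, and the commit message does not say why the option can be dropped once the hardware shadow stack is configured. Please add a line above the ifndef stating the reason. It is also worth confirming how this interacts with the Kconfig side of the patch: HAVE_SHADOW_CALL_STACK still depends on `$(ld-option,--no-relax-gp)`, and the RISCV_KERNEL_CFI help text describes CONFIG_SHADOW_CALL_STACK as a software shadow stack, so the reader cannot tell from these lines whether a kernel built this way ever runs the software scheme without the linker option.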
> @@ -91,6 +93,12 @@ riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZABHA) := $(riscv-march-y)_zabha
> KBUILD_BASE_ISA = -march=$(shell echo $(riscv-march-y) | sed -E 's/(rv32ima|rv64ima)fd([^v_]*)v?/\1\2/')
> export KBUILD_BASE_ISA
>
> +ifeq ($(CONFIG_RISCV_KERNEL_CFI),y)
> +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFILP) := $(riscv-march-y)_zicfilp
> +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFISS) := $(riscv-march-y)_zicfiss
> +KBUILD_CFLAGS += -fcf-protection=full
> +KBUILD_AFLAGS += -fcf-protection=full
> +endif
> # Remove F,D,V from isa string for all. Keep extensions between "fd" and "v" by
> # matching non-v and non-multi-letter extensions out with the filter ([^v_]*)
> KBUILD_CFLAGS += $(KBUILD_BASE_ISA)
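Review bot: the two `riscv-march-$(CONFIG_TOOLCHAIN_HAS_...)` additions are placed after `KBUILD_BASE_ISA = ...` and `export KBUILD_BASE_ISA`, so they reach the ISA string only because KBUILD_BASE_ISA is assigned with `=` and expanded later at `KBUILD_CFLAGS += $(KBUILD_BASE_ISA)`. Moving them up next to the existing `riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZABHA)` line would keep all ISA string construction in one place and would not break if the assignment ever became `:=`. Separately, `-fcf-protection=full` is added to KBUILD_CFLAGS and KBUILD_AFLAGS without any probe; the Kconfig part of this patch tests only the -march strings, so a cc-option check for this flag would be consistent. A blank line between `endif` and the following comment would match the surrounding layout.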
> diff --git a/arch/riscv/kernel/compat_vdso/Makefile b/arch/riscv/kernel/compat_vdso/Makefile
> index 24e37d1ef7ec..552131bc34d7 100644
> --- a/arch/riscv/kernel/compat_vdso/Makefile
> +++ b/arch/riscv/kernel/compat_vdso/Makefile
> @@ -69,4 +69,4 @@ quiet_cmd_compat_vdsold = VDSOLD $@
>
> # actual build commands
> quiet_cmd_compat_vdsoas = VDSOAS $@
> - cmd_compat_vdsoas = $(COMPAT_CC) $(a_flags) $(COMPAT_CC_FLAGS) -c -o $@ $<
> + cmd_compat_vdsoas = $(COMPAT_CC) $(filter-out -fcf-protection=full, $(a_flags)) $(COMPAT_CC_FLAGS) -c -o $@ $<
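Review bot: the `$(filter-out -fcf-protection=full, $(a_flags))` in cmd_compat_vdsoas hard-codes the exact flag value that arch/riscv/Makefile adds, so the filter silently stops matching if that value is ever changed there. A pattern such as `-fcf-protection=%`, or a shared variable holding the flag, would keep the two files in step. The reason given in the commit message (the toolchain lacks support for the compat vdso) belongs in a comment next to this line, since the Makefile itself gives no hint why the flag is removed.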
> diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
> index 2b528d82fa7d..7b1446b63ebc 100644
> --- a/arch/riscv/kernel/vdso/Makefile
> +++ b/arch/riscv/kernel/vdso/Makefile
> @@ -17,7 +17,7 @@ ifdef CONFIG_VDSO_GETRANDOM
> vdso-syms += getrandom
> endif
>
> -ifdef CONFIG_RISCV_USER_CFI
> +ifneq ($(CONFIG_RISCV_USER_CFI), $(CONFIG_RISCV_KERNEL_CFI))
> CFI_MARCH = _zicfilp_zicfiss
> CFI_FULL = -fcf-protection=full
> endif
>
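Review bot: the condition `ifneq ($(CONFIG_RISCV_USER_CFI), $(CONFIG_RISCV_KERNEL_CFI))` only means "user CFI enabled and kernel CFI disabled" because RISCV_KERNEL_CFI depends on RISCV_USER_CFI in Kconfig; read on its own it looks like a plain inequality test and would also be true for the reverse combination if that dependency changed. Spelling the intent out with `ifdef CONFIG_RISCV_USER_CFI` and a nested `ifndef CONFIG_RISCV_KERNEL_CFI`, plus a comment that CFI_MARCH and CFI_FULL are left empty when the kernel-wide flags already carry the CFI options, would make this easier to maintain.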