[PATCH v9 21/26] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c | 4 arch/riscv

[PATCH v9 26/26] kselftest/riscv: kselftest for user mode cfi

indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """ Signed-off-by: Deepak Gupta

[PATCH v9 11/26] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h | 25 arch/riscv/k

[PATCH v9 20/26] riscv: Add Firmware Feature SBI extensions definitions

From: Clément Léger Add necessary SBI definitions to use the FWFT extension. Signed-off-by: Clément Léger --- arch/riscv/include/asm/sbi.h | 26 ++ 1 file changed, 26 insertions(+) diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h index 3d2508241

[PATCH v9 13/26] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Signed-off-by: Deepak Gupta Reviewed-by: Mark Brown --- arch/riscv/include/asm/usercfi.h | 16 - arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5 +++ arch/riscv

Re: [PATCH v9 03/26] riscv: zicfiss / zicfilp enumeration

On Thu, Feb 06, 2025 at 02:50:29PM +0100, Clément Léger wrote: On 05/02/2025 02:21, Deepak Gupta wrote: This patch adds support for detecting zicfiss and zicfilp. zicfiss and zicfilp stands for unprivleged integer spec extension for shadow stack and branch tracking on indirect branches

Re: [PATCH v9 01/26] mm: helper `is_shadow_stack_vma` to check shadow stack vma

On Fri, Feb 07, 2025 at 10:27:10AM +0100, Vlastimil Babka wrote: On 2/5/25 02:21, Deepak Gupta wrote: VM_SHADOW_STACK (alias to VM_HIGH_ARCH_5) is used to encode shadow stack I see that arm GCS uses VM_HIGH_ARCH_6. VMA on three architectures (x86 shadow stack, arm GCS and RISC-V shadow

Re: [PATCH v9 01/26] mm: helper `is_shadow_stack_vma` to check shadow stack vma

On Fri, Feb 07, 2025 at 08:06:59PM +, Mark Brown wrote: On Fri, Feb 07, 2025 at 10:27:10AM +0100, Vlastimil Babka wrote: On 2/5/25 02:21, Deepak Gupta wrote: > VM_SHADOW_STACK (alias to VM_HIGH_ARCH_5) is used to encode shadow stack I see that arm GCS uses VM_HIGH_ARCH_6. That&#x

Re: [PATCH v9 01/26] mm: helper `is_shadow_stack_vma` to check shadow stack vma

On Fri, Feb 07, 2025 at 10:27:10AM +0100, Vlastimil Babka wrote: On 2/5/25 02:21, Deepak Gupta wrote: VM_SHADOW_STACK (alias to VM_HIGH_ARCH_5) is used to encode shadow stack I see that arm GCS uses VM_HIGH_ARCH_6. Stale commit message. I thought I had fixed it. Sorry about that, will fix

Re: [PATCH v9 14/26] riscv/traps: Introduce software check exception

Hi Clement, Thanks for looking at it. Inline On Thu, Feb 06, 2025 at 02:49:09PM +0100, Clément Léger wrote: On 05/02/2025 02:22, Deepak Gupta wrote: zicfiss / zicfilp introduces a new exception to priv isa `software check exception` with cause code = 18. This patch implements software check

Re: [PATCH v9 01/26] mm: helper `is_shadow_stack_vma` to check shadow stack vma

On Fri, Feb 07, 2025 at 03:44:27PM -0800, Deepak Gupta wrote: On Fri, Feb 07, 2025 at 10:27:10AM +0100, Vlastimil Babka wrote: On 2/5/25 02:21, Deepak Gupta wrote: VM_SHADOW_STACK (alias to VM_HIGH_ARCH_5) is used to encode shadow stack I see that arm GCS uses VM_HIGH_ARCH_6. VMA on three

[PATCH v10 08/27] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 17 + 2 files changed, 24 insertions(+) diff --git a/arch/riscv

[PATCH v10 07/27] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10 insertions(+) diff

[PATCH v10 06/27] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 25 + arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 10 ++ arch/riscv/mm/init.c | 2 +- 4 files changed, 37 insertions(+), 1 deletion(-) diff --git a

[PATCH v10 10/27] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

[PATCH v10 09/27] riscv mmu: write protect and shadow stack

mless. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index ccd2fa34afb8..54707686f042 100644 --- a

[PATCH v10 12/27] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18 ++- arch/riscv/kernel

[PATCH v10 13/27] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Signed-off-by: Deepak Gupta Reviewed-by: Mark Brown --- arch/riscv/include/asm/usercfi.h | 16 - arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5 +++ arch/riscv

[PATCH v10 11/27] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h | 25 arch/riscv/k

[PATCH v10 16/27] riscv/signal: save and restore of shadow stack for signal

and a magic identifier of the extension. Then, the extensions body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 10 arch/riscv/include/uapi/asm/ptrace.h | 4 ++ arch/

[PATCH v10 14/27] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2 ++ arch/riscv/kernel

[PATCH v10 15/27] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v10 17/27] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v10 18/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files

allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface. It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h | 18

[PATCH v10 19/27] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm/hwprobe.h b/arch/riscv

[PATCH v10 20/27] riscv: Add Firmware Feature SBI extensions definitions

From: Clément Léger Add necessary SBI definitions to use the FWFT extension. Signed-off-by: Clément Léger --- arch/riscv/include/asm/sbi.h | 26 ++ 1 file changed, 26 insertions(+) diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h index 3d2508241

[PATCH v10 22/27] riscv: kernel command line option to opt out of user cfi

This commit adds a kernel command line option using which user cfi can be disabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/usercfi.c | 21 + 1 file changed, 21 insertions(+) diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c index 6e561256bfaf

[PATCH v10 26/27] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 176 +++ 2 files

[PATCH v10 23/27] arch/riscv: compile vdso with landing pad

: Deepak Gupta --- arch/riscv/Makefile | 7 +- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 8 +++ arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S | 4 arch

[PATCH v10 25/27] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfilp.rst | 115

[PATCH v10 27/27] kselftest/riscv: kselftest for user mode cfi

indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """ Signed-off-by: Deepak Gupta

[PATCH v10 00/27] riscv control-flow integrity for usermode

scv. --- --- Andy Chiu (1): riscv: signal: abstract header saving for setup_sigcontext Clément Léger (1): riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta (24): mm: VM_SHADOW_STACK definition for riscv dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extens

[PATCH v10 02/27] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta Acked-by: Rob Herring (Arm) --- Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml

[PATCH v10 05/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Signed-off-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/thread_info.h | 3 +++

[PATCH v10 03/27] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 13 + arch/riscv/include/asm/hwcap.h | 2 ++ arch/riscv/include/asm

[PATCH v10 04/27] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v10 01/27] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7b1068ddcbb7..1ef231cbc8fe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -378,6 +378,13

Re: [PATCH v2 14/15] RISC-V: KVM: add support for FWFT SBI extension

On Tue, Feb 11, 2025 at 11:31:28AM +0100, Clément Léger wrote: On 11/02/2025 06:43, Deepak Gupta wrote: +static int kvm_sbi_fwft_get(struct kvm_vcpu *vcpu, unsigned long feature, +    unsigned long *value) +{ +    int ret; +    struct kvm_sbi_fwft_config *conf; + +    ret

Re: [PATCH v2 14/15] RISC-V: KVM: add support for FWFT SBI extension

On Mon, Feb 10, 2025 at 10:35:47PM +0100, Clément Léger wrote: Add basic infrastructure to support the FWFT extension in KVM. Signed-off-by: Clément Léger --- arch/riscv/include/asm/kvm_host.h | 4 + arch/riscv/include/asm/kvm_vcpu_sbi.h | 1 + arch/riscv/include/asm/kvm_vcpu_sb

Re: [PATCH v2 01/15] riscv: add Firmware Feature (FWFT) SBI extensions definitions

_feature { #define SBI_ERR_ALREADY_STARTED -7 #define SBI_ERR_ALREADY_STOPPED -8 #define SBI_ERR_NO_SHMEM-9 +#define SBI_ERR_INVALID_STATE -10 +#define SBI_ERR_BAD_RANGE -11 +#define SBI_ERR_TIMEOUT-12 nit: Space mis-aligned(^) ^ otherwise Reviewed-by: Deepak Gupta +

Re: [PATCH v2 14/15] RISC-V: KVM: add support for FWFT SBI extension

On Mon, Feb 10, 2025 at 10:35:47PM +0100, Clément Léger wrote: Add basic infrastructure to support the FWFT extension in KVM. Signed-off-by: Clément Léger --- arch/riscv/include/asm/kvm_host.h | 4 + arch/riscv/include/asm/kvm_vcpu_sbi.h | 1 + arch/riscv/include/asm/kvm_vcpu_sb

Re: [PATCH v2 15/15] RISC-V: KVM: add support for SBI_FWFT_MISALIGNED_DELEG

On Mon, Feb 10, 2025 at 10:35:48PM +0100, Clément Léger wrote: SBI_FWFT_MISALIGNED_DELEG needs hedeleg to be modified to delegate misaligned load/store exceptions. Save and restore it during CPU load/put. Signed-off-by: Clément Léger Reviewed-by: Deepak Gupta --- arch/riscv/kvm/vcpu.c

[PATCH v10 21/27] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c | 4 arch/riscv

[PATCH v10 24/27] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 20 1 file changed, 20 insertions(+) diff --git a

[PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Reviewed-by: Charlie Jenkins Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/inclu

[PATCH v12 07/28] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10

[PATCH v12 00/28] riscv control-flow integrity for usermode

rnel.org/r/20250210-v5_user_cfi_series-v10-0-163dcfa31...@rivosinc.com --- Andy Chiu (1): riscv: signal: abstract header saving for setup_sigcontext Clément Léger (1): riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta (25): mm: VM_SHADOW_STACK definition for ris

[PATCH v12 27/28] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 176

[PATCH v12 09/28] riscv mmu: write protect and shadow stack

mless. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index ccd2fa34afb8..5470768

[PATCH v11 20/27] riscv: Add Firmware Feature SBI extensions definitions

From: Clément Léger Add necessary SBI definitions to use the FWFT extension. Signed-off-by: Clément Léger --- arch/riscv/include/asm/sbi.h | 26 ++ 1 file changed, 26 insertions(+) diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h index 3d2508241

[PATCH v12 28/28] kselftest/riscv: kselftest for user mode cfi

indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """ Signed-off-by: Deepak Gupta

[PATCH v11 24/27] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 20 1 file changed, 20 insertions(+) diff --git a

Re: [PATCH v12 19/28] riscv/ptrace: riscv cfi status and state via ptrace and in core files

On Thu, Mar 20, 2025 at 3:24 PM Radim Krčmář wrote: > > 2025-03-14T14:39:38-07:00, Deepak Gupta : > > Expose a new register type NT_RISCV_USER_CFI for risc-v cfi status and > > state. Intentionally both landing pad and shadow stack status and state > > are rolled into

Re: [PATCH v12 25/28] riscv: create a config for shadow stack and landing pad instr support

On Thu, Mar 20, 2025 at 2:25 PM Radim Krčmář wrote: > > 2025-03-14T14:39:44-07:00, Deepak Gupta : > > This patch creates a config for shadow stack support and landing pad instr > > support. Shadow stack support and landing instr support can be enabled by > > selectin

Re: [PATCH v12 22/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call

On Thu, Mar 20, 2025 at 3:10 PM Radim Krčmář wrote: > > 2025-03-14T14:39:41-07:00, Deepak Gupta : > > Kernel will have to perform shadow stack operations on user shadow stack. > > Like during signal delivery and sigreturn, shadow stack token must be > > created and vali

[PATCH v12 02/28] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta Acked-by: Rob Herring (Arm) --- Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml

[PATCH v12 11/28] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h

[PATCH v12 10/28] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

[PATCH v12 08/28] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 17 + 2 files changed, 24 insertions

[PATCH v12 16/28] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v12 12/28] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18 ++- arch/riscv/kernel

[PATCH v12 14/28] riscv: Implements arch agnostic indirect branch tracking prctls

prctls implemented are: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 16 +++- arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5 +++ arch/riscv/kernel

[PATCH v12 13/28] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Signed-off-by: Deepak Gupta Reviewed-by: Mark Brown --- include/linux/cpu.h| 4 include/uapi/linux/prctl.h | 27 +++ kernel/sys.c | 30

[PATCH v12 15/28] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2

[PATCH v12 17/28] riscv/signal: save and restore of shadow stack for signal

and a magic identifier of the extension. Then, the extensions body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 10 arch/riscv/include/uapi/asm/ptrace.h | 4 ++ arch/

[PATCH v12 21/28] riscv: Add Firmware Feature SBI extensions definitions

From: Clément Léger Add necessary SBI definitions to use the FWFT extension. Signed-off-by: Clément Léger Reviewed-by: Zong Li --- arch/riscv/include/asm/sbi.h | 26 ++ 1 file changed, 26 insertions(+) diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm

[PATCH v12 26/28] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfilp.rst | 115

[PATCH v12 23/28] riscv: kernel command line option to opt out of user cfi

This commit adds a kernel command line option using which user cfi can be disabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/usercfi.c | 21 + 1 file changed, 21 insertions(+) diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c index d31d89618763

[PATCH v12 24/28] arch/riscv: compile vdso with landing pad

Signed-off-by: Deepak Gupta --- arch/riscv/Makefile | 5 +++- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 12 ++ arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S

[PATCH v12 25/28] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 20 1 file changed, 20

[PATCH v12 04/28] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v12 01/28] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7b1068ddcbb7..1ef231cbc8fe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h

[PATCH v12 06/28] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 25 + arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 10 ++ arch/riscv/mm/init.c | 2 +- 4 files changed, 37 insertions(+), 1

[PATCH v12 22/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c

[PATCH v12 03/28] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 13 + arch/riscv/include/asm/hwcap.h | 2 ++ arch

[PATCH v12 19/28] riscv/ptrace: riscv cfi status and state via ptrace and in core files

allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface. It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h | 18

Re: [PATCH v12 13/28] prctl: arch-agnostic prctl for indirect branch tracking

On Wed, Apr 09, 2025 at 10:03:05AM +0200, Alexandre Ghiti wrote: On 14/03/2025 22:39, Deepak Gupta wrote: Three architectures (x86, aarch64, riscv) have support for indirect branch tracking feature in a very similar fashion. On a very high level, indirect branch tracking is a CPU feature where

Re: [PATCH v12 24/28] arch/riscv: compile vdso with landing pad

On Tue, Apr 08, 2025 at 02:45:25PM +0200, Alexandre Ghiti wrote: On 14/03/2025 22:39, Deepak Gupta wrote: From: Jim Shu user mode tasks compiled with zicfilp may call indirectly into vdso (like hwprobe indirect calls). Add landing pad compile support in vdso. vdso with landing pad in it will

Re: [PATCH v12 11/28] riscv/shstk: If needed allocate a new shadow stack on clone

On Tue, Apr 08, 2025 at 12:51:45PM +0200, Alexandre Ghiti wrote: On 14/03/2025 22:39, Deepak Gupta wrote: Userspace specifies CLONE_VM to share address space and spawn new thread. `clone` allow userspace to specify a new stack for new thread. However there is no way to specify new shadow stack

Re: [PATCH v12 03/28] riscv: zicfiss / zicfilp enumeration

On Mon, Apr 07, 2025 at 05:48:27PM +0200, Alexandre Ghiti wrote: On 14/03/2025 22:39, Deepak Gupta wrote: This patch adds support for detecting zicfiss and zicfilp. zicfiss and zicfilp stands for unprivleged integer spec extension for shadow stack and branch tracking on indirect branches

Re: [PATCH v12 10/28] riscv/mm: Implement map_shadow_stack() syscall

On Mon, Apr 07, 2025 at 12:50:35PM +0800, Zong Li wrote: On Sat, Mar 15, 2025 at 5:39 AM Deepak Gupta wrote: As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the existing mmap() and madvise() sysca

[PATCH v11 27/27] kselftest/riscv: kselftest for user mode cfi

indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """ Signed-off-by: Deepak Gupta

[PATCH v11 10/27] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

Re: [PATCH v11 13/27] prctl: arch-agnostic prctl for indirect branch tracking

On Fri, Mar 14, 2025 at 04:25:59PM +0800, Zong Li wrote: On Mon, Mar 10, 2025 at 11:42 PM Deepak Gupta wrote: Three architectures (x86, aarch64, riscv) have support for indirect branch tracking feature in a very similar fashion. On a very high level, indirect branch tracking is a CPU feature

[PATCH v12 18/28] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v12 20/28] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm

Re: [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

On Thu, Apr 10, 2025 at 01:04:39PM +0200, Radim Krčmář wrote: 2025-03-14T14:39:24-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h @@ -62,6 +62,9 @@ struct thread_info { longuser_sp;/* User stack

Re: [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

Sorry forgot to respond to rest of your comments on this thread. On Thu, Apr 10, 2025 at 01:04:39PM +0200, Radim Krčmář wrote: 2025-03-14T14:39:24-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h @@ -62,6 +62,9 @@ struct

Re: [PATCH v12 10/28] riscv/mm: Implement map_shadow_stack() syscall

On Thu, Apr 10, 2025 at 11:56:44AM +0200, Radim Krčmář wrote: 2025-03-14T14:39:29-07:00, Deepak Gupta : As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the existing mmap() and madvise() syscalls

Re: [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

On Thu, Apr 24, 2025 at 02:16:32PM +0200, Radim Krčmář wrote: 2025-04-23T17:23:56-07:00, Deepak Gupta : On Thu, Apr 10, 2025 at 01:04:39PM +0200, Radim Krčmář wrote: 2025-03-14T14:39:24-07:00, Deepak Gupta : diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S @@ -147,6 +147,20

[PATCH v14 03/27] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 12 arch/riscv/include/asm

[PATCH v14 02/27] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta Acked-by: Rob Herring (Arm) --- Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml

[PATCH v14 01/27] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index b7f13f087954..3487f28fa0bf 100644 --- a/include/linux

[PATCH v14 00/27] riscv control-flow integrity for usermode

c.com Changes in v12: - changelog posted just below cover letter - Link to v11: https://lore.kernel.org/r/20250310-v5_user_cfi_series-v11-0-86b36cbfb...@rivosinc.com Changes in v11: - changelog posted just below cover letter - Link to v10: https://lore.kernel.org/r/20250210-v5_user_cfi_series-

[PATCH v14 09/27] riscv mmu: write protect and shadow stack

mless. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 60d4821627d2..4e3431c

[PATCH v14 06/27] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 25 + arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 10 ++ arch/riscv/mm/init.c | 2 +- 4 files

[PATCH v14 04/27] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v14 10/27] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

[PATCH v14 05/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Reviewed-by: Charlie Jenkins Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 +

[PATCH v14 07/27] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10

<    1   2   3   4   5   6   >