[PATCH v14 11/27] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h

[PATCH v14 17/27] riscv/signal: save and restore of shadow stack for signal

and a magic identifier of the extension. Then, the extensions body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 10 arch/riscv/include/uapi/asm/ptrace.h | 4 ++ arch/

[PATCH v14 15/27] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2

[PATCH v14 16/27] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v14 18/27] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v14 26/27] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 179

[PATCH v14 25/27] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfilp.rst | 115

[PATCH v14 22/27] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c

[PATCH v14 24/27] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 20 1 file changed, 20

[PATCH v14 12/27] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 16

[PATCH v14 21/27] riscv: kernel command line option to opt out of user cfi

;bcfi" : Disable backward cfi. - "fcfi" : Disable forward cfi Signed-off-by: Deepak Gupta --- Documentation/admin-guide/kernel-parameters.txt | 8 arch/riscv/include/asm/usercfi.h| 7 +++ arch/riscv/kernel/usercfi.c | 59 +

[PATCH v14 14/27] riscv: Implements arch agnostic indirect branch tracking prctls

prctls implemented are: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 14 +++ arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5

[PATCH v14 13/27] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Reviewed-by: Mark Brown Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- include/linux/cpu.h| 4 include/uapi/linux/prctl.h | 27 +++ kernel/sys.c

[PATCH v14 08/27] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 17 + 2 files changed, 24 insertions

[PATCH v14 20/27] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm

[PATCH v14 23/27] arch/riscv: compile vdso with landing pad

Signed-off-by: Deepak Gupta --- arch/riscv/Makefile | 5 +++- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 6 + arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S

[PATCH v14 19/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files

feature is not allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface . It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h

[PATCH v14 27/27] kselftest/riscv: kselftest for user mode cfi

o ensure shadow stack is indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """

[PATCH v13 13/28] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Reviewed-by: Mark Brown Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- include/linux/cpu.h| 4 include/uapi/linux/prctl.h | 27 +++ kernel/sys.c

[PATCH v13 00/28] riscv control-flow integrity for usermode

w cover letter - Link to v10: https://lore.kernel.org/r/20250210-v5_user_cfi_series-v10-0-163dcfa31...@rivosinc.com --- Andy Chiu (1): riscv: signal: abstract header saving for setup_sigcontext Clément Léger (1): riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta (

[PATCH v13 01/28] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7b1068ddcbb7..1ef231cbc8fe 100644 --- a/include/linux

[PATCH v13 02/28] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta Acked-by: Rob Herring (Arm) --- Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml

[PATCH v13 03/28] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 12 arch/riscv/include/asm

[PATCH v13 15/28] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2

[PATCH v13 28/28] kselftest/riscv: kselftest for user mode cfi

o ensure shadow stack is indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """

[PATCH v13 20/28] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm

[PATCH v13 07/28] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10

[PATCH v13 06/28] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 25 + arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 10 ++ arch/riscv/mm/init.c | 2 +- 4 files

[PATCH v13 11/28] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h

[PATCH v13 12/28] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18

[PATCH v13 14/28] riscv: Implements arch agnostic indirect branch tracking prctls

prctls implemented are: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 16 +++- arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5

[PATCH v13 17/28] riscv/signal: save and restore of shadow stack for signal

and a magic identifier of the extension. Then, the extensions body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 10 arch/riscv/include/uapi/asm/ptrace.h | 4 ++ arch/

[PATCH v13 18/28] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v13 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Reviewed-by: Charlie Jenkins Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 +

[PATCH v13 04/28] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v13 10/28] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

[PATCH v13 09/28] riscv mmu: write protect and shadow stack

mless. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index ccd2fa34afb8..5470768

[PATCH v13 08/28] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 17 + 2 files changed, 24 insertions

[PATCH v13 16/28] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v13 19/28] riscv/ptrace: riscv cfi status and state via ptrace and in core files

feature is not allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface . It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h

[PATCH v13 21/28] riscv: kernel command line option to opt out of user cfi

;bcfi" : Disable backward cfi. - "fcfi" : Disable forward cfi Signed-off-by: Deepak Gupta --- Documentation/admin-guide/kernel-parameters.txt | 8 arch/riscv/include/asm/usercfi.h| 7 +++ arch/riscv/kernel/usercfi.c | 59 +

[PATCH v13 24/28] arch/riscv: compile vdso with landing pad

Signed-off-by: Deepak Gupta --- arch/riscv/Makefile | 5 +++- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 6 + arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S

[PATCH v13 22/28] riscv: Add Firmware Feature SBI extensions definitions

From: Clément Léger Add necessary SBI definitions to use the FWFT extension. Signed-off-by: Clément Léger Reviewed-by: Zong Li --- arch/riscv/include/asm/sbi.h | 26 ++ 1 file changed, 26 insertions(+) diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm

[PATCH v13 25/28] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 20 1 file changed, 20

[PATCH v13 27/28] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 179

[PATCH v13 26/28] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfilp.rst | 115

Re: [PATCH v13 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

On Thu, Apr 24, 2025 at 12:20:20AM -0700, Deepak Gupta wrote: Carves out space in arch specific thread struct for cfi status and shadow stack in usermode on riscv. This patch does following - defines a new structure cfi_status with status bit for cfi feature - defines shadow stack pointer, base

[PATCH v13 23/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c

Re: [PATCH v12 06/28] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

On Thu, Apr 10, 2025 at 12:03:44PM +0200, Radim Krčmář wrote: 2025-03-14T14:39:25-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/mman.h b/arch/riscv/include/asm/mman.h +static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot

Re: [PATCH v12 12/28] riscv: Implements arch agnostic shadow stack prctls

On Thu, Apr 10, 2025 at 11:45:58AM +0200, Radim Krčmář wrote: 2025-03-14T14:39:31-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h @@ -14,7 +15,8 @@ struct kernel_clone_args; struct cfi_status { unsigned long ubcfi_en : 1; /* Enable

Re: [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

On Thu, Apr 24, 2025 at 01:52:43PM +0200, Radim Krčmář wrote: 2025-04-23T17:00:29-07:00, Deepak Gupta : On Thu, Apr 10, 2025 at 01:04:39PM +0200, Radim Krčmář wrote: 2025-03-14T14:39:24-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm

Re: [PATCH v12 12/28] riscv: Implements arch agnostic shadow stack prctls

On Thu, Apr 24, 2025 at 03:36:54PM +0200, Radim Krčmář wrote: 2025-04-23T21:44:09-07:00, Deepak Gupta : On Thu, Apr 10, 2025 at 11:45:58AM +0200, Radim Krčmář wrote: 2025-03-14T14:39:31-07:00, Deepak Gupta : diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h

Re: [PATCH v13 20/28] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

On Thu, Apr 24, 2025 at 12:05:04PM +0200, Miquel Sabaté Solà wrote: On dj., d’abr. 24 2025, Deepak Gupta wrote: Hello, Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2

Re: [PATCH v12 12/28] riscv: Implements arch agnostic shadow stack prctls

On Fri, Apr 25, 2025 at 01:42:44PM +0200, Radim Krčmář wrote: 2025-04-24T11:16:19-07:00, Deepak Gupta : On Thu, Apr 24, 2025 at 03:36:54PM +0200, Radim Krčmář wrote: 2025-04-23T21:44:09-07:00, Deepak Gupta : On Thu, Apr 10, 2025 at 11:45:58AM +0200, Radim Krčmář wrote: 2025-03-14T14:39:31-07

Re: [PATCH v12 27/28] riscv: Documentation for shadow stack on riscv

On Tue, Apr 08, 2025 at 10:48:08AM +0200, Alexandre Ghiti wrote: On 14/03/2025 22:39, Deepak Gupta wrote: Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta

[PATCH v15 23/27] arch/riscv: compile vdso with landing pad

Signed-off-by: Deepak Gupta --- arch/riscv/Makefile | 5 +++- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 6 + arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S

[PATCH v15 25/27] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfilp.rst | 115

[PATCH v15 24/27] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`, `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 21 + 1 file changed, 21

[PATCH v15 22/27] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c

[PATCH v15 20/27] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm

[PATCH v15 26/27] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 179

[PATCH v15 27/27] kselftest/riscv: kselftest for user mode cfi

sts ok 5 memory protections of shadow stack memory """ Signed-off-by: Deepak Gupta squash Signed-off-by: Deepak Gupta --- tools/testing/selftests/riscv/Makefile | 2 +- tools/testing/selftests/riscv/cfi/.gitignore | 3 + tools/testing/selftests/riscv/cfi/Makefile

[PATCH v15 00/27] riscv control-flow integrity for usermode

cover letter - Link to v11: https://lore.kernel.org/r/20250310-v5_user_cfi_series-v11-0-86b36cbfb...@rivosinc.com Changes in v11: - changelog posted just below cover letter - Link to v10: https://lore.kernel.org/r/20250210-v5_user_cfi_series-v10-0-163dcfa31...@rivosinc.com --- Andy Chiu (1):

[PATCH v15 01/27] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index b7f13f087954..3487f28fa0bf 100644 --- a/include/linux

[PATCH v15 02/27] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta Acked-by: Rob Herring (Arm) --- Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml

[PATCH v15 06/27] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 25 + arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 10 ++ arch/riscv/mm/init.c | 2 +- 4 files

[PATCH v15 03/27] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 12 arch/riscv/include/asm

[PATCH v15 04/27] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v15 05/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Reviewed-by: Charlie Jenkins Reviewed-by: Zong Li Reviewed-by: Alexandre Ghiti Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 +

[PATCH v15 07/27] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10

[PATCH v15 11/27] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h

[PATCH v15 10/27] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 1 + arch/riscv/kernel/

[PATCH v15 09/27] riscv mmu: write protect and shadow stack

mless. Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 60d4821627d2..4e3431c

[PATCH v15 08/27] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Reviewed-by: Alexandre Ghiti Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 17 + 2 files changed, 24 insertions

[PATCH v15 15/27] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2

[PATCH v15 12/27] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 16

[PATCH v15 16/27] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v15 14/27] riscv: Implements arch agnostic indirect branch tracking prctls

prctls implemented are: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 14 +++ arch/riscv/kernel/entry.S| 2 +- arch/riscv/kernel/process.c | 5

[PATCH v15 13/27] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Reviewed-by: Mark Brown Reviewed-by: Zong Li Signed-off-by: Deepak Gupta --- include/linux/cpu.h| 4 include/uapi/linux/prctl.h | 27 +++ kernel/sys.c

[PATCH v15 17/27] riscv/signal: save and restore of shadow stack for signal

and a magic identifier of the extension. Then, the extensions body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 10 arch/riscv/include/uapi/asm/ptrace.h | 4 ++ arch/

[PATCH v15 19/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files

feature is not allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface . It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h

[PATCH v15 21/27] riscv: kernel command line option to opt out of user cfi

;bcfi" : Disable backward cfi. - "fcfi" : Disable forward cfi Signed-off-by: Deepak Gupta --- Documentation/admin-guide/kernel-parameters.txt | 8 arch/riscv/include/asm/usercfi.h| 7 +++ arch/riscv/kernel/usercfi.c | 59 +

[PATCH v15 18/27] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v11 07/27] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/include/asm/pgtable.h | 10 ++ 1 file changed, 10 insertions(+) diff

[PATCH v11 26/27] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/index.rst | 1 + Documentation/arch/riscv/zicfiss.rst | 176 +++ 2 files

[PATCH v11 05/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Signed-off-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/thread_info.h | 3 +++

[PATCH v11 00/27] riscv control-flow integrity for usermode

ns. - Link to v10: https://lore.kernel.org/r/20250210-v5_user_cfi_series-v10-0-163dcfa31...@rivosinc.com --- Andy Chiu (1): riscv: signal: abstract header saving for setup_sigcontext Clément Léger (1): riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta (24): m

[PATCH v11 04/27] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta Reviewed-by: Charlie Jenkins --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 6fed42e37705..2f49b9663640 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch

[PATCH v11 01/27] mm: VM_SHADOW_STACK definition for riscv

VM_HIGH_ARCH_5 is used for riscv Signed-off-by: Deepak Gupta --- include/linux/mm.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 7b1068ddcbb7..1ef231cbc8fe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -378,6 +378,13

[PATCH v11 09/27] riscv mmu: write protect and shadow stack

mless. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index ccd2fa34afb8..54707686f042 100644 --- a

[PATCH v11 14/27] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/entry-common.h | 2 ++ arch/riscv/kernel

[PATCH v11 23/27] arch/riscv: compile vdso with landing pad

: Deepak Gupta --- arch/riscv/Makefile | 7 +- arch/riscv/include/asm/assembler.h| 44 +++ arch/riscv/kernel/vdso/Makefile | 12 ++ arch/riscv/kernel/vdso/flush_icache.S | 4 arch/riscv/kernel/vdso/getcpu.S | 4

[PATCH v11 12/27] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18 ++- arch/riscv/kernel

[PATCH v11 21/27] riscv: enable kernel access to shadow stack memory via FWFT sbi call

, it must be enabled as early as possible for better coverage and prevent imbalance between regular stack and shadow stack. After `relocate_enable_mmu` has been done, this is as early as possible it can enabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/asm-offsets.c | 4 arch/riscv

[PATCH v11 17/27] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta Reviewed-by: Alexandre Ghiti --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --

[PATCH v11 15/27] riscv: signal: abstract header saving for setup_sigcontext

From: Andy Chiu The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future exte

[PATCH v11 11/27] riscv/shstk: If needed allocate a new shadow stack on clone

can be provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mmu_context.h | 7 ++ arch/riscv/include/asm/usercfi.h | 25 arch/riscv/k

[PATCH v11 19/27] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm/hwprobe.h b/arch/riscv

[PATCH v11 03/27] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 13 + arch/riscv/include/asm/hwcap.h | 2 ++ arch/riscv/include/asm

[PATCH v11 18/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files

allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface. It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h | 18

<    1   2   3   4   5   6   >