Re: [PATCH 11/11] riscv: Kconfig & Makefile for riscv kernel control flow integrity

[Heinrich Schuchardt]

On 25.07.25 16:23, Deepak Gupta wrote:
> On Fri, Jul 25, 2025 at 01:26:44PM +0200, Heinrich Schuchardt wrote:
> > On 25.07.25 01:37, Deepak Gupta wrote:
> > > Defines `CONFIG_RISCV_KERNEL_CFI` and selects SHADOW_CALL_STACK
> > > and ARCH_HAS_KERNEL_SHADOW_STACK both so that zicfiss can be wired up.
> > >
> > > Makefile checks if CONFIG_RISCV_KERNEL_CFI is enabled, then light
> > > up zicfiss and zicfilp compiler flags. CONFIG_RISCV_KERNEL_CFI is
> > > dependent on CONFIG_RISCV_USER_CFI. There is no reason for user to
> > > not select support for user cfi while enabling for kernel.
> > >
> > > compat vdso don't need fcf-protection (toolchain lacks support).
> > >
> > > Signed-off-by: Deepak Gupta <debug@xxxxxxxxxxxx>
> > > ---
> > >  arch/riscv/Kconfig                     | 37 ++++++++++++++++++++++++ 
> > > +++++++++-
> > >  arch/riscv/Makefile                    |  8 ++++++++
> > >  arch/riscv/kernel/compat_vdso/Makefile |  2 +-
> > >  arch/riscv/kernel/vdso/Makefile        |  2 +-
> > >  4 files changed, 46 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> > > index 385c3d93e378..305ba5787f74 100644
> > > --- a/arch/riscv/Kconfig
> > > +++ b/arch/riscv/Kconfig
> > > @@ -245,7 +245,7 @@ config GCC_SUPPORTS_DYNAMIC_FTRACE
> > >      depends on CC_HAS_MIN_FUNCTION_ALIGNMENT || !RISCV_ISA_C
> > >  config HAVE_SHADOW_CALL_STACK
> > > -    def_bool $(cc-option,-fsanitize=shadow-call-stack)
> > > +    def_bool $(cc-option,-fsanitize=shadow-call-stack) || $(cc- 
> > > option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss)
> > >      # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/ 
> > > a484e843e6eeb51f0cb7b8819e50da6d2444d769
> > >      depends on $(ld-option,--no-relax-gp)
> > > @@ -864,6 +864,16 @@ config RISCV_ISA_ZICBOP
> > >        If you don't know what to do here, say Y.
> > > +config TOOLCHAIN_HAS_ZICFILP
> > > +    bool
> > > +    default y
> > > +    depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp)
> > > +
> > > +config TOOLCHAIN_HAS_ZICFISS
> > > +    bool
> > > +    default y
> > > +    depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss)
> > > +
> > >  config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI
> > >      def_bool y
> > >      # https://sourceware.org/git/?p=binutils- 
> > > gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc
> > > @@ -1182,6 +1192,31 @@ config RISCV_USER_CFI
> > >        space does not get protection "for free".
> > >        default n.
> > > +config RISCV_KERNEL_CFI
> > > +    def_bool n
> > > +    bool "hw assisted riscv kernel control flow integrity (kcfi)"
> > > +    depends on 64BIT && $(cc-option,-mabi=lp64 - 
> > > march=rv64ima_zicfilp_zicfiss)
> > > +    depends on RISCV_USER_CFI
> > > +    select ARCH_SUPPORTS_SHADOW_CALL_STACK
> > > +    select SHADOW_CALL_STACK
> > > +    select ARCH_HAS_KERNEL_SHADOW_STACK
> > > +    help
> > > +      Provides CPU assisted control flow integrity to for riscv kernel.
> > > +      Control flow integrity is provided by implementing shadow 
> > > stack for
> > > +      backward edge and indirect branch tracking for forward edge. 
> > > Shadow
> > > +      stack protection is a hardware feature that detects function 
> > > return
> > > +      address corruption. This helps mitigate ROP attacks. 
> > > RISCV_KERNEL_CFI
> > > +      selects CONFIG_SHADOW_CALL_STACK which uses software based shadow
> > > +      stack but is unprotected against stray writes. Selecting 
> > > RISCV_KERNEL_CFI
> > > +      will select CONFIG_DYNAMIC_SCS and will enable hardware 
> > > assisted shadow
> > > +      stack protection against stray writes.
> >
> > Please, consider adding a blank line for better readability.
>
> Noted. Will do.
>
> > > +      Indirect branch tracking enforces that all indirect branches 
> > > must land
> > > +      on a landing pad instruction else CPU will fault. This enables 
> > > forward
> > > +      control flow (call/jmp) protection in kernel and restricts all 
> > > indirect
> > > +      call or jump in kernel to a landing pad instruction which 
> > > mostly likely
> > > +      will be start of the function.
> > > +      default n
> >
> > For Linux distributions it is important that the same kernel can run 
> > both on hardware both with and without CFI support. The description 
> > provided does not help to understand if RISCV_KERNEL_CFI=y will result 
> > in such a kernel. Please, enumerate the minimum set of extensions 
> > needed for supporting a kernel built with RISCV_KERNEL_CFI=y. I guess 
> > this will at least include Zimop.
>
> Yes, it is expected anyone selecting this config is going to take this 
> kernel to
> a RVA23 hardware. RVA23 mandates zimop and thus shouldn't be an issue on 
> such a
> hardware. Anyone selecting this config and trying to run this kernel on 
> hardware
> prior to RVA23 will run into issues. I can add a comment here to 
> highlight that.
>
> I assume you wanted that awareness and goal is not maintain compat of same
> kernel between RVA20 and RVA23 hardware, right?

I am aware that this option is not RVA20 compatible. Could we either 
mention RVA23 or Zimop here so users will understand the implications.

Best regards

Heinrich

> > Best regards
> >
> > Heinrich
> >
> > > +
> > >  endmenu # "Kernel features"
> > >  menu "Boot options"
> > > diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
> > > index 7128df832b28..6ef30a3d2bc4 100644
> > > --- a/arch/riscv/Makefile
> > > +++ b/arch/riscv/Makefile
> > > @@ -61,8 +61,10 @@ else ifeq ($(CONFIG_LTO_CLANG),y)
> > >  endif
> > >  ifeq ($(CONFIG_SHADOW_CALL_STACK),y)
> > > +ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> > >      KBUILD_LDFLAGS += --no-relax-gp
> > >  endif
> > > +endif
> > >  # ISA string setting
> > >  riscv-march-$(CONFIG_ARCH_RV32I)    := rv32ima
> > > @@ -91,6 +93,12 @@ riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZABHA) := 
> > > $(riscv-march-y)_zabha
> > >  KBUILD_BASE_ISA = -march=$(shell echo $(riscv-march-y) | sed -E 's/ 
> > > (rv32ima|rv64ima)fd([^v_]*)v?/\1\2/')
> > >  export KBUILD_BASE_ISA
> > > +ifeq ($(CONFIG_RISCV_KERNEL_CFI),y)
> > > +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFILP) := $(riscv-march-y)_zicfilp
> > > +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFISS) := $(riscv-march-y)_zicfiss
> > > +KBUILD_CFLAGS += -fcf-protection=full
> > > +KBUILD_AFLAGS += -fcf-protection=full
> > > +endif
> > >  # Remove F,D,V from isa string for all. Keep extensions between "fd" 
> > > and "v" by
> > >  # matching non-v and non-multi-letter extensions out with the filter 
> > > ([^v_]*)
> > >  KBUILD_CFLAGS += $(KBUILD_BASE_ISA)
> > > diff --git a/arch/riscv/kernel/compat_vdso/Makefile b/arch/riscv/ 
> > > kernel/compat_vdso/Makefile
> > > index 24e37d1ef7ec..552131bc34d7 100644
> > > --- a/arch/riscv/kernel/compat_vdso/Makefile
> > > +++ b/arch/riscv/kernel/compat_vdso/Makefile
> > > @@ -69,4 +69,4 @@ quiet_cmd_compat_vdsold = VDSOLD  $@
> > >  # actual build commands
> > >  quiet_cmd_compat_vdsoas = VDSOAS  $@
> > > -      cmd_compat_vdsoas = $(COMPAT_CC) $(a_flags) $(COMPAT_CC_FLAGS) 
> > > -c -o $@ $<
> > > +      cmd_compat_vdsoas = $(COMPAT_CC) $(filter-out -fcf- 
> > > protection=full, $(a_flags)) $(COMPAT_CC_FLAGS) -c -o $@ $<
> > > diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/ 
> > > vdso/Makefile
> > > index 2b528d82fa7d..7b1446b63ebc 100644
> > > --- a/arch/riscv/kernel/vdso/Makefile
> > > +++ b/arch/riscv/kernel/vdso/Makefile
> > > @@ -17,7 +17,7 @@ ifdef CONFIG_VDSO_GETRANDOM
> > >  vdso-syms += getrandom
> > >  endif
> > > -ifdef CONFIG_RISCV_USER_CFI
> > > +ifneq ($(CONFIG_RISCV_USER_CFI), $(CONFIG_RISCV_KERNEL_CFI))
> > >  CFI_MARCH = _zicfilp_zicfiss
> > >  CFI_FULL = -fcf-protection=full
> > >  endif