| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Apr 2024 16:35:14 -0700 From: Deepak Gupta <debug@...osinc.com> To: paul.walmsley@...ive.com, rick.p.edgecombe@...el.com, broonie@...nel.org, Szabolcs.Nagy@....com, kito.cheng@...ive.com, keescook@...omium.org, ajones@...tanamicro.com, conor.dooley@...rochip.com, cleger@...osinc.com, atishp@...shpatra.org, alex@...ti.fr, bjorn@...osinc.com, alexghiti@...osinc.com, samuel.holland@...ive.com, conor@...nel.org Cc: linux-doc@...r.kernel.org, linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org, devicetree@...r.kernel.org, linux-mm@...ck.org, linux-arch@...r.kernel.org, linux-kselftest@...r.kernel.org, corbet@....net, palmer@...belt.com, aou@...s.berkeley.edu, robh+dt@...nel.org, krzysztof.kozlowski+dt@...aro.org, oleg@...hat.com, akpm@...ux-foundation.org, arnd@...db.de, ebiederm@...ssion.com, Liam.Howlett@...cle.com, vbabka@...e.cz, lstoakes@...il.com, shuah@...nel.org, brauner@...nel.org, debug@...osinc.com, andy.chiu@...ive.com, jerry.shih@...ive.com, hankuan.chen@...ive.com, greentime.hu@...ive.com, evan@...osinc.com, xiao.w.wang@...el.com, charlie@...osinc.com, apatel@...tanamicro.com, mchitale@...tanamicro.com, dbarboza@...tanamicro.com, sameo@...osinc.com, shikemeng@...weicloud.com, willy@...radead.org, vincent.chen@...ive.com, guoren@...nel.org, samitolvanen@...gle.com, songshuaishuai@...ylab.org, gerg@...nel.org, heiko@...ech.de, bhe@...hat.com, jeeheng.sia@...rfivetech.com, cyy@...self.name, maskray@...gle.com, ancientmodern4@...il.com, mathis.salmen@...sal.de, cuiyunhui@...edance.com, bgray@...ux.ibm.com, mpe@...erman.id.au, baruch@...s.co.il, alx@...nel.org, david@...hat.com, catalin.marinas@....com, revest@...omium.org, josh@...htriplett.org, shr@...kernel.io, deller@....de, omosnace@...hat.com, ojeda@...nel.org, jhubbard@...dia.com Subject: [PATCH v3 26/29] riscv: create a config for shadow stack and landing pad instr support This patch creates a config for shadow stack support and landing pad instr support. Shadow stack support and landing instr support can be enabled by selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires up path to enumerate CPU support and if cpu support exists, kernel will support cpu assisted user mode cfi. Signed-off-by: Deepak Gupta <debug@...osinc.com> --- arch/riscv/Kconfig | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 7e0b2bcc388f..d6f1303ef660 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -203,6 +203,24 @@ config ARCH_HAS_BROKEN_DWARF5 # https://github.com/llvm/llvm-project/commit/7ffabb61a5569444b5ac9322e22e5471cc5e4a77 depends on LD_IS_LLD && LLD_VERSION < 180000 +config RISCV_USER_CFI + def_bool y + bool "riscv userspace control flow integrity" + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss) + depends on RISCV_ALTERNATIVE + select ARCH_USES_HIGH_VMA_FLAGS + help + Provides CPU assisted control flow integrity to userspace tasks. + Control flow integrity is provided by implementing shadow stack for + backward edge and indirect branch tracking for forward edge in program. + Shadow stack protection is a hardware feature that detects function + return address corruption. This helps mitigate ROP attacks. + Indirect branch tracking enforces that all indirect branches must land + on a landing pad instruction else CPU will fault. This mitigates against + JOP / COP attacks. Applications must be enabled to use it, and old user- + space does not get protection "for free". + default y + config ARCH_MMAP_RND_BITS_MIN default 18 if 64BIT default 8 -- 2.43.2
Powered by blists - more mailing lists