| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b50da4ef-53ca-4edf-bd74-f5e037a14f99@canonical.com> Date: Fri, 25 Jul 2025 13:26:44 +0200 From: Heinrich Schuchardt <heinrich.schuchardt@...onical.com> To: Deepak Gupta <debug@...osinc.com> Cc: linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org, linux-mm@...ck.org, llvm@...ts.linux.dev, rick.p.edgecombe@...el.com, broonie@...nel.org, cleger@...osinc.com, samitolvanen@...gle.com, apatel@...tanamicro.com, ajones@...tanamicro.com, conor.dooley@...rochip.com, charlie@...osinc.com, samuel.holland@...ive.com, bjorn@...osinc.com, fweimer@...hat.com, jeffreyalaw@...il.com, andrew@...ive.com, ved@...osinc.com, Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, Alexandre Ghiti <alex@...ti.fr>, Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas.schier@...ux.dev>, Andrew Morton <akpm@...ux-foundation.org>, David Hildenbrand <david@...hat.com>, Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, "Liam R. Howlett" <Liam.Howlett@...cle.com>, Vlastimil Babka <vbabka@...e.cz>, Mike Rapoport <rppt@...nel.org>, Suren Baghdasaryan <surenb@...gle.com>, Michal Hocko <mhocko@...e.com>, Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>, Monk Chiang <monk.chiang@...ive.com>, Kito Cheng <kito.cheng@...ive.com>, Justin Stitt <justinstitt@...gle.com> Subject: Re: [PATCH 11/11] riscv: Kconfig & Makefile for riscv kernel control flow integrity On 25.07.25 01:37, Deepak Gupta wrote: > Defines `CONFIG_RISCV_KERNEL_CFI` and selects SHADOW_CALL_STACK > and ARCH_HAS_KERNEL_SHADOW_STACK both so that zicfiss can be wired up. > > Makefile checks if CONFIG_RISCV_KERNEL_CFI is enabled, then light > up zicfiss and zicfilp compiler flags. CONFIG_RISCV_KERNEL_CFI is > dependent on CONFIG_RISCV_USER_CFI. There is no reason for user to > not select support for user cfi while enabling for kernel. > > compat vdso don't need fcf-protection (toolchain lacks support). > > Signed-off-by: Deepak Gupta <debug@...osinc.com> > --- > arch/riscv/Kconfig | 37 +++++++++++++++++++++++++++++++++- > arch/riscv/Makefile | 8 ++++++++ > arch/riscv/kernel/compat_vdso/Makefile | 2 +- > arch/riscv/kernel/vdso/Makefile | 2 +- > 4 files changed, 46 insertions(+), 3 deletions(-) > > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig > index 385c3d93e378..305ba5787f74 100644 > --- a/arch/riscv/Kconfig > +++ b/arch/riscv/Kconfig > @@ -245,7 +245,7 @@ config GCC_SUPPORTS_DYNAMIC_FTRACE > depends on CC_HAS_MIN_FUNCTION_ALIGNMENT || !RISCV_ISA_C > > config HAVE_SHADOW_CALL_STACK > - def_bool $(cc-option,-fsanitize=shadow-call-stack) > + def_bool $(cc-option,-fsanitize=shadow-call-stack) || $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss) > # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769 > depends on $(ld-option,--no-relax-gp) > > @@ -864,6 +864,16 @@ config RISCV_ISA_ZICBOP > > If you don't know what to do here, say Y. > > +config TOOLCHAIN_HAS_ZICFILP > + bool > + default y > + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp) > + > +config TOOLCHAIN_HAS_ZICFISS > + bool > + default y > + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss) > + > config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI > def_bool y > # https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc > @@ -1182,6 +1192,31 @@ config RISCV_USER_CFI > space does not get protection "for free". > default n. > > +config RISCV_KERNEL_CFI > + def_bool n > + bool "hw assisted riscv kernel control flow integrity (kcfi)" > + depends on 64BIT && $(cc-option,-mabi=lp64 -march=rv64ima_zicfilp_zicfiss) > + depends on RISCV_USER_CFI > + select ARCH_SUPPORTS_SHADOW_CALL_STACK > + select SHADOW_CALL_STACK > + select ARCH_HAS_KERNEL_SHADOW_STACK > + help > + Provides CPU assisted control flow integrity to for riscv kernel. > + Control flow integrity is provided by implementing shadow stack for > + backward edge and indirect branch tracking for forward edge. Shadow > + stack protection is a hardware feature that detects function return > + address corruption. This helps mitigate ROP attacks. RISCV_KERNEL_CFI > + selects CONFIG_SHADOW_CALL_STACK which uses software based shadow > + stack but is unprotected against stray writes. Selecting RISCV_KERNEL_CFI > + will select CONFIG_DYNAMIC_SCS and will enable hardware assisted shadow > + stack protection against stray writes. Please, consider adding a blank line for better readability. > + Indirect branch tracking enforces that all indirect branches must land > + on a landing pad instruction else CPU will fault. This enables forward > + control flow (call/jmp) protection in kernel and restricts all indirect > + call or jump in kernel to a landing pad instruction which mostly likely > + will be start of the function. > + default n For Linux distributions it is important that the same kernel can run both on hardware both with and without CFI support. The description provided does not help to understand if RISCV_KERNEL_CFI=y will result in such a kernel. Please, enumerate the minimum set of extensions needed for supporting a kernel built with RISCV_KERNEL_CFI=y. I guess this will at least include Zimop. Best regards Heinrich > + > endmenu # "Kernel features" > > menu "Boot options" > diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile > index 7128df832b28..6ef30a3d2bc4 100644 > --- a/arch/riscv/Makefile > +++ b/arch/riscv/Makefile > @@ -61,8 +61,10 @@ else ifeq ($(CONFIG_LTO_CLANG),y) > endif > > ifeq ($(CONFIG_SHADOW_CALL_STACK),y) > +ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK > KBUILD_LDFLAGS += --no-relax-gp > endif > +endif > > # ISA string setting > riscv-march-$(CONFIG_ARCH_RV32I) := rv32ima > @@ -91,6 +93,12 @@ riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZABHA) := $(riscv-march-y)_zabha > KBUILD_BASE_ISA = -march=$(shell echo $(riscv-march-y) | sed -E 's/(rv32ima|rv64ima)fd([^v_]*)v?/\1\2/') > export KBUILD_BASE_ISA > > +ifeq ($(CONFIG_RISCV_KERNEL_CFI),y) > +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFILP) := $(riscv-march-y)_zicfilp > +riscv-march-$(CONFIG_TOOLCHAIN_HAS_ZICFISS) := $(riscv-march-y)_zicfiss > +KBUILD_CFLAGS += -fcf-protection=full > +KBUILD_AFLAGS += -fcf-protection=full > +endif > # Remove F,D,V from isa string for all. Keep extensions between "fd" and "v" by > # matching non-v and non-multi-letter extensions out with the filter ([^v_]*) > KBUILD_CFLAGS += $(KBUILD_BASE_ISA) > diff --git a/arch/riscv/kernel/compat_vdso/Makefile b/arch/riscv/kernel/compat_vdso/Makefile > index 24e37d1ef7ec..552131bc34d7 100644 > --- a/arch/riscv/kernel/compat_vdso/Makefile > +++ b/arch/riscv/kernel/compat_vdso/Makefile > @@ -69,4 +69,4 @@ quiet_cmd_compat_vdsold = VDSOLD $@ > > # actual build commands > quiet_cmd_compat_vdsoas = VDSOAS $@ > - cmd_compat_vdsoas = $(COMPAT_CC) $(a_flags) $(COMPAT_CC_FLAGS) -c -o $@ $< > + cmd_compat_vdsoas = $(COMPAT_CC) $(filter-out -fcf-protection=full, $(a_flags)) $(COMPAT_CC_FLAGS) -c -o $@ $< > diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile > index 2b528d82fa7d..7b1446b63ebc 100644 > --- a/arch/riscv/kernel/vdso/Makefile > +++ b/arch/riscv/kernel/vdso/Makefile > @@ -17,7 +17,7 @@ ifdef CONFIG_VDSO_GETRANDOM > vdso-syms += getrandom > endif > > -ifdef CONFIG_RISCV_USER_CFI > +ifneq ($(CONFIG_RISCV_USER_CFI), $(CONFIG_RISCV_KERNEL_CFI)) > CFI_MARCH = _zicfilp_zicfiss > CFI_FULL = -fcf-protection=full > endif >
Powered by blists - more mailing lists