| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPAKmCwDeXXvU7VD@debug.ba.rivosinc.com>
Date: Wed, 15 Oct 2025 13:56:56 -0700
From: Deepak Gupta <debug@...osinc.com>
To: Charles Mirabile <cmirabil@...hat.com>
Cc: Liam.Howlett@...cle.com, a.hindborg@...nel.org,
akpm@...ux-foundation.org, alex.gaynor@...il.com,
alexghiti@...osinc.com, aliceryhl@...gle.com,
alistair.francis@....com, andybnac@...il.com, aou@...s.berkeley.edu,
arnd@...db.de, atishp@...osinc.com, bjorn3_gh@...tonmail.com,
boqun.feng@...il.com, bp@...en8.de, brauner@...nel.org,
broonie@...nel.org, charlie@...osinc.com, cleger@...osinc.com,
conor+dt@...nel.org, conor@...nel.org, corbet@....net,
dave.hansen@...ux.intel.com, devicetree@...r.kernel.org,
ebiederm@...ssion.com, evan@...osinc.com, gary@...yguo.net,
hpa@...or.com, jannh@...gle.com, jim.shu@...ive.com,
kees@...nel.org, kito.cheng@...ive.com, krzk+dt@...nel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-mm@...ck.org,
linux-riscv@...ts.infradead.org, lorenzo.stoakes@...cle.com,
lossin@...nel.org, mingo@...hat.com, ojeda@...nel.org,
oleg@...hat.com, palmer@...belt.com, paul.walmsley@...ive.com,
peterz@...radead.org, richard.henderson@...aro.org,
rick.p.edgecombe@...el.com, robh@...nel.org,
rust-for-linux@...r.kernel.org, samitolvanen@...gle.com,
shuah@...nel.org, tglx@...utronix.de, tmgross@...ch.edu,
vbabka@...e.cz, x86@...nel.org
Subject: Re: [PATCH v20 24/28] arch/riscv: dual vdso creation logic and
select vdso based on hw
Hi Charles,
On Wed, Oct 15, 2025 at 04:36:11PM -0400, Charles Mirabile wrote:
>Hi Deepak -
>
>On Mon, Oct 13, 2025 at 02:56:16PM -0700, Deepak Gupta wrote:
>> Shadow stack instructions are taken from zimop (mandated on RVA23).
>> Any hardware prior to RVA23 profile will fault on shado stack instruction.
>> Any userspace with shadow stack instruction in it will fault on such
>> hardware. Thus such userspace can't be brought onto such a hardware.
>>
>> It's not known how userspace will respond to such binary fragmentation.
>> However in order to keep kernel portable across such different hardware,
>> `arch/riscv/kernel/vdso_cfi` is created which has logic (Makefile) to
>> compile `arch/riscv/kernel/vdso` sources with cfi flags and then changes
>> in `arch/riscv/kernel/vdso.c` for selecting appropriate vdso depending
>> on whether underlying hardware(cpu) implements zimop extension. Offset
>> of vdso symbols will change due to having two different vdso binaries,
>> there is added logic to include new generated vdso offset header and
>> dynamically select offset (like for rt_sigreturn).
>
>This looks great. As kernel test robot highlighted, the code doesn't build
>when the config is off, but I was able to fix it with the attached patch.
Yes sorry about that. Locally include/generated had both files and that's how
I missed it.
>
>Assuming that these changes or equivalent are folded in, you have my:
>
Yes v21 changes are equivalent to what you proposed.
>Acked-by: Charles Mirabile <cmirabil@...hat.com>
If I send another version due to some other issue, I'll collect your tag.
Else
Paul,
Can you apply the tag when you take it in.
-Deepak
>
>As merely a user whose previous concerns have been addressed, I am not
>sure what that is worth, but I appreciate your effort on this.
Thanks.
>
>>
>> Signed-off-by: Deepak Gupta <debug@...osinc.com>
>> ---
>> arch/riscv/Makefile | 3 +++
>> arch/riscv/include/asm/vdso.h | 7 ++++++-
>> arch/riscv/kernel/Makefile | 1 +
>> arch/riscv/kernel/vdso.c | 7 +++++++
>> arch/riscv/kernel/vdso/Makefile | 29 ++++++++++++++++++++---------
>> arch/riscv/kernel/vdso/gen_vdso_offsets.sh | 4 +++-
>> arch/riscv/kernel/vdso_cfi/Makefile | 25 +++++++++++++++++++++++++
>> arch/riscv/kernel/vdso_cfi/vdso-cfi.S | 11 +++++++++++
>> 8 files changed, 76 insertions(+), 11 deletions(-)
>>
>> diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
>> index f60c2de0ca08..b74b63da16a7 100644
>> --- a/arch/riscv/Makefile
>> +++ b/arch/riscv/Makefile
>> @@ -176,6 +176,8 @@ ifeq ($(CONFIG_MMU),y)
>> prepare: vdso_prepare
>> vdso_prepare: prepare0
>> $(Q)$(MAKE) $(build)=arch/riscv/kernel/vdso include/generated/vdso-offsets.h
>> + $(if $(CONFIG_RISCV_USER_CFI),$(Q)$(MAKE) \
>> + $(build)=arch/riscv/kernel/vdso_cfi include/generated/vdso-cfi-offsets.h)
>> $(if $(CONFIG_COMPAT),$(Q)$(MAKE) \
>> $(build)=arch/riscv/kernel/compat_vdso include/generated/compat_vdso-offsets.h)
>>
>> @@ -183,6 +185,7 @@ endif
>> endif
>>
>> vdso-install-y += arch/riscv/kernel/vdso/vdso.so.dbg
>> +vdso-install-$(CONFIG_RISCV_USER_CFI) += arch/riscv/kernel/vdso_cfi/vdso-cfi.so.dbg
>> vdso-install-$(CONFIG_COMPAT) += arch/riscv/kernel/compat_vdso/compat_vdso.so.dbg
>>
>> BOOT_TARGETS := Image Image.gz Image.bz2 Image.lz4 Image.lzma Image.lzo Image.zst Image.xz loader loader.bin xipImage vmlinuz.efi
>> diff --git a/arch/riscv/include/asm/vdso.h b/arch/riscv/include/asm/vdso.h
>> index f80357fe24d1..3fc8f72b8bfb 100644
>> --- a/arch/riscv/include/asm/vdso.h
>> +++ b/arch/riscv/include/asm/vdso.h
>> @@ -18,9 +18,13 @@
>>
>> #ifndef __ASSEMBLER__
>> #include <generated/vdso-offsets.h>
>> +#include <generated/vdso-cfi-offsets.h>
>>
>> #define VDSO_SYMBOL(base, name) \
>> - (void __user *)((unsigned long)(base) + __vdso_##name##_offset)
>> + ((IS_ENABLED(CONFIG_RISCV_USER_CFI) && \
>> + riscv_has_extension_unlikely(RISCV_ISA_EXT_ZIMOP)) ? \
>> + (void __user *)((unsigned long)(base) + __vdso_##name##_cfi_offset) : \
>> + (void __user *)((unsigned long)(base) + __vdso_##name##_offset))
>>
>> #ifdef CONFIG_COMPAT
>> #include <generated/compat_vdso-offsets.h>
>> @@ -33,6 +37,7 @@ extern char compat_vdso_start[], compat_vdso_end[];
>> #endif /* CONFIG_COMPAT */
>>
>> extern char vdso_start[], vdso_end[];
>> +extern char vdso_cfi_start[], vdso_cfi_end[];
>>
>> #endif /* !__ASSEMBLER__ */
>>
>> diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
>> index 2d0e0dcedbd3..9026400cba10 100644
>> --- a/arch/riscv/kernel/Makefile
>> +++ b/arch/riscv/kernel/Makefile
>> @@ -72,6 +72,7 @@ obj-y += vendor_extensions/
>> obj-y += probes/
>> obj-y += tests/
>> obj-$(CONFIG_MMU) += vdso.o vdso/
>> +obj-$(CONFIG_RISCV_USER_CFI) += vdso_cfi/
>>
>> obj-$(CONFIG_RISCV_MISALIGNED) += traps_misaligned.o
>> obj-$(CONFIG_RISCV_MISALIGNED) += unaligned_access_speed.o
>> diff --git a/arch/riscv/kernel/vdso.c b/arch/riscv/kernel/vdso.c
>> index 3a8e038b10a2..bf080e519101 100644
>> --- a/arch/riscv/kernel/vdso.c
>> +++ b/arch/riscv/kernel/vdso.c
>> @@ -98,6 +98,13 @@ static struct __vdso_info compat_vdso_info __ro_after_init = {
>>
>> static int __init vdso_init(void)
>> {
>> + /* Hart implements zimop, expose cfi compiled vdso */
>> + if (IS_ENABLED(CONFIG_RISCV_USER_CFI) &&
>> + riscv_has_extension_unlikely(RISCV_ISA_EXT_ZIMOP)) {
>> + vdso_info.vdso_code_start = vdso_cfi_start;
>> + vdso_info.vdso_code_end = vdso_cfi_end;
>> + }
>> +
>> __vdso_init(&vdso_info);
>> #ifdef CONFIG_COMPAT
>> __vdso_init(&compat_vdso_info);
>> diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
>> index 272f1d837a80..a842dc034571 100644
>> --- a/arch/riscv/kernel/vdso/Makefile
>> +++ b/arch/riscv/kernel/vdso/Makefile
>> @@ -20,6 +20,10 @@ endif
>> ifdef VDSO_CFI_BUILD
>> CFI_MARCH = _zicfilp_zicfiss
>> CFI_FULL = -fcf-protection=full
>> +CFI_SUFFIX = -cfi
>> +OFFSET_SUFFIX = _cfi
>> +ccflags-y += -DVDSO_CFI=1
>> +asflags-y += -DVDSO_CFI=1
>> endif
>>
>> # Files to link into the vdso
>> @@ -48,13 +52,20 @@ endif
>> CFLAGS_hwprobe.o += -fPIC
>>
>> # Build rules
>> -targets := $(obj-vdso) vdso.so vdso.so.dbg vdso.lds
>> +vdso_offsets := vdso$(if $(VDSO_CFI_BUILD),$(CFI_SUFFIX),)-offsets.h
>> +vdso_o := vdso$(if $(VDSO_CFI_BUILD),$(CFI_SUFFIX),).o
>> +vdso_so := vdso$(if $(VDSO_CFI_BUILD),$(CFI_SUFFIX),).so
>> +vdso_so_dbg := vdso$(if $(VDSO_CFI_BUILD),$(CFI_SUFFIX),).so.dbg
>> +vdso_lds := vdso.lds
>> +
>> +targets := $(obj-vdso) $(vdso_so) $(vdso_so_dbg) $(vdso_lds)
>> +
>> obj-vdso := $(addprefix $(obj)/, $(obj-vdso))
>>
>> -obj-y += vdso.o
>> -CPPFLAGS_vdso.lds += -P -C -U$(ARCH)
>> +obj-y += vdso$(if $(VDSO_CFI_BUILD),$(CFI_SUFFIX),).o
>> +CPPFLAGS_$(vdso_lds) += -P -C -U$(ARCH)
>> ifneq ($(filter vgettimeofday, $(vdso-syms)),)
>> -CPPFLAGS_vdso.lds += -DHAS_VGETTIMEOFDAY
>> +CPPFLAGS_$(vdso_lds) += -DHAS_VGETTIMEOFDAY
>> endif
>>
>> # Disable -pg to prevent insert call site
>> @@ -63,12 +74,12 @@ CFLAGS_REMOVE_getrandom.o = $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS)
>> CFLAGS_REMOVE_hwprobe.o = $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS)
>>
>> # Force dependency
>> -$(obj)/vdso.o: $(obj)/vdso.so
>> +$(obj)/$(vdso_o): $(obj)/$(vdso_so)
>>
>> # link rule for the .so file, .lds has to be first
>> -$(obj)/vdso.so.dbg: $(obj)/vdso.lds $(obj-vdso) FORCE
>> +$(obj)/$(vdso_so_dbg): $(obj)/$(vdso_lds) $(obj-vdso) FORCE
>> $(call if_changed,vdsold_and_check)
>> -LDFLAGS_vdso.so.dbg = -shared -soname=linux-vdso.so.1 \
>> +LDFLAGS_$(vdso_so_dbg) = -shared -soname=linux-vdso.so.1 \
>> --build-id=sha1 --eh-frame-hdr
>>
>> # strip rule for the .so file
>> @@ -79,9 +90,9 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE
>> # Generate VDSO offsets using helper script
>> gen-vdsosym := $(src)/gen_vdso_offsets.sh
>> quiet_cmd_vdsosym = VDSOSYM $@
>> - cmd_vdsosym = $(NM) $< | $(gen-vdsosym) | LC_ALL=C sort > $@
>> + cmd_vdsosym = $(NM) $< | $(gen-vdsosym) $(OFFSET_SUFFIX) | LC_ALL=C sort > $@
>>
>> -include/generated/vdso-offsets.h: $(obj)/vdso.so.dbg FORCE
>> +include/generated/$(vdso_offsets): $(obj)/$(vdso_so_dbg) FORCE
>> $(call if_changed,vdsosym)
>>
>> # actual build commands
>> diff --git a/arch/riscv/kernel/vdso/gen_vdso_offsets.sh b/arch/riscv/kernel/vdso/gen_vdso_offsets.sh
>> index c2e5613f3495..bd5d5afaaa14 100755
>> --- a/arch/riscv/kernel/vdso/gen_vdso_offsets.sh
>> +++ b/arch/riscv/kernel/vdso/gen_vdso_offsets.sh
>> @@ -2,4 +2,6 @@
>> # SPDX-License-Identifier: GPL-2.0
>>
>> LC_ALL=C
>> -sed -n -e 's/^[0]\+\(0[0-9a-fA-F]*\) . \(__vdso_[a-zA-Z0-9_]*\)$/\#define \2_offset\t0x\1/p'
>> +SUFFIX=${1:-""}
>> +sed -n -e \
>> +'s/^[0]\+\(0[0-9a-fA-F]*\) . \(__vdso_[a-zA-Z0-9_]*\)$/\#define \2'$SUFFIX'_offset\t0x\1/p'
>> diff --git a/arch/riscv/kernel/vdso_cfi/Makefile b/arch/riscv/kernel/vdso_cfi/Makefile
>> new file mode 100644
>> index 000000000000..8ebd190782b0
>> --- /dev/null
>> +++ b/arch/riscv/kernel/vdso_cfi/Makefile
>> @@ -0,0 +1,25 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +# RISC-V VDSO CFI Makefile
>> +# This Makefile builds the VDSO with CFI support when CONFIG_RISCV_USER_CFI is enabled
>> +
>> +# setting VDSO_CFI_BUILD triggers build for vdso differently
>> +VDSO_CFI_BUILD := 1
>> +
>> +# Set the source directory to the main vdso directory
>> +src := $(srctree)/arch/riscv/kernel/vdso
>> +
>> +# Copy all .S and .c files from vdso directory to vdso_cfi object build directory
>> +vdso_c_sources := $(wildcard $(src)/*.c)
>> +vdso_S_sources := $(wildcard $(src)/*.S)
>> +vdso_c_objects := $(addprefix $(obj)/, $(notdir $(vdso_c_sources)))
>> +vdso_S_objects := $(addprefix $(obj)/, $(notdir $(vdso_S_sources)))
>> +
>> +$(vdso_S_objects): $(obj)/%.S: $(src)/%.S
>> + $(Q)cp $< $@
>> +
>> +$(vdso_c_objects): $(obj)/%.c: $(src)/%.c
>> + $(Q)cp $< $@
>> +
>> +# Include the main VDSO Makefile which contains all the build rules and sources
>> +# The VDSO_CFI_BUILD variable will be passed to it to enable CFI compilation
>> +include $(src)/Makefile
>> diff --git a/arch/riscv/kernel/vdso_cfi/vdso-cfi.S b/arch/riscv/kernel/vdso_cfi/vdso-cfi.S
>> new file mode 100644
>> index 000000000000..d426f6accb35
>> --- /dev/null
>> +++ b/arch/riscv/kernel/vdso_cfi/vdso-cfi.S
>> @@ -0,0 +1,11 @@
>> +/* SPDX-License-Identifier: GPL-2.0-only */
>> +/*
>> + * Copyright 2025 Rivos, Inc
>> + */
>> +
>> +#define vdso_start vdso_cfi_start
>> +#define vdso_end vdso_cfi_end
>> +
>> +#define __VDSO_PATH "arch/riscv/kernel/vdso_cfi/vdso-cfi.so"
>> +
>> +#include "../vdso/vdso.S"
>>
>> --
>> 2.43.0
>>
>>
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv@...ts.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
>---
>diff --git a/arch/riscv/include/asm/vdso.h b/arch/riscv/include/asm/vdso.h
>index 3fc8f72b8bfb..9cfbb390270f 100644
>--- a/arch/riscv/include/asm/vdso.h
>+++ b/arch/riscv/include/asm/vdso.h
>@@ -18,13 +18,21 @@
>
> #ifndef __ASSEMBLER__
> #include <generated/vdso-offsets.h>
>+#if IS_ENABLED(CONFIG_RISCV_USER_CFI)
>+
> #include <generated/vdso-cfi-offsets.h>
>
> #define VDSO_SYMBOL(base, name) \
>- ((IS_ENABLED(CONFIG_RISCV_USER_CFI) && \
>- riscv_has_extension_unlikely(RISCV_ISA_EXT_ZIMOP)) ? \
>- (void __user *)((unsigned long)(base) + __vdso_##name##_cfi_offset) : \
>- (void __user *)((unsigned long)(base) + __vdso_##name##_offset))
>+ (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZIMOP)) ? \
>+ (void __user *)((unsigned long)(base) + __vdso_##name##_cfi_offset) : \
>+ (void __user *)((unsigned long)(base) + __vdso_##name##_offset)
>+
>+#else /* !CONFIG_RISCV_USER_CFI */
>+
>+#define VDSO_SYMBOL(base, name) \
>+ (void __user *)((unsigned long)(base) + __vdso_##name##_offset)
>+
>+#endif /* CONFIG_RISCV_USER_CFI */
>
> #ifdef CONFIG_COMPAT
> #include <generated/compat_vdso-offsets.h>
>
Powered by blists - more mailing lists