| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fe83a3cc-e8fb-e15b-4673-8caaf1ab39b8@kernel.org>
Date: Wed, 19 Nov 2025 09:24:35 -0700 (MST)
From: Paul Walmsley <pjw@...nel.org>
To: Deepak Gupta <debug@...osinc.com>
cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>,
Vlastimil Babka <vbabka@...e.cz>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>,
Conor Dooley <conor@...nel.org>, Rob Herring <robh@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Arnd Bergmann <arnd@...db.de>,
Christian Brauner <brauner@...nel.org>,
Peter Zijlstra <peterz@...radead.org>, Oleg Nesterov <oleg@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>, Kees Cook <kees@...nel.org>,
Jonathan Corbet <corbet@....net>, Shuah Khan <shuah@...nel.org>,
Jann Horn <jannh@...gle.com>, Conor Dooley <conor+dt@...nel.org>,
Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>,
Benno Lossin <lossin@...nel.org>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
linux-riscv@...ts.infradead.org, devicetree@...r.kernel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kselftest@...r.kernel.org, alistair.francis@....com,
richard.henderson@...aro.org, jim.shu@...ive.com, andybnac@...il.com,
kito.cheng@...ive.com, charlie@...osinc.com, atishp@...osinc.com,
evan@...osinc.com, cleger@...osinc.com, alexghiti@...osinc.com,
samitolvanen@...gle.com, broonie@...nel.org, rick.p.edgecombe@...el.com,
rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v23 21/28] riscv: kernel command line option to opt out
of user cfi
On Wed, 12 Nov 2025, Deepak Gupta via B4 Relay wrote:
> From: Deepak Gupta <debug@...osinc.com>
>
> This commit adds a kernel command line option using which user cfi can be
> disabled. User backward cfi and forward cfi can be enabled independently.
> Kernel command line parameter "riscv_nousercfi" can take below values:
> - "all" : Disable forward and backward cfi both.
> - "bcfi" : Disable backward cfi.
> - "fcfi" : Disable forward cfi
>
> Signed-off-by: Deepak Gupta <debug@...osinc.com>
I fixed the checkpatch warnings on this patch and cleaned up the patch
description slightly; see below.
- Paul
From: Deepak Gupta <debug@...osinc.com>
Date: Wed, 12 Nov 2025 16:43:19 -0800
Subject: [PATCH v23 21/28] riscv: add kernel command line option to opt out of user cfi
This commit adds a kernel command line option to disable part or all of
user cfi. User backward cfi and forward cfi can be controlled independently.
Kernel command line parameter "riscv_nousercfi" can take the following values:
- "all" : Disable forward and backward cfi both
- "bcfi" : Disable backward cfi
- "fcfi" : Disable forward cfi
Signed-off-by: Deepak Gupta <debug@...osinc.com>
Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-21-b55691eacf4f@rivosinc.com
[pjw@...nel.org: fixed warnings from checkpatch; cleaned up patch description]
Signed-off-by: Paul Walmsley <pjw@...nel.org>
---
.../admin-guide/kernel-parameters.txt | 8 +++
arch/riscv/include/asm/usercfi.h | 9 +++
arch/riscv/kernel/cpufeature.c | 9 ++-
arch/riscv/kernel/usercfi.c | 58 +++++++++++++++----
4 files changed, 71 insertions(+), 13 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 6c42061ca20e..453127ef8746 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6453,6 +6453,14 @@
replacement properties are not found. See the Kconfig
entry for RISCV_ISA_FALLBACK.
+ riscv_nousercfi=
+ all Disable user cfi ABI to userspace even if cpu extension
+ are available.
+ bcfi Disable user backward cfi ABI to userspace even if
+ shadow stack extension is available.
+ fcfi Disable user forward cfi ABI to userspace even if landing
+ pad extension is available.
+
ro [KNL] Mount root device read-only on boot
rodata= [KNL,EARLY]
diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h
index ec4b8a53eb74..7495baae1e3c 100644
--- a/arch/riscv/include/asm/usercfi.h
+++ b/arch/riscv/include/asm/usercfi.h
@@ -5,6 +5,10 @@
#ifndef _ASM_RISCV_USERCFI_H
#define _ASM_RISCV_USERCFI_H
+#define CMDLINE_DISABLE_RISCV_USERCFI_FCFI 1
+#define CMDLINE_DISABLE_RISCV_USERCFI_BCFI 2
+#define CMDLINE_DISABLE_RISCV_USERCFI 3
+
#ifndef __ASSEMBLER__
#include <linux/types.h>
#include <linux/prctl.h>
@@ -13,6 +17,8 @@
struct task_struct;
struct kernel_clone_args;
+extern unsigned long riscv_nousercfi;
+
#ifdef CONFIG_RISCV_USER_CFI
struct cfi_state {
unsigned long ubcfi_en : 1; /* Enable for backward cfi. */
@@ -83,6 +89,9 @@ void set_indir_lp_lock(struct task_struct *task);
#endif /* CONFIG_RISCV_USER_CFI */
+bool is_user_shstk_enabled(void);
+bool is_user_lpad_enabled(void);
+
#endif /* __ASSEMBLER__ */
#endif /* _ASM_RISCV_USERCFI_H */
diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
index 106f6bcde5c8..b220fec9a239 100644
--- a/arch/riscv/kernel/cpufeature.c
+++ b/arch/riscv/kernel/cpufeature.c
@@ -28,6 +28,7 @@
#include <asm/vector.h>
#include <asm/vendor_extensions.h>
#include <asm/vendor_extensions/thead.h>
+#include <asm/usercfi.h>
#define NUM_ALPHA_EXTS ('z' - 'a' + 1)
@@ -45,6 +46,8 @@ struct riscv_isainfo hart_isa[NR_CPUS];
u32 thead_vlenb_of;
+unsigned long riscv_nousercfi;
+
/**
* riscv_isa_extension_base() - Get base extension word
*
@@ -277,7 +280,8 @@ static int riscv_ext_svadu_validate(const struct riscv_isa_ext_data *data,
static int riscv_cfilp_validate(const struct riscv_isa_ext_data *data,
const unsigned long *isa_bitmap)
{
- if (!IS_ENABLED(CONFIG_RISCV_USER_CFI))
+ if (!IS_ENABLED(CONFIG_RISCV_USER_CFI) ||
+ (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_FCFI))
return -EINVAL;
return 0;
@@ -286,7 +290,8 @@ static int riscv_cfilp_validate(const struct riscv_isa_ext_data *data,
static int riscv_cfiss_validate(const struct riscv_isa_ext_data *data,
const unsigned long *isa_bitmap)
{
- if (!IS_ENABLED(CONFIG_RISCV_USER_CFI))
+ if (!IS_ENABLED(CONFIG_RISCV_USER_CFI) ||
+ (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_BCFI))
return -EINVAL;
return 0;
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
index 33c955d56eb3..d7a973c58943 100644
--- a/arch/riscv/kernel/usercfi.c
+++ b/arch/riscv/kernel/usercfi.c
@@ -17,6 +17,8 @@
#include <asm/csr.h>
#include <asm/usercfi.h>
+unsigned long riscv_nousercfi;
+
#define SHSTK_ENTRY_SIZE sizeof(void *)
bool is_shstk_enabled(struct task_struct *task)
@@ -59,7 +61,7 @@ unsigned long get_active_shstk(struct task_struct *task)
void set_shstk_status(struct task_struct *task, bool enable)
{
- if (!cpu_supports_shadow_stack())
+ if (!is_user_shstk_enabled())
return;
task->thread_info.user_cfi_state.ubcfi_en = enable ? 1 : 0;
@@ -89,7 +91,7 @@ bool is_indir_lp_locked(struct task_struct *task)
void set_indir_lp_status(struct task_struct *task, bool enable)
{
- if (!cpu_supports_indirect_br_lp_instr())
+ if (!is_user_lpad_enabled())
return;
task->thread_info.user_cfi_state.ufcfi_en = enable ? 1 : 0;
@@ -259,7 +261,7 @@ SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsi
bool set_tok = flags & SHADOW_STACK_SET_TOKEN;
unsigned long aligned_size = 0;
- if (!cpu_supports_shadow_stack())
+ if (!is_user_shstk_enabled())
return -EOPNOTSUPP;
/* Anything other than set token should result in invalid param */
@@ -306,7 +308,7 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *tsk,
unsigned long addr, size;
/* If shadow stack is not supported, return 0 */
- if (!cpu_supports_shadow_stack())
+ if (!is_user_shstk_enabled())
return 0;
/*
@@ -352,7 +354,7 @@ void shstk_release(struct task_struct *tsk)
{
unsigned long base = 0, size = 0;
/* If shadow stack is not supported or not enabled, nothing to release */
- if (!cpu_supports_shadow_stack() || !is_shstk_enabled(tsk))
+ if (!is_user_shstk_enabled() || !is_shstk_enabled(tsk))
return;
/*
@@ -381,7 +383,7 @@ int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *st
{
unsigned long bcfi_status = 0;
- if (!cpu_supports_shadow_stack())
+ if (!is_user_shstk_enabled())
return -EINVAL;
/* this means shadow stack is enabled on the task */
@@ -395,7 +397,7 @@ int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status)
unsigned long size = 0, addr = 0;
bool enable_shstk = false;
- if (!cpu_supports_shadow_stack())
+ if (!is_user_shstk_enabled())
return -EINVAL;
/* Reject unknown flags */
@@ -448,7 +450,7 @@ int arch_lock_shadow_stack_status(struct task_struct *task,
unsigned long arg)
{
/* If shtstk not supported or not enabled on task, nothing to lock here */
- if (!cpu_supports_shadow_stack() ||
+ if (!is_user_shstk_enabled() ||
!is_shstk_enabled(task) || arg != 0)
return -EINVAL;
@@ -461,7 +463,7 @@ int arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *sta
{
unsigned long fcfi_status = 0;
- if (!cpu_supports_indirect_br_lp_instr())
+ if (!is_user_lpad_enabled())
return -EINVAL;
/* indirect branch tracking is enabled on the task or not */
@@ -474,7 +476,7 @@ int arch_set_indir_br_lp_status(struct task_struct *t, unsigned long status)
{
bool enable_indir_lp = false;
- if (!cpu_supports_indirect_br_lp_instr())
+ if (!is_user_lpad_enabled())
return -EINVAL;
/* indirect branch tracking is locked and further can't be modified by user */
@@ -498,7 +500,7 @@ int arch_lock_indir_br_lp_status(struct task_struct *task,
* If indirect branch tracking is not supported or not enabled on task,
* nothing to lock here
*/
- if (!cpu_supports_indirect_br_lp_instr() ||
+ if (!is_user_lpad_enabled() ||
!is_indir_lp_enabled(task) || arg != 0)
return -EINVAL;
@@ -506,3 +508,37 @@ int arch_lock_indir_br_lp_status(struct task_struct *task,
return 0;
}
+
+bool is_user_shstk_enabled(void)
+{
+ return (cpu_supports_shadow_stack() &&
+ !(riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_BCFI));
+}
+
+bool is_user_lpad_enabled(void)
+{
+ return (cpu_supports_indirect_br_lp_instr() &&
+ !(riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_FCFI));
+}
+
+static int __init setup_global_riscv_enable(char *str)
+{
+ if (strcmp(str, "all") == 0)
+ riscv_nousercfi = CMDLINE_DISABLE_RISCV_USERCFI;
+
+ if (strcmp(str, "fcfi") == 0)
+ riscv_nousercfi |= CMDLINE_DISABLE_RISCV_USERCFI_FCFI;
+
+ if (strcmp(str, "bcfi") == 0)
+ riscv_nousercfi |= CMDLINE_DISABLE_RISCV_USERCFI_BCFI;
+
+ if (riscv_nousercfi)
+ pr_info("riscv user cfi disabled via cmdline - shadow stack status : %s, landing pad status : %s\n",
+ (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_BCFI) ? "disabled" :
+ "enabled", (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_FCFI) ?
+ "disabled" : "enabled");
+
+ return 1;
+}
+
+__setup("riscv_nousercfi=", setup_global_riscv_enable);
--
2.48.1
Powered by blists - more mailing lists