If unsure, say N.
+config RISCV_USER_CFI
+ def_bool y
+ bool "riscv userspace control flow integrity"
+ depends on 64BIT && MMU && \
+ $(cc-option,-mabi=lp64 -march=rv64ima_zicfiss_zicfilp -fcf-protection=full)
+ depends on RISCV_ALTERNATIVE
+ select RISCV_SBI
+ select ARCH_HAS_USER_SHADOW_STACK
+ select ARCH_USES_HIGH_VMA_FLAGS
+ select DYNAMIC_SIGFRAME
+ help
+ Provides CPU-assisted control flow integrity to userspace tasks.
+ Control flow integrity is provided by implementing shadow stack for
+ backward edge and indirect branch tracking for forward edge.
+ Shadow stack protection is a hardware feature that detects function
+ return address corruption. This helps mitigate ROP attacks.
+ Indirect branch tracking enforces that all indirect branches must land
+ on a landing pad instruction else CPU will fault. This mitigates against
+ JOP / COP attacks. Applications must be enabled to use it, and old userspace
+ does not get protection "for free".
+ default y.
+
endmenu # "Kernel features"
menu "Boot options"
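Review bot: `def_bool y` directly followed by `bool "riscv userspace control flow integrity"` declares the symbol's type twice. `def_bool y` is already shorthand for a bool type with default y, so the usual form for a user-visible option is the `bool "..."` prompt line followed by a separate `default y`. The help text also ends with a bare "default y." sentence, which repeats the default rather than advising the user. Either drop it or replace it with an "If unsure, say Y." line, matching the "If unsure, say N." convention of the entry just above. Since the help states that applications must be enabled to use the feature and old userspace is not protected "for free", it would help to say there how a task enables it, or to point to the documentation that does.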