RISC-V User-Space Control Flow Integrity / Shadow Stack Appears Finally Ready
Similar to what has been available on Intel and AMD processors for users with the shadow stack for control-flow integrity, Linux on RISC-V is finally ready to roll-out its user-space control-flow integrity support.
After going through 23 rounds of patches, the Control Flow Integrity "CFI" for user-mode on RISC-V is approaching the mainline kernel. This security feature is for fending off ROP attacks manipulating the control flow of the user-space software to gain control. RISC-V uses the "zicfilp" instruction to enforce that all indirect calls land on a landing pad "lpad" instruction or will otherwise raise a software check exception. There are also RISC-V instructions introduced for helping ensure the return flow of software.
x86_64 and AArch64 already support user-space control-flow integrity for Linux with capable CPUs while RISC-V is joining the party now that these patches are finally baked. Those patches have made it into risv/linux.git's "for-next" Git branch. With these RISC-V user-mode CFI patches now in their "for-next" queue, they should be submitted as part of the upcoming Linux 7.0 merge window in February.
The patches add a new RISCV_USER_CFI Kconfig kernel option at build-time for enabling RISC-V user-space control flow integrity, assuming the RISC-V processors being used support the necessary instructions. For enabled kernels and where having the necessary RISC-V hardware support, the patches also add a new riscv_nousercfi= command line boot option for the kernel with a value of all possible to disable the user control-flow integrity, bcfi to disable user-backward CFI ABI, or fcfi to disable the user-forward CFI ABI.
After going through 23 rounds of patches, the Control Flow Integrity "CFI" for user-mode on RISC-V is approaching the mainline kernel. This security feature is for fending off ROP attacks manipulating the control flow of the user-space software to gain control. RISC-V uses the "zicfilp" instruction to enforce that all indirect calls land on a landing pad "lpad" instruction or will otherwise raise a software check exception. There are also RISC-V instructions introduced for helping ensure the return flow of software.
x86_64 and AArch64 already support user-space control-flow integrity for Linux with capable CPUs while RISC-V is joining the party now that these patches are finally baked. Those patches have made it into risv/linux.git's "for-next" Git branch. With these RISC-V user-mode CFI patches now in their "for-next" queue, they should be submitted as part of the upcoming Linux 7.0 merge window in February.
The patches add a new RISCV_USER_CFI Kconfig kernel option at build-time for enabling RISC-V user-space control flow integrity, assuming the RISC-V processors being used support the necessary instructions. For enabled kernels and where having the necessary RISC-V hardware support, the patches also add a new riscv_nousercfi= command line boot option for the kernel with a value of all possible to disable the user control-flow integrity, bcfi to disable user-backward CFI ABI, or fcfi to disable the user-forward CFI ABI.