[Backport] RISC-V User CFI (Control Flow Integrity) Support#261
Open
zhuzhenxxx-collab wants to merge 39 commits into
Open
[Backport] RISC-V User CFI (Control Flow Integrity) Support#261zhuzhenxxx-collab wants to merge 39 commits into
zhuzhenxxx-collab wants to merge 39 commits into
Conversation
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/24988400550 参数解析结果
测试完成 详细结果:RVCK result
Kunit Test Result[09:59:28] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build ResultKernel build succeeded: RVCK-Project/rvck/261_24988400550_1/ 966d009765b5442903cdd2ffa5c4505d /srv/guix_result/7d02a061ab12f1602afafd49e577ed162222e84f/Image
LAVA Check
result: Lava check done!
Check Patch Result
|
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
7d02a06 to
99d9886
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/25030054701 参数解析结果
测试完成 详细结果:RVCK result
Kunit Test Result[02:12:59] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build ResultKernel build succeeded: RVCK-Project/rvck/261_25030054701_1/ cb5e3563f24de7a5f817637fbf2d98fd /srv/guix_result/99d98861ce594627a0900f0a012cea71d4e42e64/Image
LAVA Check
result: Lava check done!
Check Patch Result
|
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
99d9886 to
dc12830
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26085251269 参数解析结果
测试完成 详细结果:
Kunit Test Result[08:25:31] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build Result
Check Patch Result
LAVA Check (qemu)
result: Lava check done!
LAVA Checklava 执行失败.LAVA Checklava 执行失败. |
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
dc12830 to
83727d4
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26146937899 参数解析结果
测试完成 详细结果:
Kunit Test Result[07:07:39] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build Result
Check Patch Result
LAVA Check (qemu)
result: Lava check done!
LAVA Checklava 执行失败.LAVA Checklava 执行失败.LAVA Checklava 执行失败. |
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
83727d4 to
11314d3
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26149828693 参数解析结果
测试完成 详细结果:
Kunit Test Result[08:11:40] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build Result
Check Patch Result
LAVA Check (qemu)
result: Lava check done!
LAVA Checklava 执行失败.LAVA Checklava 执行失败.LAVA Checklava 执行失败. |
Author
|
/check 开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26207959685 参数解析结果
测试完成 详细结果:
Kunit Test Result[05:51:16] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Check Patch Result
|
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
11314d3 to
15c0d01
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26209293762 参数解析结果
测试完成 详细结果:
Kunit Test Result[06:28:40] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Check Patch Result
|
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
15c0d01 to
925b5ad
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26393436460 参数解析结果
测试完成 详细结果:
Kunit Test Result[09:31:11] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Check Patch Result
|
Contributor
|
/check 开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26708555179 参数解析结果
测试完成 详细结果:
Kunit Test Result[09:15:02] Testing complete. Ran 457 tests: passed: 445, skipped: 12
Kernel Build Result
Check Patch Result
|
| # SPDX-License-Identifier: GPL-2.0 | ||
|
|
||
| GENERIC_VDSO_MK_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) | ||
| GENERIC_VDSO_DIR := $(dir $(GENERIC_VDSO_MK_PATH)) |
| @@ -0,0 +1,30 @@ | |||
| /* SPDX-License-Identifier: GPL-2.0-only */ | |||
| /* | |||
|
|
||
| # Force dependency | ||
| $(obj)/vdso.o: $(obj)/vdso.so | ||
|
|
| .endm | ||
|
|
||
| #endif /* __ASM_ASSEMBLER_H */ | ||
|
|
Author
There was a problem hiding this comment.
这个提交我这边校验了一下格式,checkpatch的log没看到这个补丁的报错。请问这个检查规范是什么,我这边本地统一检查一下。
| #define __VVAR_PAGES 2 | ||
|
|
||
| #ifndef __ASSEMBLY__ | ||
| #include <generated/vdso-offsets.h> |
Contributor
|
这个pr的补丁backport自上游社区,只要通过lavaci就可以合并,但是有多个补丁的头部信息格式不正确,请修改。 另外,当前的lavaci出现了一些问题,导致不能通过测试,我们正在排查。5月无法合并了,6月rebase后会优先审阅合并这个pr。 |
mainline inclusion from mainline-7.0 commit 2fd0eba ("arch: Reserve map_shadow_stack() syscall number for all architectures") category: feature Link: RVCK-Project#255 -------------------------------- commit c35559f ("x86/shstk: Introduce map_shadow_stack syscall") recently added support for map_shadow_stack() but it is limited to x86 only for now. There is a possibility that other architectures (namely, arm64 and RISC-V), that are implementing equivalent support for shadow stacks, might need to add support for it. Independent of that, reserving arch-specific syscall numbers in the syscall tables of all architectures is good practice and would help avoid future conflicts. map_shadow_stack() is marked as a conditional syscall in sys_ni.c. Adding it to the syscall tables of other architectures is harmless and would return ENOSYS when exercised. Note, map_shadow_stack() was assigned #453 during the merge process since #452 was taken by fchmodat2(). For Powerpc, map it to sys_ni_syscall() as is the norm for Powerpc syscall tables. For Alpha, map_shadow_stack() takes up #563 as Alpha still diverges from the common syscall numbering system in the other architectures. Link: https://lore.kernel.org/lkml/20230515212255.GA562920@debug.ba.rivosinc.com/ Link: https://lore.kernel.org/lkml/b402b80b-a7c6-4ef0-b977-c0f5f582b78a@sirena.org.uk/ Signed-off-by: Sohil Mehta <sohil.mehta@intel.com> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc) Acked-by: Catalin Marinas <catalin.marinas@arm.com> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-6.19 commit 818d78b ("riscv: signal: abstract header saving for setup_sigcontext") category: feature bugzilla: RVCK-Project#255 -------------------------------- The function save_v_state() served two purposes. First, it saved extension context into the signal stack. Then, it constructed the extension header if there was no fault. The second part is independent of the extension itself. As a result, we can pull that part out, so future extensions may reuse it. This patch adds arch_ext_list and makes setup_sigcontext() go through all possible extensions' save() callback. The callback returns a positive value indicating the size of the successfully saved extension. Then the kernel proceeds to construct the header for that extension. The kernel skips an extension if it does not exist, or if the saving fails for some reasons. The error code is propagated out on the later case. This patch does not introduce any functional changes. Signed-off-by: Andy Chiu <andybnac@gmail.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-16-b55691eacf4f@rivosinc.com Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 81723e3 ("random: vDSO: add missing c-getrandom-y in Makefile") category: feature Link: RVCK-Project#255 -------------------------------- Same as for the gettimeofday CVDSO implementation, add c-getrandom-y to ease the inclusion of lib/vdso/getrandom.c in architectures' VDSO builds. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit ee0d030 ("RISC-V: vDSO: Wire up getrandom() vDSO implementation") category: feature Link: RVCK-Project#255 -------------------------------- Hook up the generic vDSO implementation to the generic vDSO getrandom implementation by providing the required __arch_chacha20_blocks_nostack and getrandom_syscall implementations. Also wire up the selftests. The benchmark result: vdso: 25000000 times in 2.466341333 seconds libc: 25000000 times in 41.447720005 seconds syscall: 25000000 times in 41.043926672 seconds vdso: 25000000 x 256 times in 162.286219353 seconds libc: 25000000 x 256 times in 2953.855018685 seconds syscall: 25000000 x 256 times in 2796.268546000 seconds [ alex: - Fix dynamic relocation - Squash Nathan's fix https://lore.kernel.org/all/20250423-riscv-fix-compat_vdso-lld-v2-1-b7bbbc244501@kernel.org/ - Add comment from Loongarch ] Signed-off-by: Xi Ruoyao <xry111@xry111.site> Link: https://lore.kernel.org/r/20250411024600.16045-1-xry111@xry111.site Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com> Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com> Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit f955aa8 ("riscv: entry: Convert ret_from_fork() to C") category: feature Link: RVCK-Project#255 -------------------------------- Move the main section of ret_from_fork() to C to allow inlining of syscall_exit_to_user_mode(). Signed-off-by: Charlie Jenkins <charlie@rivosinc.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com> Link: https://lore.kernel.org/all/20250320-riscv_optimize_entry-v6-1-63e187e26041@rivosinc.com Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 5b3d610 ("riscv: entry: Split ret_from_fork() into user and kernel") category: feature Link: RVCK-Project#255 -------------------------------- This function was unified into a single function in commit ab9164d ("riscv: entry: Consolidate ret_from_kernel_thread into ret_from_fork"). However that imposed a performance degradation. Partially reverting this commit to have ret_from_fork() split again, results in a 1% increase on the number of times fork is able to be called per second. Signed-off-by: Charlie Jenkins <charlie@rivosinc.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Alexandre Ghiti <alexghiti@rivosinc.com> Link: https://lore.kernel.org/all/20250320-riscv_optimize_entry-v6-2-63e187e26041@rivosinc.com Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit c68c2ef ("riscv/mm: teach pte_mkwrite to manufacture shadow stack PTEs") category: feature Link: RVCK-Project#255 -------------------------------- pte_mkwrite() creates PTEs with WRITE encodings for the underlying architecture. The underlying architecture can have two types of writeable mappings: one that can be written using regular store instructions, and another one that can only be written using specialized store instructions (like shadow stack stores). pte_mkwrite can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com> Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-8-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 540de7a ("riscv/mm: update write protect to work on shadow stacks") category: feature Link: RVCK-Project#255 -------------------------------- 'fork' implements copy-on-write (COW) by making pages readonly in both child and parent. ptep_set_wrprotect() and pte_wrprotect() clear _PAGE_WRITE in PTE. The assumption is that the page is readable and, on a fault, copy-on-write happens. To implement COW on shadow stack pages, clearing the W bit makes them XWR = 000. This will result in the wrong PTE setting, which allows no permissions, but with V=1 and the PFN field pointing to the final page. Instead, the desired behavior is to turn it into a readable page, take an access (load/store) fault on sspush/sspop (shadow stack) and then perform COW on such pages. This way regular reads would still be allowed and not lead to COW maintaining current behavior of COW on non-shadow stack but writeable memory. On the other hand, this doesn't interfere with existing COW for read-write memory. The assumption is always that _PAGE_READ must have been set, and thus, setting _PAGE_READ is harmless. Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com> Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-9-b55691eacf4f@rivosinc.com [pjw@kernel.org: clarify patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit c70772a ("riscv/mm: Implement map_shadow_stack() syscall") category: feature Link: RVCK-Project#255 -------------------------------- As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the existing mmap() and madvise() syscalls do not map entirely well onto the security requirements for shadow stack memory since they lead to windows where memory is allocated but not yet protected or stacks which are not properly and safely initialised. Instead a new syscall map_shadow_stack() has been defined which allocates and initialises a shadow stack page. This patch implements this syscall for riscv. riscv doesn't require tokens to be setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Signed-off-by: Deepak Gupta <debug@rivosinc.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-10-b55691eacf4f@rivosinc.com Link: https://lore.kernel.org/linux-riscv/aXfRPJvoSsOW8AwM@debug.ba.rivosinc.com/ [pjw@kernel.org: added allocate_shadow_stack() fix per Deepak; fixed bug found by sparse] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit fd44a4a ("riscv/shstk: If needed allocate a new shadow stack on clone") category: feature Link: RVCK-Project#255 -------------------------------- Userspace specifies CLONE_VM to share address space and spawn new thread. 'clone' allows userspace to specify a new stack for a new thread. However there is no way to specify a new shadow stack base address without changing the API. This patch allocates a new shadow stack whenever CLONE_VM is given. In case of CLONE_VFORK, the parent is suspended until the child finishes; thus the child can use the parent's shadow stack. In case of !CLONE_VM, COW kicks in because entire address space is copied from parent to child. 'clone3' is extensible and can provide mechanisms for specifying the shadow stack as an input parameter. This is not settled yet and is being extensively discussed on the mailing list. Once that's settled, this code should be adapted. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-11-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 61a0200 ("riscv: Implement arch-agnostic shadow stack prctls") category: feature Link: RVCK-Project#255 -------------------------------- Implement an architecture-agnostic prctl() interface for setting and getting shadow stack status. The prctls implemented are PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS and PR_LOCK_SHADOW_STACK_STATUS. As part of PR_SET_SHADOW_STACK_STATUS/PR_GET_SHADOW_STACK_STATUS, only PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using 'sspush' or 'ssamoswap'. PR_LOCK_SHADOW_STACK_STATUS locks the current shadow stack enablement configuration. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-12-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-6.13 commit 91e102e ("prctl: arch-agnostic prctl for shadow stack") category: feature Link: RVCK-Project#255 -------------------------------- Three architectures (x86, aarch64, riscv) have announced support for shadow stacks with fairly similar functionality. While x86 is using arch_prctl() to control the functionality neither arm64 nor riscv uses that interface so this patch adds arch-agnostic prctl() support to get and set status of shadow stacks and lock the current configuation to prevent further changes, with support for turning on and off individual subfeatures so applications can limit their exposure to features that they do not need. The features are: - PR_SHADOW_STACK_ENABLE: Tracking and enforcement of shadow stacks, including allocation of a shadow stack if one is not already allocated. - PR_SHADOW_STACK_WRITE: Writes to specific addresses in the shadow stack. - PR_SHADOW_STACK_PUSH: Push additional values onto the shadow stack. These features are expected to be inherited by new threads and cleared on exec(), unknown features should be rejected for enable but accepted for locking (in order to allow for future proofing). This is based on a patch originally written by Deepak Gupta but modified fairly heavily, support for indirect landing pads is removed, additional modes added and the locking interface reworked. The set status prctl() is also reworked to just set flags, if setting/reading the shadow stack pointer is required this could be a separate prctl. Reviewed-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Acked-by: Yury Khrustalev <yury.khrustalev@arm.com> Signed-off-by: Mark Brown <broonie@kernel.org> Reviewed-by: Deepak Gupta <debug@rivosinc.com> Link: https://lore.kernel.org/r/20241001-arm64-gcs-v13-4-222b78d87eee@kernel.org Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-6.13 commit 3630e82 ("mman: Add map_shadow_stack() flags") category: feature Link: RVCK-Project#255 -------------------------------- In preparation for adding arm64 GCS support make the map_shadow_stack() SHADOW_STACK_SET_TOKEN flag generic and add _SET_MARKER. The existing flag indicates that a token usable for stack switch should be added to the top of the newly mapped GCS region while the new flag indicates that a top of stack marker suitable for use by unwinders should be added above that. For arm64 the top of stack marker is all bits 0. Reviewed-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Acked-by: Yury Khrustalev <yury.khrustalev@arm.com> Signed-off-by: Mark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/20241001-arm64-gcs-v13-5-222b78d87eee@kernel.org Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 5ca243f ("prctl: add arch-agnostic prctl()s for indirect branch tracking") category: feature Link: RVCK-Project#255 -------------------------------- Three architectures (x86, aarch64, riscv) have support for indirect branch tracking feature in a very similar fashion. On a very high level, indirect branch tracking is a CPU feature where CPU tracks branches which use a memory operand to transfer control. As part of this tracking, during an indirect branch, the CPU expects a landing pad instruction on the target PC, and if not found, the CPU raises some fault (architecture-dependent). x86 landing pad instr - 'ENDBRANCH' arch64 landing pad instr - 'BTI' riscv landing instr - 'lpad' Given that three major architectures have support for indirect branch tracking, this patch creates architecture-agnostic 'prctls' to allow userspace to control this feature. They are: - PR_GET_INDIR_BR_LP_STATUS: Get the current configured status for indirect branch tracking. - PR_SET_INDIR_BR_LP_STATUS: Set the configuration for indirect branch tracking. The following status options are allowed: - PR_INDIR_BR_LP_ENABLE: Enables indirect branch tracking on user thread. - PR_INDIR_BR_LP_DISABLE: Disables indirect branch tracking on user thread. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Reviewed-by: Mark Brown <broonie@kernel.org> Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-13-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description, code comments] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 8a9e22d ("riscv: Implement indirect branch tracking prctls") category: feature Link: RVCK-Project#255 -------------------------------- This patch adds a RISC-V implementation of the following prctls: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-14-b55691eacf4f@rivosinc.com [pjw@kernel.org: clean up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 9d42fc2 ("riscv/traps: Introduce software check exception and uprobe handling") category: feature Link: RVCK-Project#255 -------------------------------- The Zicfiss and Zicfilp extensions introduce a new exception, the 'software check exception', in the privileged ISA, with cause code = 18. This patch implements support for software check exceptions. Additionally, the patch implements a CFI violation handler which checks the code in the xtval register. If xtval=2, the software check exception happened because of an indirect branch that didn't land on a 4 byte aligned PC or on a 'lpad' instruction, or the label value embedded in 'lpad' didn't match the label value set in the x7 register. If xtval=3, the software check exception happened due to a mismatch between the link register (x1 or x5) and the top of shadow stack (on execution of `sspopchk`). In case of a CFI violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by the x86 shadow stack patches. To keep uprobes working, handle the uprobe event first before reporting the CFI violation in the software check exception handler. This is because, when the landing pad is activated, if the uprobe point is set at the lpad instruction at the beginning of a function, the system triggers a software check exception instead of an ebreak exception due to the exception priority. This would prevent uprobe from working. Reviewed-by: Zong Li <zong.li@sifive.com> Co-developed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-15-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up the patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 66c9c71 ("riscv/signal: save and restore the shadow stack on a signal") category: feature Link: RVCK-Project#255 -------------------------------- Save the shadow stack pointer in the sigcontext structure when delivering a signal. Restore the shadow stack pointer from sigcontext on sigreturn. As part of the save operation, the kernel uses the 'ssamoswap' instruction to save a snapshot of the current shadow stack on the shadow stack itself (this can be called a "save token"). During restore on sigreturn, the kernel retrieves the save token from the top of the shadow stack and validates it. This ensures that user mode can't arbitrarily pivot to any shadow stack address without having a token and thus provides a strong security assurance during the window between signal delivery and sigreturn. Use an ABI-compatible way of saving/restoring the shadow stack pointer into the signal stack. This follows the vector extension, where extra registers are placed in a form of extension header + extension body in the stack. The extension header indicates the size of the extra architectural states plus the size of header itself, and a magic identifier for the extension. Then, the extension body contains the new architectural states in the form defined by uapi. Signed-off-by: Andy Chiu <andy.chiu@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-17-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned patch description, code comments; resolved checkpatch warning] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 9d0e75e ("riscv/kernel: update __show_regs() to print shadow stack register") category: feature Link: RVCK-Project#255 -------------------------------- Update __show_regs() to print the captured shadow stack pointer. On tasks where shadow stack is disabled, simply print 0. Signed-off-by: Deepak Gupta <debug@rivosinc.com> Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-18-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
…e files mainline inclusion from mainline-7.0 commit 2af7c9c ("riscv/ptrace: expose riscv CFI status and state via ptrace and in core files") category: feature Link: RVCK-Project#255 -------------------------------- Expose a new register type NT_RISCV_USER_CFI for risc-v CFI status and state. Intentionally, both landing pad and shadow stack status and state are rolled into the CFI state. Creating two different NT_RISCV_USER_XXX would not be useful and would waste a note type. Enabling, disabling and locking the CFI feature is not allowed via ptrace set interface. However, setting 'elp' state or setting shadow stack pointer are allowed via the ptrace set interface. It is expected that 'gdb' might need to fixup 'elp' state or 'shadow stack' pointer. Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-19-b55691eacf4f@rivosinc.com [pjw@kernel.org: updated to apply; cleaned patch description and comments; addressed checkpatch issues] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 462a94f ("riscv: hwprobe: add support for RISCV_HWPROBE_KEY_IMA_EXT_1") category: feature Link: RVCK-Project#255 -------------------------------- We've run out of bits to describe RISC-V ISA extensions in our initial hwprobe key, RISCV_HWPROBE_KEY_IMA_EXT_0. So, let's add RISCV_HWPROBE_KEY_IMA_EXT_1, along with the framework to set the appropriate hwprobe tuple, and add testing for it. Based on a suggestion from Andrew Jones <andrew.jones@oss.qualcomm.com>, also fix the documentation for RISCV_HWPROBE_KEY_IMA_EXT_0. Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com> Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 30c3099 ("riscv/hwprobe: add zicfilp / zicfiss enumeration in hwprobe") category: feature Link: RVCK-Project#255 -------------------------------- Add enumeration of the zicfilp and zicfiss extensions in the hwprobe syscall. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-20-b55691eacf4f@rivosinc.com [pjw@kernel.org: updated to apply; extend into RISCV_HWPROBE_KEY_IMA_EXT_1; clean patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit c9b859c ("riscv: add kernel command line option to opt out of user CFI") category: feature Link: RVCK-Project#255 -------------------------------- Add a kernel command line option to disable part or all of user CFI. User backward CFI and forward CFI can be controlled independently. The kernel command line parameter "riscv_nousercfi" can take the following values: - "all" : Disable forward and backward cfi both - "bcfi" : Disable backward cfi - "fcfi" : Disable forward cfi Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-21-b55691eacf4f@rivosinc.com [pjw@kernel.org: fixed warnings from checkpatch; cleaned up patch description, doc, printk text] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 41213bf ("riscv: enable kernel access to shadow stack memory via the FWFT SBI call") category: feature Link: RVCK-Project#255 -------------------------------- The kernel has to perform shadow stack operations on the user shadow stack. During signal delivery and sigreturn, the shadow stack token must be created and validated respectively. Thus shadow stack access for the kernel must be enabled. In the future, when kernel shadow stacks are enabled, they must be enabled as early as possible for better coverage and to prevent any imbalance between the regular stack and the shadow stack. After 'relocate_enable_mmu' has completed, this is the earliest that it can be enabled. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-22-b55691eacf4f@rivosinc.com [pjw@kernel.org: updated to apply; cleaned up commit message] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit c6898d6 ("riscv: Check that vdso does not contain any dynamic relocations") category: feature Link: RVCK-Project#255 -------------------------------- Like other architectures, use the common cmd_vdso_check to make sure of that. Reviewed-by: Björn Töpel <bjorn@rivosinc.com> Tested-by: Vladimir Isaev <vladimir.isaev@syntacore.com> Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com> Reviewed-by: Guo Ren <guoren@kernel.org> Link: https://lore.kernel.org/r/20241016083625.136311-3-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit 37f57bd ("arch/riscv: compile vdso with landing pad and shadow stack note") category: feature Link: RVCK-Project#255 -------------------------------- User mode tasks compiled with Zicfilp may call indirectly into the vdso (like hwprobe indirect calls). Add support for compiling landing pads into the vdso. Landing pad instructions in the vdso will be no-ops for tasks which have not enabled landing pads. Furthermore, add support for the C sources of the vdso to be compiled with shadow stack and landing pads enabled as well. Landing pad and shadow stack instructions are emitted only when the VDSO_CFI cflags option is defined during compile. Signed-off-by: Jim Shu <jim.shu@sifive.com> Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-23-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description, issues reported by checkpatch] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit ccad8c1 ("arch/riscv: add dual vdso creation logic and select vdso based on hw") category: feature Link: RVCK-Project#255 -------------------------------- Shadow stack instructions are taken from the Zimop ISA extension, which is mandated on RVA23. Any userspace with shadow stack instructions in it will fault on hardware that doesn't have support for Zimop. Thus, a shadow stack-enabled userspace can't be run on hardware that doesn't support Zimop. It's not known how Linux userspace providers will respond to this kind of binary fragmentation. In order to keep kernel portable across different hardware, 'arch/riscv/kernel/vdso_cfi' is created which has Makefile logic to compile 'arch/riscv/kernel/vdso' sources with CFI flags, and 'arch/riscv/kernel/vdso.c' is modified to select the appropriate vdso depending on whether the underlying CPU implements the Zimop extension. Since the offset of vdso symbols will change due to having two different vdso binaries, there is added logic to include a new generated vdso offset header and dynamically select the offset (like for rt_sigreturn). Signed-off-by: Deepak Gupta <debug@rivosinc.com> Acked-by: Charles Mirabile <cmirabil@redhat.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-24-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
…port mainline inclusion from mainline-7.0 commit 22c1e26 ("riscv: create a Kconfig fragment for shadow stack and landing pad support") category: feature Link: RVCK-Project#255 -------------------------------- This patch creates a Kconfig fragment for shadow stack support and landing pad instruction support. Shadow stack support and landing pad instruction support can be enabled by selecting 'CONFIG_RISCV_USER_CFI'. Selecting 'CONFIG_RISCV_USER_CFI' wires up the path to enumerate CPU support. If support exists, the kernel will support CPU-assisted user mode CFI. If CONFIG_RISCV_USER_CFI is selected, select 'ARCH_USES_HIGH_VMA_FLAGS', 'ARCH_HAS_USER_SHADOW_STACK' and 'DYNAMIC_SIGFRAME' for riscv. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-25-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up patch description, Kconfig text; added CONFIG_MMU exclusion] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit f6eeb67 ("riscv: add documentation for landing pad / indirect branch tracking") category: feature Link: RVCK-Project#255 -------------------------------- Add documentation on landing pad aka indirect branch tracking on riscv and the kernel interfaces exposed for user tasks to enable it. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-26-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up the documentation] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit c8350aa ("riscv: add documentation for shadow stack") category: feature Link: RVCK-Project#255 -------------------------------- Add documentation on shadow stack for user mode on riscv and the kernel interfaces exposed for user tasks to enable it. Reviewed-by: Zong Li <zong.li@sifive.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-27-b55691eacf4f@rivosinc.com [pjw@kernel.org: cleaned up the documentation, patch description] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
mainline inclusion from mainline-7.0 commit d30c168 ("kselftest/riscv: add kselftest for user mode CFI") category: feature Link: RVCK-Project#255 -------------------------------- Add a kselftest for RISC-V control flow integrity implementation for user mode. There is not a lot going on in the kernel to enable landing pad for user mode. CFI selftests are intended to be compiled with a zicfilp and zicfiss enabled compiler. This kselftest simply checks if landing pads and shadow stacks for the process are enabled or not and executes ptrace selftests on CFI. The selftest then registers a SIGSEGV signal handler. Any control flow violations are reported as SIGSEGV with si_code = SEGV_CPERR. The test will fail on receiving any SEGV_CPERR. The shadow stack part has more changes in the kernel, and thus there are separate tests for that. - Exercise 'map_shadow_stack' syscall - 'fork' test to make sure COW works for shadow stack pages - gup tests Kernel uses FOLL_FORCE when access happens to memory via /proc/<pid>/mem. Not breaking that for shadow stack. - signal test. Make sure signal delivery results in token creation on shadow stack and consumes (and verifies) token on sigreturn - shadow stack protection test. attempts to write using regular store instruction on shadow stack memory must result in access faults - ptrace test: adds landing pad violation, clears ELP and continues In case the toolchain doesn't support the CFI extension, the CFI kselftest won't be built. Test output =========== """ TAP version 13 1..5 This is to ensure shadow stack is indeed enabled and working This is to ensure shadow stack is indeed enabled and working ok 1 shstk fork test ok 2 map shadow stack syscall ok 3 shadow stack gup tests ok 4 shadow stack signal tests ok 5 memory protections of shadow stack memory """ Suggested-by: Charlie Jenkins <charlie@rivosinc.com> Signed-off-by: Charlie Jenkins <charlie@rivosinc.com> Signed-off-by: Deepak Gupta <debug@rivosinc.com> Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6 Tested-by: Valentin Haudiquet <valentin.haudiquet@canonical.com> Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-28-b55691eacf4f@rivosinc.com [pjw@kernel.org: updated to apply; cleaned up patch description, code comments] Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com> Signed-off-by: ZhenXing Zhu <zhenxing.zhu@linux.alibaba.com>
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
925b5ad to
15c9dc0
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26792771946 参数解析结果
测试完成 详细结果:
Kunit Test Result[01:35:55] Testing complete. Ran 482 tests: passed: 466, skipped: 16
Kernel Build Result
Check Patch Result
|
zhuzhenxxx-collab
force-pushed
the
feat/cfi
branch
from
15c9dc0 to
190f1a9
Compare
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26809468720 参数解析结果
测试完成 详细结果:
Kunit Test Result[09:02:28] Testing complete. Ran 482 tests: passed: 466, skipped: 16
Kernel Build Result
Check Patch Result
|
Contributor
|
补丁有在正常审阅。我们在排查lavaci大面积不过的原因,通过ci后会合并。 |
|
开始测试 log: https://github.com/RVCK-Project/rvck/actions/runs/26809468720 参数解析结果
测试完成 详细结果:
Kunit Test Result[02:36:33] Testing complete. Ran 482 tests: passed: 466, skipped: 16
Kernel Build Result
Check Patch Result
LAVA Check (qemu)
result: Lava check done!
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
12 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add user-space Control Flow Integrity support for RISC-V, based on the Zicfilp (Landing Pad) and Zicfiss (Shadow Stack) ISA extensions.
What's included
This PR contains 47 patches in total:
The CFI series adds Zicfilp/Zicfiss support, shadow stack, landing pad / indirect branch tracking, CFI-related prctl/ptrace support, CFI vDSO handling, documentation, and kselftests.
How to enable
Related issue
#255