Support RISC-V Control Flow Integrity Extensions #3
kito-cheng
left a comment
Could you rename most variables about lp to lp_unlabeled, since we will have lp_func_sig in the future.
| This tunable is specific to aarch64. | ||
| @end deftp | ||
|
|
||
| @deftp Tunable glibc.cpu.riscv_cfi_lp |
| @deftp Tunable glibc.cpu.riscv_cfi_lp | |
| @deftp Tunable glibc.cpu.riscv_cfi_unlabeled_lp |
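Review bot: renaming only the @deftp line to glibc.cpu.riscv_cfi_unlabeled_lp leaves the tunable's body text and the enclosing @end deftp block describing the old generic "lp" control; the description that follows the @deftp should say this tunable governs unlabeled landing pads specifically, so it matches the unlabeled_lp member of dl_riscv_feature_control and the on/off/permissive semantics stated in the commit message. Check that no other place in the tunables documentation or the tunables list still refers to riscv_cfi_lp after the rename.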
|
|
||
| struct dl_riscv_feature_control | ||
| { | ||
| enum dl_riscv_cfi_control lp : 2; |
| enum dl_riscv_cfi_control lp : 2; | |
| enum dl_riscv_cfi_control unlabeled_lp : 2; |
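Review bot: the rename of the lp bit-field to unlabeled_lp must be applied together with the matching tunable rename (glibc.cpu.riscv_cfi_unlabeled_lp) and with every reader of the old lp member, otherwise the build breaks; the 2-bit width still fits the [on|off|permissive] enum described in the commit message, so no change to enum dl_riscv_cfi_control is needed. It would help to add a one-line comment on the field stating that it controls whether legacy objects without unlabeled landing pads may be loaded, since that policy is what the tunable exposes.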
Co-authored-by: Hau Hsu <[email protected]>
Add GNU properties used by RISC-V CFI extensions (zicfilp/zicfiss)
Landing pads, instructions for setting the label value, as well as alignment directives, are inserted where they should be. Frame offsets for floating point registers in _dl_runtime_resolve are also adjusted because t2 now has to be saved onto the stack. Co-authored-by: Hau Hsu <[email protected]> Co-authored-by: Kito Cheng <[email protected]>
Member l_riscv_feature_1_and is added to struct link_map, which stores the feature_1_and property information for each object. New global _dl_riscv_feature_1 will be used to store what features are finally enabled for this process.
These operations are for setting/retrieving/locking the status of the landing pad and the shadow stack extensions.
For static binaries, CFI is enabled inside ARCH_SETUP_TLS, with a macro to enable the shadow stack (to prevent underflowing the shadow stack on return) and with a function _dl_cfi_setup_features to enable the landing pad. It scans the program headers backward to find the PT_GNU_PROPERTY note first, then enables the CFI features corresponding to the feature bits. Co-authored-by: Deepak Gupta <[email protected]>
For dynamic binaries, CFI features are parsed from GNU properties, stored into GLRO(dl_riscv_feature_1) and later enabled in RTLD_START. Co-authored-by: Deepak Gupta <[email protected]>
dl_riscv_feature_control is a structure in which each member represents a feature configuration. At this time it's only used by CFI features. Each CFI feature is a 2-bit enum, which could be [on|off|permissive]; these values decide whether a new legacy object should be blocked while loaded dynamically, and can be controlled by glibc tunables.
Since longjmp to a previously setjmp'ed state could change the stack frame and involves stack frame unwinding, shadow stacks are also required to be unwound. The unwinding is implemented according to the zicfiss spec by increasing the ssp by a page size (4K) at most, to prevent it from accidentally pointing to another legal shadow stack page after the adjustment.
Switching between different ucontexts involves two cases: one where both share the same shadow stack, which requires an unwinding, and the other where each uses a different shadow stack, which requires a stack switch using a shadow stack restore token. By storing the shadow stack in ucontext_t and TLS, we can tell the difference and perform the corresponding action.
This patch adds support for shadow stack and landing pad to the ucontext library; shadow stack switches are protected by a shadow stack restore token which is validated during the switch. Co-authored-by: Nia Su <[email protected]>