On Thu, 23 Oct 2025, Deepak Gupta via B4 Relay wrote:
From: Deepak Gupta debug@rivosinc.com
Save shadow stack pointer in sigcontext structure while delivering signal. Restore shadow stack pointer from sigcontext on sigreturn.
As part of the save operation, the kernel uses `ssamoswap` to save a snapshot of the current shadow stack on the shadow stack itself (which can be called a save token). During restore on sigreturn, the kernel retrieves the token from the top of the shadow stack and validates it. This ensures that user mode can't arbitrarily pivot to any shadow stack address without having a token, and thus provides strong security assurance between the signal delivery and sigreturn window.
Use an ABI-compatible way of saving/restoring the shadow stack pointer into the signal stack. This follows what the Vector extension does, where extra registers are placed in the form of an extension header + extension body on the stack. The extension header indicates the size of the extra architectural state plus the size of the header itself, and a magic identifier of the extension. Then, the extension body contains the new architectural state in the form defined by uapi.
Signed-off-by: Andy Chiu andy.chiu@sifive.com
Signed-off-by: Deepak Gupta debug@rivosinc.com
This patch causes some 'checkpatch.pl --strict' messages:
CHECK: Comparison to NULL could be written "!saved_shstk_ptr"
#271: FILE: arch/riscv/kernel/usercfi.c:186:
+ if (saved_shstk_ptr == NULL)

CHECK: Lines should not end with a '('
#300: FILE: arch/riscv/kernel/usercfi.c:215:
+ pr_info_ratelimited(
I've fixed them up here in the event that v22 goes in, but please do the same on your side in case a new version is needed.
- Paul
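The save-token scheme the commit message describes (push a token onto the shadow stack at signal delivery, record the new pointer in sigcontext, and on sigreturn accept the user-supplied pointer only if a valid token sits there) is easy to misread as "the kernel trusts sigcontext". The following user-space model is an added example written for this page; it is not the kernel's usercfi.c code and it uses no RISC-V instructions. Its token layout is an assumption made for the model: the token is the pre-signal shadow stack pointer value, written into the new top slot, so a candidate pointer p is valid only if the word at p equals p + 8; the model also zeroes the token on a successful sigreturn so a frame cannot be replayed, which the quoted message does not say the kernel does. The helper names (shstk_save, shstk_restore, ss_amo_swap, the demo_* functions) are all invented here.

```c
/* Added illustration for this thread; NOT kernel code. Models the save-token
 * idea from the commit message with a plain array standing in for the shadow
 * stack and a plain swap standing in for ssamoswap. Token layout is an
 * ASSUMPTION of this model, not the Zicfiss or Linux encoding. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS_WORDS 16                 /* size of the model shadow stack, in words */
#define WORD sizeof(uintptr_t)

struct shstk {
    uintptr_t mem[SS_WORDS];        /* backing store; grows downward from mem[SS_WORDS] */
    uintptr_t ssp;                  /* shadow stack pointer: an address into mem */
};

struct sigcontext_model {
    uintptr_t ssp;                  /* what the kernel would store in the signal frame */
};

static uintptr_t ss_lo(const struct shstk *s) { return (uintptr_t)&s->mem[0]; }
static uintptr_t ss_hi(const struct shstk *s) { return (uintptr_t)&s->mem[SS_WORDS]; }

/* Stand-in for an atomic swap on shadow-stack memory (ssamoswap in the text). */
static uintptr_t ss_amo_swap(uintptr_t addr, uintptr_t val)
{
    uintptr_t *p = (uintptr_t *)addr;
    uintptr_t old = *p;
    *p = val;
    return old;
}

void shstk_init(struct shstk *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->ssp = ss_hi(s);              /* empty stack: pointer at the top of the region */
}

/* Ordinary call: push a return address. */
void shstk_push(struct shstk *s, uintptr_t ra)
{
    s->ssp -= WORD;
    *(uintptr_t *)s->ssp = ra;
}

/* Signal delivery: push a token holding the pre-signal ssp, then record the
 * new ssp in the signal frame. Returns -1 if the shadow stack is full. */
int shstk_save(struct shstk *s, struct sigcontext_model *sc)
{
    uintptr_t old = s->ssp;
    if (old < ss_lo(s) + WORD)
        return -1;
    s->ssp = old - WORD;
    ss_amo_swap(s->ssp, old);       /* token = previous ssp, at the new top */
    sc->ssp = s->ssp;
    return 0;
}

/* sigreturn: sc->ssp is user-controlled. Accept it only if it lies inside the
 * shadow stack and the word there is a token naming the slot just above it.
 * On success the token is consumed (swapped to 0). A real kernel would fault
 * the task on -1; this model just reports it. */
int shstk_restore(struct shstk *s, const struct sigcontext_model *sc)
{
    uintptr_t p = sc->ssp;
    if (p < ss_lo(s) || p + WORD > ss_hi(s) || p % WORD)
        return -1;                  /* not a word slot inside the shadow stack */
    uintptr_t tok = *(uintptr_t *)p;
    if (tok != p + WORD)
        return -1;                  /* not a save token: refuse the pivot */
    ss_amo_swap(p, 0);              /* consume the token so the frame is single-use */
    s->ssp = tok;
    return 0;
}

/* Genuine frame: ssp returns to its pre-signal value. Returns 1 on success. */
int demo_legit(void)
{
    struct shstk s; struct sigcontext_model sc;
    shstk_init(&s);
    shstk_push(&s, 0x1000);         /* constructed return address */
    uintptr_t before = s.ssp;
    if (shstk_save(&s, &sc) || s.ssp != before - WORD) return 0;
    if (shstk_restore(&s, &sc)) return 0;
    return s.ssp == before;
}

/* Forged frames: a pointer at a return-address slot, and one outside the stack,
 * are both refused; the genuine frame is still accepted afterwards. */
int demo_forged(void)
{
    struct shstk s; struct sigcontext_model sc, forged;
    shstk_init(&s);
    shstk_push(&s, 0x1000);
    shstk_push(&s, 0x2000);
    if (shstk_save(&s, &sc)) return 0;
    forged = sc;
    forged.ssp = sc.ssp + WORD;     /* slot holding 0x2000, not a token */
    if (shstk_restore(&s, &forged) == 0) return 0;
    forged.ssp = 0x10;              /* well outside the shadow stack */
    if (shstk_restore(&s, &forged) == 0) return 0;
    return shstk_restore(&s, &sc) == 0;
}

/* Replay: the same frame presented twice is refused the second time. */
int demo_replay(void)
{
    struct shstk s; struct sigcontext_model sc;
    shstk_init(&s);
    if (shstk_save(&s, &sc) || shstk_restore(&s, &sc)) return 0;
    return shstk_restore(&s, &sc) != 0;
}

int main(void)
{
    printf("legit sigreturn restores ssp: %s\n", demo_legit() ? "ok" : "FAIL");
    printf("forged ssp rejected:          %s\n", demo_forged() ? "ok" : "FAIL");
    printf("replayed frame rejected:      %s\n", demo_replay() ? "ok" : "FAIL");
    return 0;
}
```

The property the model exercises is the one the message claims: sigcontext is writable by user mode, so the pointer in it proves nothing by itself; what protects the sigreturn path is that the kernel will only move ssp to a slot that carries a token it wrote earlier. The caveat to keep in mind with any token-on-stack scheme is that the check is only as strong as the token's distinguishability from ordinary entries: here a return-address slot whose value happens to equal its own address plus one word would pass, which is why the test above uses constructed addresses that cannot collide with the array.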