From: Deepak Gupta <debug@rivosinc.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
"Yu, Yu-cheng" <yu-cheng.yu@intel.com>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"broonie@kernel.org" <broonie@kernel.org>,
"pjw@kernel.org" <pjw@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"zong.li@sifive.com" <zong.li@sifive.com>
Subject: Re: [GIT PULL] RISC-V updates for v7.0
Date: Thu, 26 Feb 2026 13:04:19 -0800 [thread overview]
Message-ID: <aaC1UwUpGebEL5Rt@debug.ba.rivosinc.com> (raw)
In-Reply-To: <20260226132342.GC606826@noisy.programming.kicks-ass.net>
Hi Peter,
Responses inline.
On Thu, Feb 26, 2026 at 02:23:42PM +0100, Peter Zijlstra wrote:
>On Wed, Feb 18, 2026 at 05:57:45PM -0800, Deepak Gupta wrote:
>
>> x86 doesn't have any equivalent BTI bit in PTEs to mark code pages. IIRC, it
>> does have mechanism where a bitmap has to be prepared and each entry in bitmap
>> encodes whether a page is legacy code page (without `endbr64`) or a modern code
>> page (with `endbr64`). And CPU will consult this bitmap to suppress the fault.
>
>So; all of this is only ever relevant for programs that are mixing CFI
>and !CFI code. If a program has no CFI, all good. If a program is all
>CFI enabled, also all good.
>
>If it starts mixing things, then you get to be 'creative'.
>
>Now the thing is, if you start to do that you need to deal with both
>forward CFI (BTI) and backward CFI (shadow-stack) #CF exceptions. That
>bitmap, that can only deal with BTI, but doesn't help with shadow
>stack, so its useless.
>
>My proposal was to ignore that whole bitmap; that's dead hardware, never
>used. Instead use a software PTE bit, like ARM has, and simply eat the
>#CF look at PTE and figure out what to do.
IIRC, arm has hardware PTE bit saying this is a guarded page. That can be kept
in ITLB as part of virt addr translation during instruction fetch. So whenever
indir_call --> target happens, if target translation was already in ITLB, CPU
already knows whether to suppress the fault or not, without going to kernel.
In x86 case, using a software PTE bit would be different. There will be a fault
always and kernel won't be able to make a decision on what to do. It'll need
some delegating authority to make that decision. That delegating authority can
be a signal handler in userspace which may need a bitmap/auxilliary data
structure of sort to make that decision whether target address is a taken target
or should not be taken.
So decision point is either
- do a software bitmap or
- hardware bitmap (legacy interworking bitmap)
(both will be slow).
OR
Just don't allow/support that configuration to enable CFI. And put onus on
workload owner to do the work to enable the feature.
Sidenote: I wish we were able to convince someone certain in Redmond to give a
sw bit back and this all would have been nicer. Given there wasn't a lot of
traction from open source for this feature, it was mostly a redmond driven
feature.
>
>Yes, this is 'slow', but my claim is that this doesn't matter. There are
>2 ways out of this slow-ness:
>
> - fully disable CFI for your program (probably not the thing you want,
> but a quick fix, and not really less secure than partial CFI anyway).
>
> - fully enable CFI for your program (might be a bit of work).
>
>The whole mixed thing is a transition state where userspace doesn't have
>its ducks in a row. It will go away.
I have spent 8 years defining features to kill class of low-level exploits back
at Intel. And then next 6 years in places where software is deployed on these
CPUs.
I am a security engineer and would have loved to get these features enabled.
But in all honesty, I am yet to see anyone at these places (hyperscalars)
willing to give up an ounce of perf budget (1-2% demands discussion and strong
justification) for enabling just the shadow stack feature.
So my advise would be not to care about enabling path where there is a perf hit.
Keep it simple
- Enable when all binaries have feature awareness.
- Disable when there is one binary with no feature awareness.
>
>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
WARNING: multiple messages have this Message-ID (diff)
From: Deepak Gupta <debug@rivosinc.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
"Yu, Yu-cheng" <yu-cheng.yu@intel.com>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"broonie@kernel.org" <broonie@kernel.org>,
"pjw@kernel.org" <pjw@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"zong.li@sifive.com" <zong.li@sifive.com>
Subject: Re: [GIT PULL] RISC-V updates for v7.0
Date: Thu, 26 Feb 2026 13:04:19 -0800 [thread overview]
Message-ID: <aaC1UwUpGebEL5Rt@debug.ba.rivosinc.com> (raw)
In-Reply-To: <20260226132342.GC606826@noisy.programming.kicks-ass.net>
Hi Peter,
Responses inline.
On Thu, Feb 26, 2026 at 02:23:42PM +0100, Peter Zijlstra wrote:
>On Wed, Feb 18, 2026 at 05:57:45PM -0800, Deepak Gupta wrote:
>
>> x86 doesn't have any equivalent BTI bit in PTEs to mark code pages. IIRC, it
>> does have mechanism where a bitmap has to be prepared and each entry in bitmap
>> encodes whether a page is legacy code page (without `endbr64`) or a modern code
>> page (with `endbr64`). And CPU will consult this bitmap to suppress the fault.
>
>So; all of this is only ever relevant for programs that are mixing CFI
>and !CFI code. If a program has no CFI, all good. If a program is all
>CFI enabled, also all good.
>
>If it starts mixing things, then you get to be 'creative'.
>
>Now the thing is, if you start to do that you need to deal with both
>forward CFI (BTI) and backward CFI (shadow-stack) #CF exceptions. That
>bitmap, that can only deal with BTI, but doesn't help with shadow
>stack, so its useless.
>
>My proposal was to ignore that whole bitmap; that's dead hardware, never
>used. Instead use a software PTE bit, like ARM has, and simply eat the
>#CF look at PTE and figure out what to do.
IIRC, arm has hardware PTE bit saying this is a guarded page. That can be kept
in ITLB as part of virt addr translation during instruction fetch. So whenever
indir_call --> target happens, if target translation was already in ITLB, CPU
already knows whether to suppress the fault or not, without going to kernel.
In x86 case, using a software PTE bit would be different. There will be a fault
always and kernel won't be able to make a decision on what to do. It'll need
some delegating authority to make that decision. That delegating authority can
be a signal handler in userspace which may need a bitmap/auxilliary data
structure of sort to make that decision whether target address is a taken target
or should not be taken.
So decision point is either
- do a software bitmap or
- hardware bitmap (legacy interworking bitmap)
(both will be slow).
OR
Just don't allow/support that configuration to enable CFI. And put onus on
workload owner to do the work to enable the feature.
Sidenote: I wish we were able to convince someone certain in Redmond to give a
sw bit back and this all would have been nicer. Given there wasn't a lot of
traction from open source for this feature, it was mostly a redmond driven
feature.
>
>Yes, this is 'slow', but my claim is that this doesn't matter. There are
>2 ways out of this slow-ness:
>
> - fully disable CFI for your program (probably not the thing you want,
> but a quick fix, and not really less secure than partial CFI anyway).
>
> - fully enable CFI for your program (might be a bit of work).
>
>The whole mixed thing is a transition state where userspace doesn't have
>its ducks in a row. It will go away.
I have spent 8 years defining features to kill class of low-level exploits back
at Intel. And then next 6 years in places where software is deployed on these
CPUs.
I am a security engineer and would have loved to get these features enabled.
But in all honesty, I am yet to see anyone at these places (hyperscalars)
willing to give up an ounce of perf budget (1-2% demands discussion and strong
justification) for enabling just the shadow stack feature.
So my advise would be not to care about enabling path where there is a perf hit.
Keep it simple
- Enable when all binaries have feature awareness.
- Disable when there is one binary with no feature awareness.
>
>
next prev parent reply other threads:[~2026-02-26 21:04 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-12 23:39 [GIT PULL] RISC-V updates for v7.0 Paul Walmsley
2026-02-12 23:39 ` Paul Walmsley
2026-02-13 3:35 ` Linus Torvalds
2026-02-13 3:35 ` Linus Torvalds
2026-02-14 0:23 ` Paul Walmsley
2026-02-14 0:23 ` Paul Walmsley
2026-02-14 4:14 ` Linus Torvalds
2026-02-14 4:14 ` Linus Torvalds
2026-02-16 21:54 ` Linus Walleij
2026-02-16 21:54 ` Linus Walleij
2026-02-16 14:20 ` Mark Brown
2026-02-16 14:20 ` Mark Brown
2026-02-16 21:55 ` Linus Torvalds
2026-02-16 21:55 ` Linus Torvalds
2026-02-18 19:57 ` Deepak Gupta
2026-02-18 19:57 ` Deepak Gupta
2026-02-18 21:58 ` Edgecombe, Rick P
2026-02-18 21:58 ` Edgecombe, Rick P
2026-02-19 0:01 ` Mark Brown
2026-02-19 0:01 ` Mark Brown
2026-02-19 1:28 ` Deepak Gupta
2026-02-19 1:28 ` Deepak Gupta
2026-02-19 1:57 ` Deepak Gupta
2026-02-19 1:57 ` Deepak Gupta
2026-02-19 17:40 ` Edgecombe, Rick P
2026-02-19 17:40 ` Edgecombe, Rick P
2026-02-26 13:23 ` Peter Zijlstra
2026-02-26 13:23 ` Peter Zijlstra
2026-02-26 21:04 ` Deepak Gupta [this message]
2026-02-26 21:04 ` Deepak Gupta
2026-02-13 3:37 ` pr-tracker-bot
2026-02-13 3:37 ` pr-tracker-bot
2026-02-20 4:11 ` patchwork-bot+linux-riscv
2026-02-20 4:11 ` patchwork-bot+linux-riscv
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaC1UwUpGebEL5Rt@debug.ba.rivosinc.com \
--to=debug@rivosinc.com \
--cc=broonie@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=yu-cheng.yu@intel.com \
--cc=zong.li@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.