From: Deepak Gupta <debug@rivosinc.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: "Paul Walmsley" <pjw@kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>,
"Paul Walmsley" <paul.walmsley@sifive.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Conor Dooley" <conor@kernel.org>,
"Rob Herring" <robh@kernel.org>,
"Krzysztof Kozlowski" <krzk+dt@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Christian Brauner" <brauner@kernel.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"Eric Biederman" <ebiederm@xmission.com>,
"Kees Cook" <kees@kernel.org>, "Jonathan Corbet" <corbet@lwn.net>,
"Shuah Khan" <shuah@kernel.org>, "Jann Horn" <jannh@google.com>,
"Conor Dooley" <conor+dt@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Benno Lossin" <lossin@kernel.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-riscv@lists.infradead.org,
devicetree@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org,
alistair.francis@wdc.com, richard.henderson@linaro.org,
jim.shu@sifive.com, "Andy Chiu" <andybnac@gmail.com>,
kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com,
evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com,
samitolvanen@google.com, broonie@kernel.org,
rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org,
"Zong Li" <zong.li@sifive.com>,
"David Hildenbrand" <david@redhat.com>,
"Heinrich Schuchardt" <heinrich.schuchardt@canonical.com>,
bharrington@redhat.com, "Aurelien Jarno" <aurel32@debian.org>,
bergner@tenstorrent.com, jeffreyalaw@gmail.com
Subject: Re: [PATCH v19 00/27] riscv control-flow integrity for usermode
Date: Tue, 30 Sep 2025 17:13:21 -0700 [thread overview]
Message-ID: <aNxyIeVB8Rjsu6wW@debug.ba.rivosinc.com> (raw)
In-Reply-To: <lhuldlwgpij.fsf@oldenburg.str.redhat.com>
On Tue, Sep 30, 2025 at 01:15:32PM +0200, Florian Weimer wrote:
>* Deepak Gupta:
>
>> Any distro who is shipping userspace (which all of them are) along
>> with kernel will not be shipping two different userspaces (one with
>> shadow stack and one without them). If distro are shipping two
>> different userspaces, then they might as well ship two different
>> kernels. Tagging some distro folks here to get their take on shipping
>> different userspace depending on whether hardware is RVA23 or
>> not. @Heinrich, @Florian, @redbeard and @Aurelien.
>>
>> Major distro's have already drawn a distinction here that they will drop
>> support for hardware which isn't RVA23 for the sake of keeping binary
>> distribution simple.
>
>The following are just my personal thoughts.
>
>For commercial distributions, I just don't see how things work out if
>you have hardware that costs less than (say) $30 over its lifetime, and
>you want LTS support for 10+ years. The existing distribution business
>models aren't really compatible with such low per-node costs. So it
>makes absolute sense for distributions to target more powerful cores,
>and therefore require RVA23. Nobody is suggesting that mainstream
>distributions should target soft-float, either.
>
>For community distributions, it is a much tougher call. Obsoleting
>virtually all existing hardware sends a terrible signal to early
>supporters of the architecture. But given how limited the RISC-V
>baseline ISA is, I'm not sure if there is much of a choice here. Maybe
>it's possible to soften the blow by committing to (say) two more years
>of baseline ISA support, and then making the switch, assuming that RVA23
>hardware for local installation is widely available by then.
Yes that's totally fine. Distro (community or commercial) get to decide.
They aren't forced to make a decision of RVA23 switch. Question is about
"Once they switch to RVA23 on say release `A`, will they build release `A`
for non-RVA23 as well".
Once they make a switch, I do not expect the userspace they're building
to be able to run on older hardware because it'll have zimop instruction
in them in epilogue and prologue.
Sure, they can keep supporting older releases, keep building userspace
without cfi/non-rva23 and thus they should be building kernel without
cfi config as well for those releases.
New release (RVA23) isn't expected to run on older hardware. If new userspace
is not going to be able to run on older hardware and new userspace isn't
making an effort to have runtime selection of binaries depending on which
hardware it is running, Is it worth the effort to have two vDSO in kernel
and expose the one depending on which hardware its running? It's just added
complexity for usecase which I don't really see a usecase.
Yes a savvy kernel hacker might have a need where they want to build a kernel
with RVA23 and transport it on all kind of hardware but that's a very corner
use-case.
At the very least this corner use case shouldn't block these patches from
being taken in 6.18. Current patches don't block such future capability (if any
one feels like this is really needed).
>
>However, my real worry is that in the not-too-distant future, another
>ISA transition will be required after RVA23. This is not entirely
>hypothetical because RVA23 is still an ISA designed mostly for C (at
>least in the scalar space, I don't know much about the vector side).
>Other architectures carry forward support for efficient overflow
>checking (as required by Ada and some other now less-popular languages,
>and as needed for efficiently implementing fixnums with arbitrary
>precision fallback). Considering current industry trends, it is not
>inconceivable that these ISA features become important again in the near
>term.
>
I can only be optimistic here and hope that enough ecosystem adoption would
prevent such breaks in transition.
>You can see the effect of native overflow checking support if you look
>at Ada code examples with integer arithmetic. For example, this:
>
>function Fib (N: Integer) return Integer is
>begin
> if N <= 1 then
> return N;
> else
> return Fib (N - 1) + Fib (N - 2);
> end if;
>end;
>
>produces about 370 RISC-V instructions with -gnato, compared to 218
>instructions with -gnato0 and overflow checking disabled (using GCC
>trunk). For GCC 15, the respective instruction counts are 301 and 258
>for x86-64, and 288 and 244 for AArch64. RVA23 reduces the instruction
>count with overflow checking to 353. A further reduction should be
>possible once GCC starts using xnor in its overflow checks, but I expect
>that the overhead from overflow checking will remain high.
>
>Thanks,
>Florian
>
next prev parent reply other threads:[~2025-10-01 0:13 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-31 23:19 [PATCH v19 00/27] riscv control-flow integrity for usermode Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 01/27] mm: VM_SHADOW_STACK definition for riscv Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 02/27] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml) Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 03/27] riscv: zicfiss / zicfilp enumeration Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 04/27] riscv: zicfiss / zicfilp extension csr and bit definitions Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 05/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 06/27] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 07/27] riscv/mm: manufacture shadow stack pte Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 08/27] riscv/mm: teach pte_mkwrite to manufacture shadow stack PTEs Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 09/27] riscv/mm: write protect and shadow stack Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 10/27] riscv/mm: Implement map_shadow_stack() syscall Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 11/27] riscv/shstk: If needed allocate a new shadow stack on clone Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 12/27] riscv: Implements arch agnostic shadow stack prctls Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 13/27] prctl: arch-agnostic prctl for indirect branch tracking Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 14/27] riscv: Implements arch agnostic indirect branch tracking prctls Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 15/27] riscv/traps: Introduce software check exception and uprobe handling Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 16/27] riscv: signal: abstract header saving for setup_sigcontext Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 17/27] riscv/signal: save and restore of shadow stack for signal Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 18/27] riscv/kernel: update __show_regs to print shadow stack register Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 19/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 20/27] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 21/27] riscv: kernel command line option to opt out of user cfi Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 22/27] riscv: enable kernel access to shadow stack memory via FWFT sbi call Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 23/27] arch/riscv: compile vdso with landing pad and shadow stack note Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 24/27] riscv: create a config for shadow stack and landing pad instr support Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 25/27] riscv: Documentation for landing pad / indirect branch tracking Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 26/27] riscv: Documentation for shadow stack on riscv Deepak Gupta
2025-07-31 23:19 ` [PATCH v19 27/27] kselftest/riscv: kselftest for user mode cfi Deepak Gupta
2025-08-01 1:09 ` [PATCH v19 00/27] riscv control-flow integrity for usermode Benjamin LaHaise
2025-08-06 17:15 ` patchwork-bot+linux-riscv
2025-08-07 12:28 ` Mark Brown
2025-08-08 8:23 ` Deepak Gupta
2025-08-08 11:48 ` Mark Brown
2025-08-08 17:20 ` Deepak Gupta
2025-09-24 14:36 ` Paul Walmsley
2025-09-24 18:40 ` Deepak Gupta
2025-09-25 12:30 ` Andy Chiu
2025-09-25 14:30 ` Deepak Gupta
2025-09-30 11:15 ` Florian Weimer
2025-10-01 0:13 ` Deepak Gupta [this message]
2025-09-26 19:29 ` Charles Mirabile
2025-09-26 19:52 ` Charles Mirabile
2025-09-26 20:03 ` Deepak Gupta
2025-09-26 19:57 ` Deepak Gupta
2025-09-26 20:28 ` Charles Mirabile
2025-09-26 21:07 ` Deepak Gupta
2025-09-30 9:20 ` Florian Weimer
2025-09-30 23:48 ` Deepak Gupta
2025-10-02 11:45 ` Florian Weimer
2025-10-02 16:45 ` Deepak Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aNxyIeVB8Rjsu6wW@debug.ba.rivosinc.com \
--to=debug@rivosinc.com \
--cc=Liam.Howlett@oracle.com \
--cc=a.hindborg@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alex.gaynor@gmail.com \
--cc=alexghiti@rivosinc.com \
--cc=aliceryhl@google.com \
--cc=alistair.francis@wdc.com \
--cc=andybnac@gmail.com \
--cc=aou@eecs.berkeley.edu \
--cc=arnd@arndb.de \
--cc=atishp@rivosinc.com \
--cc=aurel32@debian.org \
--cc=bergner@tenstorrent.com \
--cc=bharrington@redhat.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=charlie@rivosinc.com \
--cc=cleger@rivosinc.com \
--cc=conor+dt@kernel.org \
--cc=conor@kernel.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=devicetree@vger.kernel.org \
--cc=ebiederm@xmission.com \
--cc=evan@rivosinc.com \
--cc=fweimer@redhat.com \
--cc=gary@garyguo.net \
--cc=heinrich.schuchardt@canonical.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jeffreyalaw@gmail.com \
--cc=jim.shu@sifive.com \
--cc=kees@kernel.org \
--cc=kito.cheng@sifive.com \
--cc=krzk+dt@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=lossin@kernel.org \
--cc=mingo@redhat.com \
--cc=ojeda@kernel.org \
--cc=oleg@redhat.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=richard.henderson@linaro.org \
--cc=rick.p.edgecombe@intel.com \
--cc=robh@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=samitolvanen@google.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=tmgross@umich.edu \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
--cc=zong.li@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).