Similar to what has been available on Intel and AMD processors for users with the [1]shadow stack for [2]control-flow integrity , Linux on RISC-V is finally ready to roll-out its user-space control-flow integrity support.

After going through [3]23 rounds of patches , the Control Flow Integrity "CFI" for user-mode on RISC-V is approaching the mainline kernel. This security feature is for fending off ROP attacks manipulating the control flow of the user-space software to gain control. RISC-V uses the "zicfilp" instruction to enforce that all indirect calls land on a landing pad "lpad" instruction or will otherwise raise a software check exception. There are also RISC-V instructions introduced for helping ensure the return flow of software.

x86_64 and AArch64 already support user-space control-flow integrity for Linux with capable CPUs while RISC-V is joining the party now that these patches are finally baked. Those patches have made it into [4]risv/linux.git's "for-next" Git branch . With these RISC-V user-mode CFI patches now in their "for-next" queue, they should be submitted as part of the upcoming Linux 7.0 merge window in February.

The patches add a new RISCV_USER_CFI Kconfig kernel option at build-time for enabling RISC-V user-space control flow integrity, assuming the RISC-V processors being used support the necessary instructions. For enabled kernels and where having the necessary RISC-V hardware support, the patches also add a new riscv_nousercfi= command line boot option for the kernel with a value of all possible to disable the user control-flow integrity, bcfi to disable user-backward CFI ABI, or fcfi to disable the user-forward CFI ABI.



[1] https://www.phoronix.com/search/shadow+stack

[2] https://www.phoronix.com/search/control-flow+integrity

[3] https://lore.kernel.org/all/20251112-v5_user_cfi_series-v23-0-b55691eacf4f@rivosinc.com/

[4] https://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git/log/?h=for-next