In VU/VS mode, accessing $ssp CSR will trigger the virtual instruction
exception instead of illegal instruction exception if SSE is disabled
via xenvcfg CSRs.

This is from RISC-V CFI v1.0 spec ch2.2.4. Shadow Stack Pointer

Signed-off-by: Jim Shu <jim.shu@sifive.com>
---
 target/riscv/csr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 8842e07a73..0299a214ef 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -204,6 +204,8 @@ static RISCVException cfi_ss(CPURISCVState *env, int csrno)
 #if !defined(CONFIG_USER_ONLY)
         if (env->debugger) {
             return RISCV_EXCP_NONE;
+        } else if (env->virt_enabled) {
+            return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
         }
 #endif
         return RISCV_EXCP_ILLEGAL_INST;
-- 
2.43.0

On Wed, Sep 24, 2025 at 5:49 PM Jim Shu <jim.shu@sifive.com> wrote:
>
> In VU/VS mode, accessing $ssp CSR will trigger the virtual instruction
> exception instead of illegal instruction exception if SSE is disabled
> via xenvcfg CSRs.
>
> This is from RISC-V CFI v1.0 spec ch2.2.4. Shadow Stack Pointer
>
> Signed-off-by: Jim Shu <jim.shu@sifive.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
>  target/riscv/csr.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index 8842e07a73..0299a214ef 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -204,6 +204,8 @@ static RISCVException cfi_ss(CPURISCVState *env, int csrno)
>  #if !defined(CONFIG_USER_ONLY)
>          if (env->debugger) {
>              return RISCV_EXCP_NONE;
> +        } else if (env->virt_enabled) {
> +            return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
>          }
>  #endif
>          return RISCV_EXCP_ILLEGAL_INST;
> --
> 2.43.0
>
>