Add riscv64 support

README.md

@@ -267,6 +267,7 @@ with
 
 - x86_64
 - aarch64
+- riscv64 (Only the trap mode and the seccomp mode are available)
 
 ## License
 

docs/architecture.md

@@ -174,6 +174,8 @@ host-kernel calls. `mmap` and `epoll_*` are deliberately excluded
 because they need W^X enforcement, shadow validation, or FD-table
 gating that the fast-path cannot perform.
 
+On **riscv64**, the rewrite mode is not available now.
+
 Each site is classified as WRAPPER (simple `syscall; ret` pattern,
 eligible for inline virtualized return: getpid=1, gettid=1, getppid=0)
 or COMPLEX (result consumed internally by helpers like `raise()` that

mk/toolchain.mk

@@ -29,6 +29,11 @@ CFLAGS  += -Wno-unused-parameter
 CFLAGS  += -Iinclude -Isrc
 LDFLAGS += -Wl,-z,noexecstack -Wl,-z,separate-code
 
+# Disable link relaxation of riscv64 architecture to prevent long link time
+ifeq ($(ARCH),riscv64)
+	LDFLAGS += -Wl,--no-relax
+endif
+
 # Build mode from Kconfig (fallback to BUILD= for unconfigured builds)
 ifeq ($(CONFIG_BUILD_RELEASE),y)
   CFLAGS  += -O2 -DNDEBUG

scripts/alpine-sha256.txt

@@ -1,2 +1,3 @@
 55ea3e5a7c2c35e6268c5dcbb8e45a9cd5b0e372e7b4e798499a526834f7ed90  alpine-minirootfs-3.21.0-x86_64.tar.gz
 f31202c4070c4ef7de9e157e1bd01cb4da3a2150035d74ea5372c5e86f1efac1  alpine-minirootfs-3.21.0-aarch64.tar.gz
+b2c5ed2be586aebd2da5dd13dbc96bc8cc41b72e517d0726dfbbb0a9810e66d6  alpine-minirootfs-3.21.0-riscv64.tar.gz

src/dispatch-misc.c

@@ -239,6 +239,8 @@ struct kbox_dispatch forward_uname(const struct kbox_syscall_request *req,
     snprintf(uts.machine, sizeof(uts.machine), "x86_64");
 #elif defined(__aarch64__)
     snprintf(uts.machine, sizeof(uts.machine), "aarch64");
+#elif (defined(__riscv) && __riscv_xlen == 64)
+    snprintf(uts.machine, sizeof(uts.machine), "riscv64");
 #else
     snprintf(uts.machine, sizeof(uts.machine), "unknown");
 #endif

src/elf.c

@@ -417,7 +417,7 @@ int kbox_build_elf_load_plan(const unsigned char *buf,
         p_memsz = read_le64(buf + off + P_MEMSZ_OFF);
         p_align = read_le64(buf + off + P_ALIGN_OFF);
 
-        if (p_filesz > p_memsz)
+        if (p_memsz && p_filesz > p_memsz)
             return -1;
 
         /* Validate that p_offset + p_filesz does not overflow.  We do

src/image.c

@@ -490,8 +490,8 @@ static const struct kbox_host_nrs *select_host_nrs(void)
 {
 #if defined(__x86_64__)
     return &HOST_NRS_X86_64;
-#elif defined(__aarch64__)
-    return &HOST_NRS_AARCH64;
+#elif defined(__aarch64__) || (defined(__riscv) && (__riscv_xlen == 64))
+    return &HOST_NRS_GENERIC;
 #else
     return NULL;
 #endif

src/loader-entry.c

@@ -17,6 +17,9 @@ static int machine_to_entry_arch(uint16_t machine,
     case 0xb7:
         *arch_out = KBOX_LOADER_ENTRY_ARCH_AARCH64;
         return 0;
+    case 0xf3:
+        *arch_out = KBOX_LOADER_ENTRY_ARCH_RISCV64;
+        return 0;
     default:
         return -1;
     }

src/loader-entry.h

@@ -9,6 +9,7 @@
 enum kbox_loader_entry_arch {
     KBOX_LOADER_ENTRY_ARCH_X86_64,
     KBOX_LOADER_ENTRY_ARCH_AARCH64,
+    KBOX_LOADER_ENTRY_ARCH_RISCV64
 };
 
 struct kbox_loader_entry_state {

src/loader-transfer.c

@@ -89,6 +89,24 @@ kbox_loader_transfer_to_guest(const struct kbox_loader_transfer_state *state)
         : "r"(sp), "r"(x0), "r"(x1), "r"(x2), "r"(x3), "r"(x4), "r"(x5),
           "r"(x16)
         : "memory");
+#elif defined(__riscv) && (__riscv_xlen == 64)
+    if (state->arch != KBOX_LOADER_ENTRY_ARCH_RISCV64)
+        __builtin_trap();
+    register uint64_t a0 __asm__("a0") = state->regs[0];
+    register uint64_t a1 __asm__("a1") = state->regs[1];
+    register uint64_t a2 __asm__("a2") = state->regs[2];
+    register uint64_t a3 __asm__("a3") = state->regs[3];
+    register uint64_t a4 __asm__("a4") = state->regs[4];
+    register uint64_t a5 __asm__("a5") = state->regs[5];
+    register uint64_t t0 __asm__("t0") = state->pc;
+    uint64_t sp = state->sp;
+
+    __asm__ volatile(
+        "mv sp, %0\n\t"
+        "jr t0\n\t"
+        :
+        : "r"(sp), "r"(a0), "r"(a1), "r"(a2), "r"(a3), "r"(a4), "r"(a5), "r"(t0)
+        : "memory");
 #else
     (void) state;
     __builtin_trap();

src/rewrite.c

@@ -608,10 +608,10 @@ static int encode_aarch64_virtual_procinfo_patch(
     if (aarch64_prev_insn_syscall_nr(image, image_len, site_off, &nr) < 0)
         return -1;
 
-    if (nr == (uint32_t) HOST_NRS_AARCH64.getpid ||
-        nr == (uint32_t) HOST_NRS_AARCH64.gettid) {
+    if (nr == (uint32_t) HOST_NRS_GENERIC.getpid ||
+        nr == (uint32_t) HOST_NRS_GENERIC.gettid) {
         value = 1;
-    } else if (nr == (uint32_t) HOST_NRS_AARCH64.getppid) {
+    } else if (nr == (uint32_t) HOST_NRS_GENERIC.getppid) {
         value = 0;
     } else {
         return -1;

src/seccomp-bpf.c

@@ -142,7 +142,7 @@ static const int deny_nrs[] = {
     153, /* vhangup */
 };
 
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64)
 static const int deny_nrs[] = {
     /* Seccomp manipulation */
     277, /* seccomp */

src/seccomp-defs.h

@@ -34,6 +34,8 @@
 #define KBOX_AUDIT_ARCH_CURRENT 0xc000003eU
 #elif defined(__aarch64__)
 #define KBOX_AUDIT_ARCH_CURRENT 0xc00000b7U
+#elif defined(__riscv) && __riscv_xlen == 64
+#define KBOX_AUDIT_ARCH_CURRENT 0xc00000f3U
 #else
 #error "unsupported architecture"
 #endif

src/seccomp-dispatch.c

@@ -33,28 +33,28 @@
 #ifndef __NR_pidfd_open
 #if defined(__x86_64__)
 #define __NR_pidfd_open 434
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && (__riscv_xlen == 64))
 #define __NR_pidfd_open 434
 #endif
 #endif
 #ifndef __NR_pidfd_getfd
 #if defined(__x86_64__)
 #define __NR_pidfd_getfd 438
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && (__riscv_xlen == 64))
 #define __NR_pidfd_getfd 438
 #endif
 #endif
 #ifndef __NR_faccessat2
 #if defined(__x86_64__)
 #define __NR_faccessat2 439
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && (__riscv_xlen == 64))
 #define __NR_faccessat2 439
 #endif
 #endif
 #ifndef __NR_statx
 #if defined(__x86_64__)
 #define __NR_statx 332
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && (__riscv_xlen == 64))
 #define __NR_statx 291
 #endif
 #endif

src/seccomp-supervisor.c

@@ -482,8 +482,8 @@ int kbox_run_supervisor(const struct kbox_sysnrs *sysnrs,
     /* Architecture-specific host syscall numbers for the BPF filter. */
 #if defined(__x86_64__)
     const struct kbox_host_nrs *host_nrs = &HOST_NRS_X86_64;
-#elif defined(__aarch64__)
-    const struct kbox_host_nrs *host_nrs = &HOST_NRS_AARCH64;
+#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64)
+    const struct kbox_host_nrs *host_nrs = &HOST_NRS_GENERIC;
 #else
 #error "Unsupported architecture"
 #endif

src/syscall-nr.c

@@ -353,7 +353,7 @@ const struct kbox_host_nrs HOST_NRS_X86_64 = {
     .readlink = 89,
 };
 
-const struct kbox_host_nrs HOST_NRS_AARCH64 = {
+const struct kbox_host_nrs HOST_NRS_GENERIC = {
     .openat = 56,
     .openat2 = 437,
     .open = -1,

src/syscall-nr.h

@@ -220,7 +220,7 @@ struct kbox_host_nrs {
 };
 
 extern const struct kbox_host_nrs HOST_NRS_X86_64;
-extern const struct kbox_host_nrs HOST_NRS_AARCH64;
+extern const struct kbox_host_nrs HOST_NRS_GENERIC;
 
 const struct kbox_sysnrs *detect_sysnrs(void);
 const char *syscall_name_from_nr(const struct kbox_host_nrs *h, int nr);