While many open-source enthusiasts like to flaunt RISC-V as not having the security challenges as x86_64 CPUs have seen over the past several years with various speculative execution / side-channel attacks and arguing for the benefits of an open-source ISA in stronger security, in practice it's not so clear-cut. Security researchers at Germany's CISPA Helmholtz Center for Information Security have found current RISC-V CPU implementations coming up short for their actual security.

Fabian Thomas and Lukas Gerlach of CISPA presented at FOSDEM 2026 this weekend in Brussels on RISC-V CPU security. They have been evaluating the security of RISC_V processor implementations in relation to the transient execution attacks and security problems that have given x86_64 CPUs much frustration in recent years. Unfortunately, the RISC-V situation isn't nearly as ideal and even with being a younger and cleaner ISA, there are vulnerabilities. There's also the matter of Linux kernel Spectre patches for RISC-V lagging behind and only working their way to mainline now, even though they are vulnerable too and years after Arm and x86 processors saw their Spectre mitigations land.

We’ve teamed up with the Linux Foundation to launch Porting Software to RISC-V (LFD114), a free, self-paced course for experienced engineers who need to move performance-critical software to RISC-V with confidence. Designed for professionals working close to the hardware, this advanced course focuses on real-world porting challenges across instruction sets, operating systems, and firmware.

RISC-V adoption is accelerating across artificial intelligence (AI) and machine learning (ML), embedded systems, data centers, automotive, high performance computing, and custom silicon. But organizations don’t start from scratch, they bring decades of existing platform software with them.

Similar to what has been available on Intel and AMD processors for users with the shadow stack for control-flow integrity, Linux on RISC-V is finally ready to roll-out its user-space control-flow integrity support.

After going through 23 rounds of patches, the Control Flow Integrity "CFI" for user-mode on RISC-V is approaching the mainline kernel. This security feature is for fending off ROP attacks manipulating the control flow of the user-space software to gain control. RISC-V uses the "zicfilp" instruction to enforce that all indirect calls land on a landing pad "lpad" instruction or will otherwise raise a software check exception. There are also RISC-V instructions introduced for helping ensure the return flow of software.

Keith Packard published Picolibc 1.8.11 on Monday as the newest release for his C library designed for embedded 32-bit and 64-bit platforms. Picolibc continues tacking on new CPU architecture support and other features for this project that started out as a conglomeration of the Newlib and AVR Libc C library codebases.

Picolibc 1.8.11 adds support for Qualcomm's Hexagon DSP architecture. Also on the CPU side are a number of RISC-V improvements like supporting the "-mlarge" model in Assembly code and improved RISC-V vector unit in the start-up code. Over on the ARM side is also improved ARM32 A-Profile operation in Thumb state.

SpacemiT K3 is an upcoming RVA23-compliant 64-bit RISC-V processor based on X100 cores clocked at up to 2.5 GHz. So far, we had limited information, but SpacemiT gave remote access to one SpacemiT K3-powered server to Sander, and he was kind enough to share some system information and early benchmarks.

GNU Guix 1.5 is out today as the latest major release for this platform built around its functional package manager. This is a big upgrade with it having been three years since the GNU Guix 1.4 release.

GNU Guix 1.5 brings the KDE Plasma 6.5 desktop as well as more than 12.5k new packages and 29.9k package updates. Those using GNOME on Guix will now find Wayland is used, GNU Shepherd 1.0 provides the init system, and a variety of other updates.

The first RISC-V Annual Report hit virtual shelves this week. Inside, it details a defining year for RISC-V, the open standard ISA I co-founded back in 2010. We share major technical milestones, accelerating industry adoption, global ecosystem growth, and how we’ve laid foundations for the next phase of commercial deployment.

You’ll find me on page 10 of the report, delivering the same consistent message to audiences at RISC-V Summits around the world: The State of the Union Is Strong.

By ‘union’, I refer to the RISC-V ecosystem: its contributors, users, and developers, from multi-national corporations to solo academics, working together under a shared banner to strengthen the standard and deliver real, functioning systems.

Xous is a message-passing microkernel implemented in pure Rust, targeting secure embedded applications. This talk covers three novel aspects of the OS: hardware MMU support (and why we had to make our own chip to get this feature), how and why we implemented the Rust standard library in Rust (instead of calling the C standard library, like most other Rust platforms), and how we combine the power of Rust semantics with virtual memory to create safe yet efficient asynchronous messaging primitives. We conclude with a short demo of the OS running on a new chip, the "Baochip-1x", which is an affordable, mostly-open RTL SoC built in 22nm TSMC, configured expressly for running Xous.

The world is full of small, Internet-of-Things (IoT) gadgets running embedded operating systems. These devices generally fall into two categories: larger devices running a full operating system using an MMU which generally means Linux, or smaller devices running without an MMU using operating systems like Zephyr, chibios, or rt-thread, or run with no operating system at all. The software that underpins these projects is written in C with coarse hardware memory protection at best. As a result, these embedded OSes lack the security guarantees and/or ergonomics offered by modern languages and best practices.

The Xous microkernel borrows concepts from heavier operating systems to modernize the embedded space. The open source OS is written in pure Rust with minimal dependencies and an emphasis on modularity and simplicity, such that a technically-savvy individual can audit the code base in a reasonable period of time. This talk covers three novel aspects of the OS: its incorporation of hardware memory virtualization, its pure-Rust standard library, and its message passing architecture.

Desktop OSes such as Linux require a hardware MMU to virtualize memory. We explain how ARM has tricked us into accepting that MMUs are hardware-intensive features only to be found on more expensive “application” CPUs, thus creating a vicious cycle where cheaper devices are forced to be less safe. Thanks to the open nature of RISC-V, we are able to break ARM’s yoke and incorporate well-established MMU-based memory protection into embedded hardware, giving us security-first features such as process isolation and encrypted swap memory. In order to make Xous on real hardware more accessible, we introduce the Baochip-1x, an affordable, mostly-open RTL 22nm SoC configured expressly for the purpose of running Xous. The Baochip-1x features a Vexriscv CPU running at 400MHz, 2MiB of SRAM, 4MiB of nonvolatile RRAM, and a quad-core RV32E-derivative I/O accelerator called the “BIO”, based on the PicoRV clocked at 800MHz.

Most Rust targets delegate crucial tasks such as memory allocation, networking, and threading to the underlying operating system’s C standard library. We want strong memory safety guarantees all the way down to the memory allocator and task scheduler, so for Xous we implemented our standard library in pure Rust. Adhering to pure Rust also makes cross-compilation and cross-platform development a breeze, since there are no special compiler or linker concerns. We will show you how to raise the standard for “Pure Rust” by implementing a custom libstd.

Xous combines the power of page-based virtual memory and Rust’s strong borrow-checker semantics to create a safe and efficient method for asynchronous message passing between processes. This inter-process communication model allows for easy separation of different tasks while keeping the core kernel small. This process maps well onto the Rust "Borrow / Mutable Borrow / Move" concept and treats object passing as an IPC primitive. We will demonstrate how this works natively and give examples of how to map common programming algorithms to shuttle data safely between processes, as well as give examples of how we implement features such as scheduling and synchronization primitive entirely in user space.

We conclude with a short demo of Xous running on the Baochip-1x, bringing Xous from the realm of emulation and FPGAs into everyday-user accessible physical silicon.

I've been out of the loop on RISC-V for a little bit. Are there any interesting chips or boards that are releasing this year? I know the Milk-V titan is releasing soon, but it's not RVA23 which is what I am interested in seeing.

Increasingly complex RISC-V cores aren't magically immune to the speculative execution / side-channel vulnerabilities that have rattled the x86_64 and ARM64 landscape for years. Following recent work on Spectre V1 handling for RISC-V in the Linux kernel, merged this weekend for Linux 6.19-rc5 is another RISC-V attack vector safeguard.

A patch was merged on Saturday in time for today's Linux 6.19-rc5 release as another security improvement for RISC-V. The RISC-V architecture code in the Linux kernel is now sanitizing the system call table indexing under speculation, similar to how the code is already handled in the x86 and ARM space. Due to the system call number being a user-controlled value for indexing into the syscall table, special handling is needed to prevent speculative out-of-bounds access and possible data leakage via cache side channels.

Box64 is a x86 emulator that supports RiSC-V. With this, its possible to run steam, wine/proton, many games, and a lot of software on a RiSC-V computer!

The Gentoo Linux project published their 2025 retrospective this week with their many accomplishments, including the recruitment of four more developers and now being up to 31,663 ebuilds and a total of 89GB worth of x86_64 binary packages on mirrors.

Gentoo in 2025 moved away from GitHub to the Forgejo-based Codeberg in order to avoid Microsoft Copilot usage of their repositories. On the financial front, Gentoo moved their financial structure over to Software in the Public Interface (SPI).

The developers behind the Debian-based ParrotOS ethical hacking and penetration testing distribution announced today the general availability of Parrot 7.0 (codename Echo) as a major update with a new base and new features.

Based on the latest Debian 13 “Trixie” operating system series and powered by Linux kernel 6.12 LTS, the Parrot 7.0 release ships with KDE Plasma as the default desktop environment on Wayland, which was tweaked to make it as lightweight as possible, along with a classic terminal green style across the entire system.

New hacking tools have been included in this release, such as ConvoC2, a Red Teamer’s tool to exploit MS Teams, goshs, a SimpleHTTPServer written in Go, evil-winrm-py, a Python-based tool for executing commands on remote Windows machines, and AutoRecon, a multi-threaded network reconnaissance tool.