From: Kees Cook
To: Andrew Pinski
Cc: Kees Cook, Joseph Myers, Richard Biener, Jeff Law, Andrew Pinski, Jakub Jelinek, Martin Uecker, Peter Zijlstra, Ard Biesheuvel, Jan Hubicka, Richard Earnshaw, Richard Sandiford, Marcus Shawcroft, Kyrylo Tkachov, Kito Cheng, Palmer Dabbelt, Andrew Waterman, Jim Wilson, Dan Li, Sami Tolvanen, Ramon de C Valle, Joao Moreira, Nathan Chancellor, Bill Wendling, "Osterlund, Sebastian", "Constable, Scott D", gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: [PATCH v12 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Fri, 15 May 2026 09:15:53 -0700
Message-Id: <20260515161551.stronger.641-kees@kernel.org>

Hi,

This series implements[1][2] the Linux Kernel Control Flow Integrity ABI, which provides a function prototype based forward edge control flow integrity protection by instrumenting every indirect call to check for a hash value before the target function address. If the hash at the call site and the hash at the target do not match, execution will trap.

I was asked to wait to resend this series until gcc 16 released, which it has now. I'm hoping we can land the front-, middle-, and back-ends for aarch64 and x86_64.
I'd really like to get this in a position where more people can test with GCC snapshots, etc. Since I don't have commit access, who is the right person to commit this?

Thanks!

-Kees

Changes since v11[3]:
- Rename new typeinfo helpers with "linux_abi_kcfi" prefix (Andrew)

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[2] https://github.com/KSPP/linux/issues/369
[3] https://lore.kernel.org/linux-hardening/20260511194847.faster.180-kees@kernel.org/

Kees Cook (7):
  kcfi: Introduce KCFI typeinfo mangling API
  kcfi: Add core Kernel Control Flow Integrity infrastructure
  kcfi: Add regression test suite
  x86: Add x86_64 Kernel Control Flow Integrity implementation
  aarch64: Add AArch64 Kernel Control Flow Integrity implementation
  arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
  riscv: Add RISC-V Kernel Control Flow Integrity implementation

 gcc/kcfi.h | 59 ++
 gcc/kcfi.cc | 696 ++++++++++++++
 gcc/config/aarch64/aarch64-protos.h | 4 +
 gcc/config/arm/arm-protos.h | 4 +
 gcc/config/i386/i386-protos.h | 2 +-
 gcc/config/i386/i386.h | 3 +-
 gcc/config/riscv/riscv-protos.h | 3 +
 gcc/config/aarch64/aarch64.md | 56 ++
 gcc/config/arm/arm.md | 62 ++
 gcc/config/i386/i386.md | 63 +-
 gcc/config/riscv/riscv.md | 76 +-
 gcc/config/aarch64/aarch64.cc | 93 ++
 gcc/config/arm/arm.cc | 170 ++++
 gcc/config/i386/i386-expand.cc | 22 +-
 gcc/config/i386/i386.cc | 210 ++++-
 gcc/config/riscv/riscv.cc | 180 ++++
 gcc/doc/extend.texi | 137 +++
 gcc/doc/invoke.texi | 127 +++
 gcc/doc/tm.texi | 32 +
 gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 51 ++
 gcc/testsuite/lib/target-supports.exp | 14 +
 .../gcc.dg/builtin-typeinfo-errors.c | 28 +
 gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 +++++++
 .../gcc.dg/kcfi/kcfi-aarch64-ilp32.c | 7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 114 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c | 15 +
 .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c | 15 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 149 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 90 ++
 .../gcc.dg/kcfi/kcfi-cold-partition.c | 126 +++
 .../gcc.dg/kcfi/kcfi-complex-addressing.c | 203 ++++
 .../gcc.dg/kcfi/kcfi-complex-addressing.s | 0
 .../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
 .../gcc.dg/kcfi/kcfi-move-preservation.c | 118 +++
 .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 +
 .../gcc.dg/kcfi/kcfi-offset-validation.c | 38 +
 .../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 64 ++
 .../gcc.dg/kcfi/kcfi-patchable-incompatible.c | 7 +
 .../gcc.dg/kcfi/kcfi-patchable-large.c | 54 ++
 .../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
 .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 61 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c | 7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c | 7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c | 7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c | 7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 276 ++++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 140 +++
 .../gcc.dg/kcfi/kcfi-trap-encoding.c | 70 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 29 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c | 7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c | 93 ++
 .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c | 7 +
 .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c | 7 +
 .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c | 40 +
 gcc/Makefile.in | 2 +
 gcc/c-family/c-common.h | 1 +
 gcc/flag-types.h | 2 +
 gcc/gimple.h | 22 +
 gcc/kcfi-typeinfo.h | 32 +
 gcc/selftest.h | 1 +
 gcc/tree-pass.h | 1 +
 gcc/c-family/c-attribs.cc | 17 +-
 gcc/c-family/c-common.cc | 2 +
 gcc/c/c-parser.cc | 72 ++
 gcc/common.opt | 8 +
 gcc/df-scan.cc | 7 +
 gcc/doc/tm.texi.in | 12 +
 gcc/final.cc | 3 +
 gcc/kcfi-typeinfo.cc | 866 ++++++++++++++++++
 gcc/opts.cc | 2 +
 gcc/passes.cc | 1 +
 gcc/passes.def | 1 +
 gcc/rtl.def | 6 +
 gcc/rtlanal.cc | 5 +
 gcc/selftest-run-tests.cc | 1 +
 gcc/target.def | 39 +
 gcc/toplev.cc | 12 +
 gcc/tree-inline.cc | 10 +
 gcc/varasm.cc | 37 +-
 80 files changed, 5571 insertions(+), 44 deletions(-)
 create mode 100644 gcc/kcfi.h
 create mode 100644 gcc/kcfi.cc
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-ilp32.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
 create mode 100644 gcc/kcfi-typeinfo.h
 create mode 100644 gcc/kcfi-typeinfo.cc

-- 
2.34.1
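
The call-site check described in the cover letter, modelled in portable C as an added illustration; it is not part of the posted series or of GCC. The names `kcfi_target`, `proto_hash` and `call_int_int` are hypothetical: a struct field stands in for the hash word kept before the function address, and FNV-1a over a prototype string stands in for the compiler's type hash.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*generic_fn)(void);

/* Model (assumption): the hash word that sits ahead of a function's entry. */
struct kcfi_target { uint32_t type_hash; generic_fn entry; };
enum kcfi_result { KCFI_OK, KCFI_TRAP };

/* Stand-in type hash: FNV-1a over a prototype string, not the real mangling. */
static uint32_t proto_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    while (*proto) {
        h ^= (unsigned char)*proto++;
        h *= 16777619u;
    }
    return h;
}

static int add_one(int x) { return x + 1; }
static int negate(int x) { return -x; }
static void set_flag(unsigned long *p) { *p = 1; }

static struct kcfi_target make_target(const char *proto, generic_fn fn)
{
    struct kcfi_target t = { proto_hash(proto), fn };
    return t;
}

/* Instrumented call site for a pointer of type int (*)(int): compare the
   site's expected hash with the target's hash before transferring control. */
static enum kcfi_result call_int_int(const struct kcfi_target *t, int arg, int *out)
{
    if (t->type_hash != proto_hash("int(int)"))
        return KCFI_TRAP;               /* models the trap on mismatch */
    *out = ((int (*)(int))t->entry)(arg);
    return KCFI_OK;
}

int main(void)
{
    int out = 0;
    struct kcfi_target good = make_target("int(int)", (generic_fn)add_one);
    struct kcfi_target same = make_target("int(int)", (generic_fn)negate);
    struct kcfi_target bad = make_target("void(unsigned long*)", (generic_fn)set_flag);
    printf("%d %d %d\n", call_int_int(&good, 41, &out),
           call_int_int(&same, 5, &out), call_int_int(&bad, 41, &out));
    return 0;
}
```

Because the check is keyed on the prototype, `negate` passes at the same call site as `add_one`; only a target with a different prototype is rejected.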