From: Kees Cook
To: Jeffrey Law
Cc: Kees Cook, Andrew Pinski, Joseph Myers, Richard Biener, Jeff Law, Andrew Pinski, Jakub Jelinek, Martin Uecker, Peter Zijlstra, Ard Biesheuvel, Jan Hubicka, Richard Earnshaw, Richard Sandiford, Marcus Shawcroft, Kyrylo Tkachov, Kito Cheng, Palmer Dabbelt, Andrew Waterman, Jim Wilson, Dan Li, Sami Tolvanen, Ramon de C Valle, Joao Moreira, Nathan Chancellor, Bill Wendling, "Osterlund, Sebastian", "Constable, Scott D", gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: [PATCH v13 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Thu, 18 Jun 2026 13:45:30 -0700
Message-Id: <20260618204530.work.910-kees@kernel.org>

Hi,

This series implements[1][2] the Linux Kernel Control Flow Integrity ABI, which provides function-prototype-based forward-edge control flow integrity protection by instrumenting every indirect call to check for a hash value before the target function address. If the hash at the call site and the hash at the target do not match, execution will trap.

I'm hoping we can make some progress landing at least portions of this series, though I think everything (even all the back ends) has had review.
I'd really like to be in a position where more people can test with GCC snapshots, etc., and there can be some follow-up patches if people find issues.

Since I don't have commit access, who is the right person to commit this? Jeff, I think you had maybe hinted you might consider it?

Thanks!

-Kees

Changes since v12[3]:
- rebased to latest, with full regression test across all KCFI archs in GCC and their corresponding Linux kernel builds and testing.
- all archs: detect direct calls via !REG_P instead of SYMBOL_REF_P.
- riscv: drop :DI pinning on the *kcfi_* call patterns.
- riscv: wrap the KCFI sequence in .option norelax/norvc to block linker relaxation and RVC compression.
- riscv: commit-log fixes: t3 is x28 (not x8); state the rv64-only addiw directly; "register" -> "registers" typo.
- arm: update for Thumb-2 support (strip Thumb bit, reject Thumb-1).
- arm: fix indirect tail-call miscompile where r3 (sibcall target) was stolen as stack-alignment padding.
- aarch64: fix indirect tail-call miscompile: scratch register no longer collides with the call target; emit 32-bit (%w) register names.
- common: exclude KCFI from -fsanitize-recover=all (trap-only); fixes the armv8l CI regression in sanitize-recover-3.c.
- tests: add kcfi-direct-call-shapes.c (direct/indirect call types).
- tests: add kcfi-arm-sibcall-r3.c.
- tests: remove a stray empty kcfi-complex-addressing.s.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[2] https://github.com/KSPP/linux/issues/369
[3] https://lore.kernel.org/all/20260515161551.stronger.641-kees@kernel.org/

Kees Cook (7):
  kcfi: Introduce KCFI typeinfo mangling API
  kcfi: Add core Kernel Control Flow Integrity infrastructure
  kcfi: Add regression test suite
  x86: Add x86_64 Kernel Control Flow Integrity implementation
  aarch64: Add AArch64 Kernel Control Flow Integrity implementation
  arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
  riscv: Add RISC-V Kernel Control Flow Integrity implementation

 gcc/kcfi.h                                         |  59 ++
 gcc/kcfi.cc                                        | 696 ++++++++++++++
 gcc/config/aarch64/aarch64-protos.h                |   4 +
 gcc/config/arm/arm-protos.h                        |   4 +
 gcc/config/i386/i386-protos.h                      |   2 +-
 gcc/config/i386/i386.h                             |   3 +-
 gcc/config/riscv/riscv-protos.h                    |   3 +
 gcc/config/aarch64/aarch64.md                      |  56 ++
 gcc/config/arm/arm.md                              |  62 ++
 gcc/config/i386/i386.md                            |  63 +-
 gcc/config/riscv/riscv.md                          |  76 +-
 gcc/config/aarch64/aarch64.cc                      | 127 +++
 gcc/config/arm/arm.cc                              | 217 ++++-
 gcc/config/i386/i386-expand.cc                     |  28 +-
 gcc/config/i386/i386.cc                            | 210 ++++-
 gcc/config/riscv/riscv.cc                          | 199 ++++
 gcc/doc/extend.texi                                | 137 +++
 gcc/doc/invoke.texi                                | 127 +++
 gcc/doc/tm.texi                                    |  32 +
 gcc/testsuite/gcc.dg/kcfi/kcfi.exp                 |  51 ++
 gcc/testsuite/lib/target-supports.exp              |  14 +
 .../gcc.dg/builtin-typeinfo-errors.c               |  28 +
 gcc/testsuite/gcc.dg/builtin-typeinfo.c            | 350 +++++++
 .../gcc.dg/kcfi/kcfi-aarch64-ilp32.c               |   7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c         | 142 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c      |  15 +
 .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c               |  15 +
 .../gcc.dg/kcfi/kcfi-arm-sibcall-r3.c              |  50 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c            | 168 ++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c      |  92 ++
 .../gcc.dg/kcfi/kcfi-cold-partition.c              | 126 +++
 .../gcc.dg/kcfi/kcfi-complex-addressing.c          | 206 +++++
 .../gcc.dg/kcfi/kcfi-direct-call-shapes.c          |  36 +
 .../gcc.dg/kcfi/kcfi-ipa-robustness.c              |  54 ++
 .../gcc.dg/kcfi/kcfi-move-preservation.c           | 138 +++
 .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c          | 100 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c       |  41 +
 .../gcc.dg/kcfi/kcfi-offset-validation.c           |  40 +
 .../gcc.dg/kcfi/kcfi-patchable-entry-only.c        |  64 ++
 .../gcc.dg/kcfi/kcfi-patchable-incompatible.c      |   7 +
 .../gcc.dg/kcfi/kcfi-patchable-large.c             |  57 ++
 .../gcc.dg/kcfi/kcfi-patchable-medium.c            |  63 ++
 .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c       |  64 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c       |   7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c              |   7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c              |   7 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c              |   7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c           | 276 ++++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c        | 144 +++
 .../gcc.dg/kcfi/kcfi-trap-encoding.c               |  88 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c      |  29 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c         |   7 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c         |  93 ++
 .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c               |   7 +
 .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c               |   7 +
 .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c           |  40 +
 gcc/Makefile.in                                    |   2 +
 gcc/c-family/c-common.h                            |   1 +
 gcc/flag-types.h                                   |   2 +
 gcc/gimple.h                                       |  22 +
 gcc/kcfi-typeinfo.h                                |  32 +
 gcc/selftest.h                                     |   1 +
 gcc/tree-pass.h                                    |   1 +
 gcc/c-family/c-attribs.cc                          |  17 +-
 gcc/c-family/c-common.cc                           |   2 +
 gcc/c/c-parser.cc                                  |  72 ++
 gcc/common.opt                                     |   8 +
 gcc/df-scan.cc                                     |   7 +
 gcc/doc/tm.texi.in                                 |  12 +
 gcc/final.cc                                       |   3 +
 gcc/kcfi-typeinfo.cc                               | 866 ++++++++++++++++++
 gcc/opts.cc                                        |   5 +-
 gcc/passes.cc                                      |   1 +
 gcc/passes.def                                     |   1 +
 gcc/rtl.def                                        |   6 +
 gcc/rtlanal.cc                                     |   5 +
 gcc/selftest-run-tests.cc                          |   1 +
 gcc/target.def                                     |  39 +
 gcc/toplev.cc                                      |  12 +
 gcc/tree-inline.cc                                 |  10 +
 gcc/varasm.cc                                      |  37 +-
 81 files changed, 5861 insertions(+), 56 deletions(-)
 create mode 100644 gcc/kcfi.h
 create mode 100644 gcc/kcfi.cc
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-ilp32.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-sibcall-r3.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-direct-call-shapes.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
 create mode 100644 gcc/kcfi-typeinfo.h
 create mode 100644 gcc/kcfi-typeinfo.cc

-- 
2.34.1
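The cover letter above describes the mechanism in one sentence: each function carries a hash of its prototype just before its entry, every indirect call site compares the hash it expects (from the static type of the pointer) against the hash found before the target, and a mismatch traps. The following is an added, stand-alone C illustration of that check; it is not code from this GCC series, from Clang, or from the Linux kernel. It emulates the "hash, then entry" layout with a struct (the real ABI places the hash in the bytes preceding the function's first instruction), uses FNV-1a over an Itanium-style mangled prototype string as a stand-in for the ABI's actual hash (an assumption; the page does not specify the hash), signals the trap with a return code instead of a trap instruction, and uses made-up names (on_read, on_write, attacker_gadget, struct ops). The third scenario shows the known limit of prototype-based CFI: a redirect to a different function with the same prototype passes the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KCFI_TRAP (-1)

/* Emulated KCFI target layout (assumption for this example): the real ABI
 * emits the 32-bit type hash in the bytes immediately before a function's
 * first instruction; this struct stands in for "hash, then entry". */
struct kcfi_target {
    uint32_t typeid;        /* hash of the target's own prototype */
    void (*entry)(void);    /* the function itself, type-erased */
};

/* Prototype string -> 32-bit type id.  FNV-1a over an Itanium-style mangled
 * prototype ("FiiE" for int (int)) is an assumption standing in for the
 * ABI's actual hash; what matters here is that different prototypes map to
 * different ids. */
uint32_t kcfi_typeid(const char *mangled_proto)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)mangled_proto; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Two legitimate handlers sharing the prototype int (int). */
static int on_read(int fd)  { return fd + 1; }
static int on_write(int fd) { return fd * 2; }

/* A function with a different prototype, long (const char *), that a
 * corrupted pointer might be redirected to. */
static long attacker_gadget(const char *s) { return (long)strlen(s); }

/* Emulates the compiler prefixing each function with its prototype hash. */
static struct kcfi_target t_read, t_write, t_gadget;
static void kcfi_emit_prefixes(void)
{
    t_read   = (struct kcfi_target){ kcfi_typeid("FiiE"),   (void (*)(void))on_read };
    t_write  = (struct kcfi_target){ kcfi_typeid("FiiE"),   (void (*)(void))on_write };
    t_gadget = (struct kcfi_target){ kcfi_typeid("FlPKcE"), (void (*)(void))attacker_gadget };
}

/* Instrumented indirect call through a pointer of static type int (*)(int).
 * The expected hash is a constant derived from the pointer's type at the
 * call site; the hash found just before the target is compared to it and a
 * mismatch "traps" (returns KCFI_TRAP here; real KCFI executes a trap
 * instruction) instead of transferring control. */
int kcfi_call_int_int(const struct kcfi_target *target, int arg, int *result)
{
    const uint32_t expected = kcfi_typeid("FiiE");
    if (target->typeid != expected)
        return KCFI_TRAP;
    *result = ((int (*)(int))target->entry)(arg);
    return 0;
}

/* An "ops" table holding the indirect-call target, the kind of structure
 * whose pointer field an attacker would overwrite. */
struct ops { const struct kcfi_target *handler; };

static int dispatch(struct ops *ops, int arg)
{
    int r = 0;
    return kcfi_call_int_int(ops->handler, arg, &r) == 0 ? r : KCFI_TRAP;
}

/* Legitimate dispatch: returns on_read(3) == 4. */
int kcfi_demo_legit(void)
{
    kcfi_emit_prefixes();
    struct ops ops = { &t_read };
    return dispatch(&ops, 3);
}

/* Hijack: the handler pointer is overwritten to point at a function of a
 * different prototype; the hash check fires before control transfers. */
int kcfi_demo_hijack(void)
{
    kcfi_emit_prefixes();
    struct ops ops = { &t_read };
    ops.handler = &t_gadget;          /* simulated memory-corruption write */
    return dispatch(&ops, 3);
}

/* Limit of prototype-based CFI: redirecting to another int (int) function
 * is indistinguishable from the legitimate target, so it is not caught. */
int kcfi_demo_same_prototype(void)
{
    kcfi_emit_prefixes();
    struct ops ops = { &t_read };
    ops.handler = &t_write;           /* simulated memory-corruption write */
    return dispatch(&ops, 3);
}

int main(void)
{
    printf("legit=%d hijack=%d same_proto=%d\n",
           kcfi_demo_legit(), kcfi_demo_hijack(), kcfi_demo_same_prototype());
    return 0;
}
```

Because the check keys only on the prototype, the guarantee is that an indirect call can reach any function of the matching type but nothing else; it does not reduce the target set further, which is why the same-prototype redirect above succeeds.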