From: Sam James <sam@gentoo.org>
To: Kees Cook <kees@kernel.org>
Cc: Qing Zhao <qing.zhao@oracle.com>,
	 Uros Bizjak <ubizjak@gmail.com>,
	Joseph Myers <josmyers@redhat.com>,
	 Richard Biener <rguenther@suse.de>,
	Jeff Law <jeffreyalaw@gmail.com>,
	 Andrew Pinski <pinskia@gmail.com>,
	Jakub Jelinek <jakub@redhat.com>,
	 Martin Uecker <uecker@tugraz.at>,
	Peter Zijlstra <peterz@infradead.org>,
	 Ard Biesheuvel <ardb@kernel.org>, Jan Hubicka <hubicka@ucw.cz>,
	 Richard Earnshaw <richard.earnshaw@arm.com>,
	 Richard Sandiford <richard.sandiford@arm.com>,
	 Marcus Shawcroft <marcus.shawcroft@arm.com>,
	Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
	 Kito Cheng <kito.cheng@gmail.com>,
	 Palmer Dabbelt <palmer@dabbelt.com>,
	 Andrew Waterman <andrew@sifive.com>,
	 Jim Wilson <jim.wilson.gcc@gmail.com>,
	 Dan Li <ashimida.1990@gmail.com>,
	 Sami Tolvanen <samitolvanen@google.com>,
	Ramon de C Valle <rcvalle@google.com>,
	 Joao Moreira <joao@overdrivepizza.com>,
	 Nathan Chancellor <nathan@kernel.org>,
	 Bill Wendling <morbo@google.com>,
	 "Osterlund, Sebastian" <sebastian.osterlund@intel.com>,
	 "Constable, Scott D" <scott.d.constable@intel.com>,
	 gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v9 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Wed, 10 Dec 2025 18:55:31 +0000
Message-ID: <875xaei2u4.fsf@gentoo.org>
In-Reply-To: <20251210022025.harder.803-kees@kernel.org>

Kees Cook <kees@kernel.org> writes:

> Hi,
>
> This series implements[1][2] the Linux Kernel Control Flow Integrity
> ABI, which provides a function prototype based forward edge control flow
> integrity protection by instrumenting every indirect call to check for
> a hash value before the target function address. If the hash at the call
> site and the hash at the target do not match, execution will trap.
>
> I'm hoping we can land front- and middle-end and do architectures as
> they also pass review. What do folks think? I'd really like to get this
> in a position where more people can test with GCC snapshots, etc.

What's the status of this on the kernel side? Could you link me to
patches so I can have a play?

Thank you for working on this. We get a lot of requests for it and
pressure to build the kernel with Clang for this feature.

>
> Thanks!
>
> -Kees
>
> Changes since v8[3], addressing Andrew's feedback:
>
> - Split out aarch64 indirect branch logic into separate patch[4].
> - Simplify aarch64 asm output.
> - Clarify BTI interaction (it's safe) in commit log.
> - Move kcfi compatibility checking into hook logic instead of overrides
>   in aarch64, i386, and riscv.
>
> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
> [2] https://github.com/KSPP/linux/issues/369
> [3] https://lore.kernel.org/linux-hardening/20251120222105.us.687-kees@kernel.org/
> [4] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=59a5fecfb260456dd60be687491717f3dbdb354f
>
> Kees Cook (7):
>   typeinfo: Introduce KCFI typeinfo mangling API
>   kcfi: Add core Kernel Control Flow Integrity infrastructure
>   kcfi: Add regression test suite
>   x86: Add x86_64 Kernel Control Flow Integrity implementation
>   aarch64: Add AArch64 Kernel Control Flow Integrity implementation
>   arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
>   riscv: Add RISC-V Kernel Control Flow Integrity implementation
>
>  gcc/kcfi.h                                    |  59 ++
>  gcc/kcfi.cc                                   | 696 ++++++++++++++++++
>  gcc/config/aarch64/aarch64-protos.h           |   4 +
>  gcc/config/arm/arm-protos.h                   |   4 +
>  gcc/config/i386/i386-protos.h                 |   2 +-
>  gcc/config/i386/i386.h                        |   3 +-
>  gcc/config/riscv/riscv-protos.h               |   3 +
>  gcc/config/aarch64/aarch64.md                 |  56 ++
>  gcc/config/arm/arm.md                         |  62 ++
>  gcc/config/i386/i386.md                       |  63 +-
>  gcc/config/riscv/riscv.md                     |  76 +-
>  gcc/config/aarch64/aarch64.cc                 |  93 +++
>  gcc/config/arm/arm.cc                         | 170 +++++
>  gcc/config/i386/i386-expand.cc                |  22 +-
>  gcc/config/i386/i386.cc                       | 210 +++++-
>  gcc/config/riscv/riscv.cc                     | 180 +++++
>  gcc/doc/extend.texi                           | 137 ++++
>  gcc/doc/invoke.texi                           | 127 ++++
>  gcc/doc/tm.texi                               |  32 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi.exp            |  51 ++
>  gcc/testsuite/lib/target-supports.exp         |  14 +
>  .../gcc.dg/builtin-typeinfo-errors.c          |  28 +
>  gcc/testsuite/gcc.dg/builtin-typeinfo.c       | 350 +++++++++
>  .../gcc.dg/kcfi/kcfi-aarch64-ilp32.c          |   7 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c    | 114 +++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c |  15 +
>  .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c          |  15 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c       | 149 ++++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c |  90 +++
>  .../gcc.dg/kcfi/kcfi-cold-partition.c         | 126 ++++
>  .../gcc.dg/kcfi/kcfi-complex-addressing.c     | 203 +++++
>  .../gcc.dg/kcfi/kcfi-complex-addressing.s     |   0
>  .../gcc.dg/kcfi/kcfi-ipa-robustness.c         |  54 ++
>  .../gcc.dg/kcfi/kcfi-move-preservation.c      | 118 +++
>  .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c     | 100 +++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c  |  39 +
>  .../gcc.dg/kcfi/kcfi-offset-validation.c      |  38 +
>  .../gcc.dg/kcfi/kcfi-patchable-entry-only.c   |  64 ++
>  .../gcc.dg/kcfi/kcfi-patchable-incompatible.c |   7 +
>  .../gcc.dg/kcfi/kcfi-patchable-large.c        |  54 ++
>  .../gcc.dg/kcfi/kcfi-patchable-medium.c       |  60 ++
>  .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c  |  61 ++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c  |   7 +
>  .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c         |   7 +
>  .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c         |   7 +
>  .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c         |   7 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c      | 276 +++++++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c   | 140 ++++
>  .../gcc.dg/kcfi/kcfi-trap-encoding.c          |  69 ++
>  gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c |  29 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c    |   7 +
>  gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c    |  93 +++
>  .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c          |   7 +
>  .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c          |   7 +
>  .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c      |  40 +
>  gcc/Makefile.in                               |   2 +
>  gcc/c-family/c-common.h                       |   1 +
>  gcc/flag-types.h                              |   2 +
>  gcc/gimple.h                                  |  22 +
>  gcc/kcfi-typeinfo.h                           |  32 +
>  gcc/tree-pass.h                               |   1 +
>  gcc/c-family/c-attribs.cc                     |  17 +-
>  gcc/c-family/c-common.cc                      |   2 +
>  gcc/c/c-parser.cc                             |  72 ++
>  gcc/common.opt                                |   8 +
>  gcc/df-scan.cc                                |   7 +
>  gcc/doc/tm.texi.in                            |  12 +
>  gcc/final.cc                                  |   3 +
>  gcc/kcfi-typeinfo.cc                          | 516 +++++++++++++
>  gcc/opts.cc                                   |   2 +
>  gcc/passes.cc                                 |   1 +
>  gcc/passes.def                                |   1 +
>  gcc/rtl.def                                   |   6 +
>  gcc/rtlanal.cc                                |   5 +
>  gcc/target.def                                |  39 +
>  gcc/toplev.cc                                 |  12 +
>  gcc/tree-inline.cc                            |  10 +
>  gcc/varasm.cc                                 |  37 +-
>  78 files changed, 5218 insertions(+), 44 deletions(-)
>  create mode 100644 gcc/kcfi.h
>  create mode 100644 gcc/kcfi.cc
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
>  create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
>  create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-ilp32.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
>  create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
>  create mode 100644 gcc/kcfi-typeinfo.h
>  create mode 100644 gcc/kcfi-typeinfo.cc
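
The check described in the quoted cover letter (a hash stored before the target function, compared at every indirect call, trap on mismatch), modeled in portable C as an added example; it is not code from the patch series or from GCC. The FNV-1a hash over a prototype string, the struct layout and all names are assumptions standing in for the compiler-emitted type hash and function preamble, and a mismatch returns `KCFI_TRAP` instead of executing a trap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in type hash (assumption): FNV-1a over a prototype string. The real
   ABI derives its hash from the compiler's view of the function type. */
static uint32_t proto_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++) {
        h ^= (unsigned char)*proto;
        h *= 16777619u;
    }
    return h;
}

typedef void (*generic_fn)(void);

/* Model of an instrumented function: the hash sits in the slot before the
   entry point, so a pointer to `entry` plays the role of the function address. */
struct kcfi_func { uint32_t type_hash; generic_fn entry; };

enum { KCFI_OK = 0, KCFI_TRAP = -1 };

static long double_it(long x) { return 2 * x; }  /* prototype long(long)  */
static void log_msg(char *s) { (void)s; }        /* prototype void(char*) */

/* Instrumented call site for an indirect call of type long(long): load the
   hash stored before the target and compare it with the call site's hash. */
static int checked_call_long_long(generic_fn *target, long arg, long *out)
{
    const struct kcfi_func *f = (const struct kcfi_func *)
        ((const char *)target - offsetof(struct kcfi_func, entry));
    if (f->type_hash != proto_hash("long(long)"))
        return KCFI_TRAP;            /* real instrumentation traps here */
    *out = ((long (*)(long))*target)(arg);
    return KCFI_OK;
}

/* wrong_target != 0 models a function pointer that was redirected to a
   function with a different prototype. */
int kcfi_demo(int wrong_target, long *out)
{
    struct kcfi_func ok  = { proto_hash("long(long)"),  (generic_fn)double_it };
    struct kcfi_func bad = { proto_hash("void(char*)"), (generic_fn)log_msg };
    return checked_call_long_long(wrong_target ? &bad.entry : &ok.entry, 21, out);
}

int main(void) { long r = 0; printf("%d\n", kcfi_demo(1, &r)); return 0; }
```

Because the check is keyed on the prototype, a redirected pointer that lands on another function with the same prototype still passes; the scheme narrows the set of valid targets rather than pinning a single one.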
