linux-hardening.vger.kernel.org archive mirror
From: Kees Cook <kees@kernel.org>
To: Qing Zhao <qing.zhao@oracle.com>
Cc: Kees Cook <kees@kernel.org>, Andrew Pinski <pinskia@gmail.com>,
	Jakub Jelinek <jakub@redhat.com>,
	Martin Uecker <uecker@tugraz.at>,
	Richard Biener <rguenther@suse.de>,
	Joseph Myers <josmyers@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Jan Hubicka <hubicka@ucw.cz>,
	Richard Earnshaw <richard.earnshaw@arm.com>,
	Richard Sandiford <richard.sandiford@arm.com>,
	Marcus Shawcroft <marcus.shawcroft@arm.com>,
	Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
	Kito Cheng <kito.cheng@gmail.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Waterman <andrew@sifive.com>,
	Jim Wilson <jim.wilson.gcc@gmail.com>,
	Dan Li <ashimida.1990@gmail.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Ramon de C Valle <rcvalle@google.com>,
	Joao Moreira <joao@overdrivepizza.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Bill Wendling <morbo@google.com>,
	gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: [PATCH v3 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Sat, 13 Sep 2025 16:23:56 -0700
Message-ID: <20250913231256.make.519-kees@kernel.org>

Hi!

Here is v3, which has continued to evolve a lot from v2[1].

This series implements[2][3] the Linux Kernel Control Flow Integrity
ABI, which provides a function prototype based forward edge control flow
integrity protection by instrumenting every indirect call to check for
a hash value before the target function address. If the hash at the call
site and the hash at the target do not match, execution will trap.

Changes since v2:

- Refactored mangling to provide actual builtins, making it SO much
  easier to test. This is good not just for KCFI but also for coming
  type-aware allocators that need to have a stable value (32-bit
  hash) to represent C types.

- Consolidated DECL vs TYPE attributes for KCFI type_id, allowing
  for the removal of all the GIMPLE type wrapping and the GIMPLE
  passes entirely.

- Tightened testsuite to be much more target and option aware.

- Support nocf_check to disable preamble generation.

- Passes contrib/check_GNU_style.py (with some clear exceptions).

- Added more documentation.

- General cleanups and comment clarifications.

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250905001157.it.269-kees@kernel.org/
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[3] https://github.com/KSPP/linux/issues/369

Kees Cook (7):
  typeinfo: Introduce KCFI typeinfo mangling API
  kcfi: Add core Kernel Control Flow Integrity infrastructure
  x86: Add x86_64 Kernel Control Flow Integrity implementation
  aarch64: Add AArch64 Kernel Control Flow Integrity implementation
  arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
  riscv: Add RISC-V Kernel Control Flow Integrity implementation
  kcfi: Add regression test suite

 gcc/kcfi.h                                    |  52 ++
 gcc/kcfi.cc                                   | 601 ++++++++++++++++++
 gcc/Makefile.in                               |   2 +
 gcc/c-family/c-common.h                       |   1 +
 gcc/config/aarch64/aarch64-protos.h           |   5 +
 gcc/config/arm/arm-protos.h                   |   4 +
 gcc/config/i386/i386-protos.h                 |   1 +
 gcc/config/i386/i386.h                        |   3 +-
 gcc/config/riscv/riscv-protos.h               |   3 +
 gcc/flag-types.h                              |   2 +
 gcc/gimple.h                                  |  22 +
 gcc/kcfi-typeinfo.h                           |  32 +
 gcc/tree-pass.h                               |   1 +
 .../gcc.dg/builtin-typeinfo-errors.c          |  28 +
 gcc/testsuite/gcc.dg/builtin-typeinfo.c       | 350 ++++++++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c    |  72 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c       | 108 ++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c |  84 +++
 .../gcc.dg/kcfi/kcfi-cold-partition.c         | 136 ++++
 .../gcc.dg/kcfi/kcfi-complex-addressing.c     | 135 ++++
 .../gcc.dg/kcfi/kcfi-ipa-robustness.c         |  54 ++
 .../gcc.dg/kcfi/kcfi-move-preservation.c      |  55 ++
 .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c     | 100 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c  |  39 ++
 .../gcc.dg/kcfi/kcfi-offset-validation.c      |  48 ++
 .../gcc.dg/kcfi/kcfi-patchable-basic.c        |  70 ++
 .../gcc.dg/kcfi/kcfi-patchable-entry-only.c   |  62 ++
 .../gcc.dg/kcfi/kcfi-patchable-large.c        |  51 ++
 .../gcc.dg/kcfi/kcfi-patchable-medium.c       |  60 ++
 .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c  |  60 ++
 .../gcc.dg/kcfi/kcfi-pic-addressing.c         | 104 +++
 .../gcc.dg/kcfi/kcfi-retpoline-r11.c          |  50 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c      | 151 +++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c   | 142 +++++
 .../gcc.dg/kcfi/kcfi-trap-encoding.c          |  54 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c |  41 ++
 gcc/c-family/c-attribs.cc                     |  17 +-
 gcc/c-family/c-common.cc                      |   2 +
 gcc/c/c-parser.cc                             |  72 +++
 gcc/config/aarch64/aarch64.cc                 | 116 ++++
 gcc/config/aarch64/aarch64.md                 |  64 +-
 gcc/config/arm/arm.cc                         | 146 +++++
 gcc/config/arm/arm.md                         |  62 ++
 gcc/config/i386/i386-expand.cc                |  22 +-
 gcc/config/i386/i386.cc                       | 130 ++++
 gcc/config/i386/i386.md                       |  62 +-
 gcc/config/riscv/riscv.cc                     | 159 +++++
 gcc/config/riscv/riscv.md                     |  76 ++-
 gcc/df-scan.cc                                |   7 +
 gcc/doc/extend.texi                           | 132 ++++
 gcc/doc/invoke.texi                           | 100 +++
 gcc/doc/tm.texi                               |  31 +
 gcc/doc/tm.texi.in                            |  12 +
 gcc/final.cc                                  |   3 +
 gcc/kcfi-typeinfo.cc                          | 475 ++++++++++++++
 gcc/opts.cc                                   |   1 +
 gcc/passes.cc                                 |   1 +
 gcc/passes.def                                |   1 +
 gcc/rtl.def                                   |   6 +
 gcc/rtlanal.cc                                |   5 +
 gcc/target.def                                |  38 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi.exp            |  64 ++
 gcc/toplev.cc                                 |  10 +
 gcc/tree-inline.cc                            |  10 +
 gcc/varasm.cc                                 |  37 +-
 65 files changed, 4611 insertions(+), 33 deletions(-)
 create mode 100644 gcc/kcfi.h
 create mode 100644 gcc/kcfi.cc
 create mode 100644 gcc/kcfi-typeinfo.h
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-basic.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-pic-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-retpoline-r11.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
 create mode 100644 gcc/kcfi-typeinfo.cc
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp

-- 
2.34.1
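The cover letter describes the KCFI scheme in one sentence: a 32-bit hash of the callee's prototype is emitted immediately before each function's entry point, and every indirect call site compares that word against the hash it expects for its own prototype, trapping on mismatch. The following portable C program is an added model of that check; it is not code from this patch series or from the kernel. It makes three assumptions so that it can run without a KCFI-enabled compiler: the "word before the function" is a struct field rather than bytes ahead of the entry point, the type-id is an FNV-1a hash of a constructed prototype string rather than the series' typeinfo mangling builtins, and a mismatch returns a status instead of executing a trap instruction. The scenario names and the 0x90909090 "no preamble" value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Generic code pointer: any function's entry can be stored here and cast
 * back at the call site, mirroring an untyped indirect-call target. */
typedef void (*kcfi_entry_t)(void);

/* An instrumented function as KCFI lays it out: the 32-bit type-id sits
 * immediately before the entry point.  Modelled here as a struct. */
struct kcfi_func {
    uint32_t type_id;
    kcfi_entry_t entry;
};

enum kcfi_status { KCFI_OK = 0, KCFI_TRAP = 1 };

struct kcfi_call_result {
    enum kcfi_status status;
    int value;                 /* meaningful only when status == KCFI_OK */
};

/* Stand-in for the series' prototype mangling plus hashing: FNV-1a over a
 * prototype string.  This is an assumption, not the real typeinfo API. */
static uint32_t kcfi_type_id(const char *prototype)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* What the compiler does at a function definition: emit the preamble hash
 * for the function's own prototype ahead of its entry. */
static struct kcfi_func kcfi_emit(const char *prototype, kcfi_entry_t entry)
{
    struct kcfi_func f = { kcfi_type_id(prototype), entry };
    return f;
}

/* What the compiler does at an indirect call through an int (*)(int):
 * derive the expected hash from the call site's own prototype, read the
 * word ahead of the target, and trap on mismatch.  Control is transferred
 * only when the two agree. */
static struct kcfi_call_result kcfi_call_int_int(const struct kcfi_func *target,
                                                 int arg)
{
    struct kcfi_call_result r = { KCFI_TRAP, 0 };
    uint32_t expected = kcfi_type_id("int(int)");

    if (target->type_id != expected)
        return r;               /* real ABI: ud2 / brk / ebreak here */

    r.status = KCFI_OK;
    r.value = ((int (*)(int))target->entry)(arg);
    return r;
}

/* Candidate targets. */
static int double_it(int x) { return 2 * x; }
static int negate(int x) { return -x; }
static long add_longs(long a, long b) { return a + b; }

/* The intended target: exact prototype match, call proceeds. */
static struct kcfi_call_result scenario_exact_target(void)
{
    struct kcfi_func f = kcfi_emit("int(int)", (kcfi_entry_t)double_it);
    return kcfi_call_int_int(&f, 21);
}

/* A different function with the same prototype is also accepted: KCFI's
 * granularity is the prototype, not the individual function. */
static struct kcfi_call_result scenario_same_prototype(void)
{
    struct kcfi_func f = kcfi_emit("int(int)", (kcfi_entry_t)negate);
    return kcfi_call_int_int(&f, 5);
}

/* Pointer redirected to a function of another prototype: its preamble
 * carries a different hash, so the call traps before transferring. */
static struct kcfi_call_result scenario_prototype_mismatch(void)
{
    struct kcfi_func f = kcfi_emit("long(long,long)", (kcfi_entry_t)add_longs);
    return kcfi_call_int_int(&f, 1);
}

/* Pointer redirected into code with no preamble at all: whatever bytes
 * happen to precede it (constructed value) will not match either. */
static struct kcfi_call_result scenario_no_preamble(void)
{
    struct kcfi_func f = { 0x90909090u, (kcfi_entry_t)double_it };
    return kcfi_call_int_int(&f, 1);
}

int main(void)
{
    struct kcfi_call_result a = scenario_exact_target();
    struct kcfi_call_result b = scenario_same_prototype();
    printf("exact:    %s %d\n", a.status == KCFI_OK ? "ok" : "trap", a.value);
    printf("same:     %s %d\n", b.status == KCFI_OK ? "ok" : "trap", b.value);
    printf("mismatch: %s\n", scenario_prototype_mismatch().status == KCFI_OK ? "ok" : "trap");
    printf("gadget:   %s\n", scenario_no_preamble().status == KCFI_OK ? "ok" : "trap");
    return 0;
}
```

The second scenario is the caveat worth remembering when evaluating KCFI: any function whose prototype hashes to the same type-id is a legal target, so the protection bounds an attacker to the equivalence class of same-prototype functions rather than to the single intended callee. The kernel's type-diversity (and the upcoming type-aware allocator work mentioned in the changelog) is what shrinks those classes.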


Thread overview: 28+ messages
2025-09-13 23:23 Kees Cook [this message]
2025-09-13 23:23 ` [PATCH v3 1/7] typeinfo: Introduce KCFI typeinfo mangling API Kees Cook
2025-09-17 17:56   ` Qing Zhao
2025-09-17 21:20     ` Kees Cook
2025-09-18  7:20     ` Martin Uecker
2025-09-18 18:09       ` Kees Cook
2025-09-18 18:40         ` Martin Uecker
2025-09-13 23:23 ` [PATCH v3 2/7] kcfi: Add core Kernel Control Flow Integrity infrastructure Kees Cook
2025-09-17 13:42   ` Qing Zhao
2025-09-17 21:09     ` Kees Cook
2025-09-18 16:59       ` Qing Zhao
2025-09-18 18:20         ` Kees Cook
2025-09-18 18:48           ` Qing Zhao
2025-09-18 19:20             ` Kees Cook
2025-09-18 19:39       ` Kees Cook
2025-09-18 20:14         ` Qing Zhao
2025-09-13 23:23 ` [PATCH v3 3/7] x86: Add x86_64 Kernel Control Flow Integrity implementation Kees Cook
2025-09-13 23:24 ` [PATCH v3 4/7] aarch64: Add AArch64 " Kees Cook
2025-09-13 23:43   ` Andrew Pinski
2025-09-14 19:45     ` Kees Cook
2025-09-14 19:52       ` Andrew Pinski
2025-09-17 20:01     ` Kees Cook
2025-09-13 23:24 ` [PATCH v3 5/7] arm: Add ARM 32-bit " Kees Cook
2025-09-13 23:24 ` [PATCH v3 6/7] riscv: Add RISC-V " Kees Cook
2025-09-13 23:24 ` [PATCH v3 7/7] kcfi: Add regression test suite Kees Cook
2025-09-13 23:51   ` Andrew Pinski
2025-09-17 19:51     ` Kees Cook
2025-09-13 23:58   ` Andrew Pinski
