From: Kees Cook <kees@kernel.org>
To: Qing Zhao <qing.zhao@oracle.com>
Cc: Kees Cook <kees@kernel.org>, Andrew Pinski <pinskia@gmail.com>,
Jakub Jelinek <jakub@redhat.com>,
Martin Uecker <uecker@tugraz.at>,
Richard Biener <rguenther@suse.de>,
Joseph Myers <josmyers@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Ard Biesheuvel <ardb@kernel.org>,
Jeff Law <jeffreyalaw@gmail.com>, Jan Hubicka <hubicka@ucw.cz>,
Richard Earnshaw <richard.earnshaw@arm.com>,
Richard Sandiford <richard.sandiford@arm.com>,
Marcus Shawcroft <marcus.shawcroft@arm.com>,
Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
Kito Cheng <kito.cheng@gmail.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Andrew Waterman <andrew@sifive.com>,
Jim Wilson <jim.wilson.gcc@gmail.com>,
Dan Li <ashimida.1990@gmail.com>,
Sami Tolvanen <samitolvanen@google.com>,
Ramon de C Valle <rcvalle@google.com>,
Joao Moreira <joao@overdrivepizza.com>,
Nathan Chancellor <nathan@kernel.org>,
Bill Wendling <morbo@google.com>,
gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: [PATCH v4 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Thu, 25 Sep 2025 20:02:42 -0700
Message-ID: <20250926023737.it.616-kees@kernel.org>
Hi,
Here is v4! :)
This series implements[1][2] the Linux Kernel Control Flow Integrity
ABI, which provides a function prototype based forward edge control flow
integrity protection by instrumenting every indirect call to check for
a hash value before the target function address. If the hash at the call
site and the hash at the target do not match, execution will trap.
Changes since v3[3]:
- Clarified commit logs and kcfi.cc design docs further.
- Switched to KCFI-specific global label counter.
- Refactored patchable function entry and alignment padding calculations
and added extensive comments.
- Moved option validation into early option processing.
- Switched arm to using eor sequence suggested by Ard Biesheuvel.
- Switched arm scratch register to ip with r3 fallback.
- Removed redundant aarch64 clobbers.
- Added KCFI availability function for regression tests.
- Refactored regression tests to use check-function-bodies.
- Split arch-specific regression test patterns into per-arch patches (I
don't like having fully separate test source files be per-arch since
the conditions being tested are usually arch-agnostic).
- Added more complete function interface comments.
- Added -ffixed-$reg option checking and associated tests.
- Various other small cleanups.
Thanks!
-Kees
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[2] https://github.com/KSPP/linux/issues/369
[3] https://lore.kernel.org/linux-hardening/20250913231256.make.519-kees@kernel.org/
Kees Cook (7):
typeinfo: Introduce KCFI typeinfo mangling API
kcfi: Add core Kernel Control Flow Integrity infrastructure
kcfi: Add regression test suite
x86: Add x86_64 Kernel Control Flow Integrity implementation
aarch64: Add AArch64 Kernel Control Flow Integrity implementation
arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
riscv: Add RISC-V Kernel Control Flow Integrity implementation
gcc/kcfi.h | 55 ++
gcc/kcfi.cc | 670 ++++++++++++++++++
gcc/config/aarch64/aarch64-protos.h | 5 +
gcc/config/arm/arm-protos.h | 4 +
gcc/config/i386/i386-protos.h | 1 +
gcc/config/i386/i386.h | 3 +-
gcc/config/riscv/riscv-protos.h | 3 +
gcc/config/aarch64/aarch64.md | 64 +-
gcc/config/arm/arm.md | 62 ++
gcc/config/i386/i386.md | 62 +-
gcc/config/riscv/riscv.md | 76 +-
gcc/config/aarch64/aarch64.cc | 111 +++
gcc/config/arm/arm.cc | 170 +++++
gcc/config/i386/i386-expand.cc | 22 +-
gcc/config/i386/i386-options.cc | 11 +
gcc/config/i386/i386.cc | 128 ++++
gcc/config/riscv/riscv.cc | 169 +++++
gcc/doc/extend.texi | 132 ++++
gcc/doc/invoke.texi | 104 +++
gcc/doc/tm.texi | 31 +
gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 42 ++
gcc/testsuite/lib/target-supports.exp | 14 +
.../gcc.dg/builtin-typeinfo-errors.c | 28 +
gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 +++++++++
.../gcc.dg/kcfi/kcfi-aarch64-fixed-x16.c | 17 +
.../gcc.dg/kcfi/kcfi-aarch64-fixed-x17.c | 17 +
gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 114 +++
gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c | 15 +
.../gcc.dg/kcfi/kcfi-arm-fixed-r12.c | 15 +
gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 149 ++++
gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 90 +++
.../gcc.dg/kcfi/kcfi-cold-partition.c | 126 ++++
.../gcc.dg/kcfi/kcfi-complex-addressing.c | 203 ++++++
.../gcc.dg/kcfi/kcfi-complex-addressing.s | 0
.../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
.../gcc.dg/kcfi/kcfi-move-preservation.c | 118 +++
.../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++
gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 +
.../gcc.dg/kcfi/kcfi-offset-validation.c | 38 +
.../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 64 ++
.../gcc.dg/kcfi/kcfi-patchable-incompatible.c | 7 +
.../gcc.dg/kcfi/kcfi-patchable-large.c | 54 ++
.../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
.../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 61 ++
.../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c | 17 +
.../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c | 17 +
.../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c | 17 +
gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 276 ++++++++
gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 140 ++++
.../gcc.dg/kcfi/kcfi-trap-encoding.c | 69 ++
gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 29 +
.../gcc.dg/kcfi/kcfi-x86-fixed-r10.c | 17 +
.../gcc.dg/kcfi/kcfi-x86-fixed-r11.c | 17 +
.../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c | 40 ++
gcc/Makefile.in | 2 +
gcc/c-family/c-common.h | 1 +
gcc/flag-types.h | 2 +
gcc/gimple.h | 22 +
gcc/kcfi-typeinfo.h | 32 +
gcc/tree-pass.h | 1 +
gcc/c-family/c-attribs.cc | 17 +-
gcc/c-family/c-common.cc | 2 +
gcc/c/c-parser.cc | 72 ++
gcc/df-scan.cc | 7 +
gcc/doc/tm.texi.in | 12 +
gcc/final.cc | 3 +
gcc/kcfi-typeinfo.cc | 472 ++++++++++++
gcc/opts.cc | 1 +
gcc/passes.cc | 1 +
gcc/passes.def | 1 +
gcc/rtl.def | 6 +
gcc/rtlanal.cc | 5 +
gcc/target.def | 38 +
gcc/toplev.cc | 10 +
gcc/tree-inline.cc | 10 +
gcc/varasm.cc | 37 +-
76 files changed, 5018 insertions(+), 33 deletions(-)
create mode 100644 gcc/kcfi.h
create mode 100644 gcc/kcfi.cc
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-fixed-x16.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-fixed-x17.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
create mode 100644 gcc/kcfi-typeinfo.h
create mode 100644 gcc/kcfi-typeinfo.cc
--
2.34.1
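The check described in the cover letter above, as an added example that is not part of the series or of GCC's own code: a C simulation of the KCFI scheme in which each function carries a hash of its prototype and every indirect call compares that hash with the one the call site expects, with a return code standing in for the trap. The hash function (FNV-1a), the mangled-prototype strings and the descriptor layout are assumptions made for the illustration.

```c
#include <stdint.h>

/* Stand-in prototype hash: FNV-1a over a mangled prototype string.
   GCC's real KCFI typeinfo mangling and hash differ (assumption). */
static uint32_t kcfi_type_hash(const char *mangled_proto) {
    uint32_t h = 0x811c9dc5u;
    for (; *mangled_proto; mangled_proto++) {
        h ^= (uint8_t)*mangled_proto;
        h *= 0x01000193u;
    }
    return h;
}

/* Plain C cannot place data in front of a function's code, so this
   descriptor models the "hash stored before the entry point" layout. */
struct kcfi_target {
    uint32_t type_hash;   /* word that would precede the function entry */
    void (*entry)(void);  /* type-erased function address */
};

static struct kcfi_target kcfi_make(void (*fn)(void), const char *proto) {
    struct kcfi_target t = { kcfi_type_hash(proto), fn };
    return t;
}

/* Call-site check: the caller's expected prototype is fixed at compile
   time; the hash at the target is read at run time. Returns 0 and makes
   the call on a match; returns -1 where real KCFI would trap. */
static int kcfi_call_int(const struct kcfi_target *t,
                         const char *expected_proto, int arg, int *out) {
    if (t->type_hash != kcfi_type_hash(expected_proto))
        return -1;                      /* hash mismatch: trap */
    *out = ((int (*)(int))t->entry)(arg);
    return 0;
}

static int twice(int x) { return 2 * x; }
static void noop(void) { }

/* A target with the matching prototype is called; a target whose
   prototype differs (e.g. a pointer redirected to noop) is rejected. */
static int demo(void) {
    struct kcfi_target good = kcfi_make((void (*)(void))twice, "FiiE");
    struct kcfi_target bad  = kcfi_make((void (*)(void))noop,  "FvvE");
    int r = 0;
    if (kcfi_call_int(&good, "FiiE", 21, &r) != 0 || r != 42) return 1;
    if (kcfi_call_int(&bad,  "FiiE", 21, &r) != -1) return 2;
    return 0;
}
```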