[PATCH 0/5] kcfi: Prepare for GCC support

[PATCH 0/5] kcfi: Prepare for GCC support

[Kees Cook]

Hi,

With KCFI support in GCC coming[1], we need to make some (relatively
small) changes in the kernel to deal with it:

- move __nocfi out of compilers-clang.h (so GCC can see it too)
- add cfi=debug so future Kees can find breakage easier
- remove problematic __noinitretpoline usage
- rename CONFIG_CFI_CLANG to CONFIG_CFI (otherwise is it quite confusing)

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250821064202.work.893-kees@kernel.org/

Kees Cook (5):
  compiler_types.h: Move __nocfi out of compiler-specific header
  x86/traps: Clarify KCFI instruction layout
  x86/cfi: Add option for cfi=debug bootparam
  x86/cfi: Remove __noinitretpoline and __noretpoline
  kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

 arch/Kconfig                                  | 22 +++++-----
 arch/arm/Kconfig                              |  2 +-
 arch/arm64/Kconfig                            |  4 +-
 arch/riscv/Kconfig                            |  6 +--
 arch/x86/Kconfig                              | 12 +++---
 init/Kconfig                                  |  4 +-
 kernel/module/Kconfig                         |  2 +-
 lib/Kconfig.debug                             |  2 +-
 Makefile                                      |  2 +-
 arch/arm/mm/Makefile                          |  2 +-
 arch/riscv/kernel/Makefile                    |  2 +-
 arch/riscv/purgatory/Makefile                 |  2 +-
 arch/x86/kernel/Makefile                      |  2 +-
 arch/x86/purgatory/Makefile                   |  2 +-
 kernel/Makefile                               |  2 +-
 .../admin-guide/kernel-parameters.txt         | 18 ++++++++
 arch/riscv/include/asm/cfi.h                  |  4 +-
 arch/x86/include/asm/cfi.h                    |  4 +-
 include/asm-generic/vmlinux.lds.h             |  2 +-
 include/linux/cfi.h                           |  6 +--
 include/linux/cfi_types.h                     |  8 ++--
 include/linux/compiler-clang.h                |  5 ---
 include/linux/compiler-gcc.h                  |  4 --
 include/linux/compiler.h                      |  2 +-
 include/linux/compiler_types.h                |  4 +-
 include/linux/init.h                          |  8 ----
 tools/include/linux/cfi_types.h               |  6 +--
 tools/perf/util/include/linux/linkage.h       |  2 +-
 arch/arm/mm/cache-fa.S                        |  2 +-
 arch/arm/mm/cache-v4.S                        |  2 +-
 arch/arm/mm/cache-v4wb.S                      |  4 +-
 arch/arm/mm/cache-v4wt.S                      |  2 +-
 arch/arm/mm/cache-v6.S                        |  2 +-
 arch/arm/mm/cache-v7.S                        |  2 +-
 arch/arm/mm/cache-v7m.S                       |  2 +-
 arch/arm/mm/proc-arm1020.S                    |  2 +-
 arch/arm/mm/proc-arm1020e.S                   |  2 +-
 arch/arm/mm/proc-arm1022.S                    |  2 +-
 arch/arm/mm/proc-arm1026.S                    |  2 +-
 arch/arm/mm/proc-arm920.S                     |  2 +-
 arch/arm/mm/proc-arm922.S                     |  2 +-
 arch/arm/mm/proc-arm925.S                     |  2 +-
 arch/arm/mm/proc-arm926.S                     |  2 +-
 arch/arm/mm/proc-arm940.S                     |  2 +-
 arch/arm/mm/proc-arm946.S                     |  2 +-
 arch/arm/mm/proc-feroceon.S                   |  2 +-
 arch/arm/mm/proc-mohawk.S                     |  2 +-
 arch/arm/mm/proc-xsc3.S                       |  2 +-
 arch/arm/mm/tlb-v4.S                          |  2 +-
 arch/arm/kernel/hw_breakpoint.c               |  2 +-
 arch/arm64/kernel/debug-monitors.c            |  2 +-
 arch/arm64/kernel/traps.c                     |  4 +-
 arch/arm64/kvm/handle_exit.c                  |  2 +-
 arch/arm64/net/bpf_jit_comp.c                 |  2 +-
 arch/riscv/net/bpf_jit_comp64.c               |  4 +-
 arch/x86/kernel/alternative.c                 | 43 +++++++++++++++----
 arch/x86/kernel/cfi.c                         |  2 +-
 arch/x86/kernel/kprobes/core.c                |  2 +-
 drivers/misc/lkdtm/cfi.c                      |  2 +-
 kernel/module/tree_lookup.c                   |  2 +-
 kernel/configs/hardening.config               |  2 +-
 61 files changed, 141 insertions(+), 113 deletions(-)

-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 1/5] compiler_types.h: Move __nocfi out of compiler-specific header

[Kees Cook]

From: Kees Cook <kees@outflux.net>

Prepare for GCC KCFI support and move the __nocfi attribute from
compiler-clang.h to compiler_types.h. This was already effectively gated
by CONFIG_CFI_CLANG, so this remains safe for non-KCFI GCC builds.

Signed-off-by: Kees Cook <kees@outflux.net>
---
 include/linux/compiler-clang.h | 5 -----
 include/linux/compiler_types.h | 4 +++-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index fa4ffe037bc7..7a4568e421dc 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -96,11 +96,6 @@
 # define __noscs	__attribute__((__no_sanitize__("shadow-call-stack")))
 #endif
 
-#if __has_feature(kcfi)
-/* Disable CFI checking inside a function. */
-#define __nocfi		__attribute__((__no_sanitize__("kcfi")))
-#endif
-
 /*
  * Turn individual warnings and errors on and off locally, depending
  * on version.
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 16755431fc11..a910f9fa5341 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -432,7 +432,9 @@ struct ftrace_likely_data {
 # define __noscs
 #endif
 
-#ifndef __nocfi
+#if defined(CONFIG_CFI_CLANG)
+# define __nocfi		__attribute__((__no_sanitize__("kcfi")))
+#else
 # define __nocfi
 #endif
 
-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 1/5] compiler_types.h: Move __nocfi out of compiler-specific header

[Nathan Chancellor]

On Mon, Aug 25, 2025 at 07:25:48AM -0700, Kees Cook wrote:
> From: Kees Cook <kees@outflux.net>
> 
> Prepare for GCC KCFI support and move the __nocfi attribute from
> compiler-clang.h to compiler_types.h. This was already effectively gated
> by CONFIG_CFI_CLANG, so this remains safe for non-KCFI GCC builds.
> 
> Signed-off-by: Kees Cook <kees@outflux.net>

Reviewed-by: Nathan Chancellor <nathan@kernel.org>

> ---
>  include/linux/compiler-clang.h | 5 -----
>  include/linux/compiler_types.h | 4 +++-
>  2 files changed, 3 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index fa4ffe037bc7..7a4568e421dc 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -96,11 +96,6 @@
>  # define __noscs	__attribute__((__no_sanitize__("shadow-call-stack")))
>  #endif
>  
> -#if __has_feature(kcfi)
> -/* Disable CFI checking inside a function. */
> -#define __nocfi		__attribute__((__no_sanitize__("kcfi")))
> -#endif
> -
>  /*
>   * Turn individual warnings and errors on and off locally, depending
>   * on version.
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 16755431fc11..a910f9fa5341 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -432,7 +432,9 @@ struct ftrace_likely_data {
>  # define __noscs
>  #endif
>  
> -#ifndef __nocfi
> +#if defined(CONFIG_CFI_CLANG)

I tend to prefer '#ifdef' for single symbols.

> +# define __nocfi		__attribute__((__no_sanitize__("kcfi")))
> +#else
>  # define __nocfi
>  #endif
>  
> -- 
> 2.34.1
> 

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 2/5] x86/traps: Clarify KCFI instruction layout

[Kees Cook]

Just a nit-picky change to the KCFI indirect call check instruction
documentation. The addl offset isn't always -4 (it depends on patchable
function entry configuration).

Signed-off-by: Kees Cook <kees@kernel.org>
---
 arch/x86/kernel/cfi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cfi.c b/arch/x86/kernel/cfi.c
index 77086cf565ec..638eb5c933e0 100644
--- a/arch/x86/kernel/cfi.c
+++ b/arch/x86/kernel/cfi.c
@@ -27,7 +27,7 @@ static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
 	 * for indirect call checks:
 	 *
 	 *   movl    -<id>, %r10d       ; 6 bytes
-	 *   addl    -4(%reg), %r10d    ; 4 bytes
+	 *   addl    -<pos>(%reg), %r10d; 4 bytes
 	 *   je      .Ltmp1             ; 2 bytes
 	 *   ud2                        ; <- regs->ip
 	 *   .Ltmp1:
-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Kees Cook]

From: Kees Cook <kees@outflux.net>

Add "debug" option for "cfi=" bootparam to get details on early CFI
initialization steps. Standardize CFI pr_info() lines to use "CFI:"
prefix. Standardize "CFI: Using ..." to always report which CFI mode is
being used, regardless of CONFIG_FINEIBT. Document all the "cfi=" options.

Signed-off-by: Kees Cook <kees@outflux.net>
---
 .../admin-guide/kernel-parameters.txt         | 18 +++++++++
 arch/x86/kernel/alternative.c                 | 39 +++++++++++++++----
 2 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 747a55abf494..7b4bddb5a030 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -608,6 +608,24 @@
 	ccw_timeout_log	[S390]
 			See Documentation/arch/s390/common_io.rst for details.
 
+	cfi=		[X86-64] Set Control Flow Integrity checking features
+			when CONFIG_FINEIBT is enabled.
+			Format: feature[,feature...]
+			Default: auto
+
+			auto:	  Use FineIBT if IBT available, otherwise kCFI.
+				  Under FineIBT, enable "paranoid" mode when
+				  FRED is not available.
+			off:	  Turn off CFI checking.
+			kcfi:	  Use kCFI (disable FineIBT).
+			fineibt:  Use FineIBT (even if IBT not available).
+			norand:   Do not re-randomize CFI hashes.
+			paranoid: Add caller hash checking under FineIBT.
+			bhi:	  Enable register poisoning to stop speculation
+				  across FineIBT. (Disabled by default.)
+			warn:	  Do not enforce CFI checking: warn only.
+			debug:	  Report CFI initialization details.
+
 	cgroup_disable=	[KNL] Disable a particular controller or optional feature
 			Format: {name of the controller(s) or feature(s) to disable}
 			The effects of cgroup_disable=foo are:
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 7bde68247b5f..5d80ae77c042 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1225,6 +1225,7 @@ int cfi_get_func_arity(void *func)
 
 static bool cfi_rand __ro_after_init = true;
 static u32  cfi_seed __ro_after_init;
+static bool cfi_debug __ro_after_init;
 
 /*
  * Re-hash the CFI hash with a boot-time seed while making sure the result is
@@ -1259,6 +1260,8 @@ static __init int cfi_parse_cmdline(char *str)
 		} else if (!strcmp(str, "off")) {
 			cfi_mode = CFI_OFF;
 			cfi_rand = false;
+		} else if (!strcmp(str, "debug")) {
+			cfi_debug = true;
 		} else if (!strcmp(str, "kcfi")) {
 			cfi_mode = CFI_KCFI;
 		} else if (!strcmp(str, "fineibt")) {
@@ -1266,26 +1269,26 @@ static __init int cfi_parse_cmdline(char *str)
 		} else if (!strcmp(str, "norand")) {
 			cfi_rand = false;
 		} else if (!strcmp(str, "warn")) {
-			pr_alert("CFI mismatch non-fatal!\n");
+			pr_alert("CFI: mismatch non-fatal!\n");
 			cfi_warn = true;
 		} else if (!strcmp(str, "paranoid")) {
 			if (cfi_mode == CFI_FINEIBT) {
 				cfi_paranoid = true;
 			} else {
-				pr_err("Ignoring paranoid; depends on fineibt.\n");
+				pr_err("CFI: ignoring paranoid; depends on fineibt.\n");
 			}
 		} else if (!strcmp(str, "bhi")) {
 #ifdef CONFIG_FINEIBT_BHI
 			if (cfi_mode == CFI_FINEIBT) {
 				cfi_bhi = true;
 			} else {
-				pr_err("Ignoring bhi; depends on fineibt.\n");
+				pr_err("CFI: ignoring bhi; depends on fineibt.\n");
 			}
 #else
-			pr_err("Ignoring bhi; depends on FINEIBT_BHI=y.\n");
+			pr_err("CFI: ignoring bhi; depends on FINEIBT_BHI=y.\n");
 #endif
 		} else {
-			pr_err("Ignoring unknown cfi option (%s).", str);
+			pr_err("CFI: Ignoring unknown option (%s).", str);
 		}
 
 		str = next;
@@ -1734,6 +1737,8 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
 	 * rewrite them. This disables all CFI. If this succeeds but any of the
 	 * later stages fails, we're without CFI.
 	 */
+	if (builtin && cfi_debug)
+		pr_info("CFI: disabling all indirect call checking\n");
 	ret = cfi_disable_callers(start_retpoline, end_retpoline);
 	if (ret)
 		goto err;
@@ -1744,43 +1749,61 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
 			cfi_bpf_hash = cfi_rehash(cfi_bpf_hash);
 			cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);
 		}
+		if (builtin && cfi_debug)
+			pr_info("CFI: cfi_seed: 0x%08x\n", cfi_seed);
 
+		if (builtin && cfi_debug)
+			pr_info("CFI: rehashing all preambles\n");
 		ret = cfi_rand_preamble(start_cfi, end_cfi);
 		if (ret)
 			goto err;
 
+		if (builtin && cfi_debug)
+			pr_info("CFI: rehashing all indirect calls\n");
 		ret = cfi_rand_callers(start_retpoline, end_retpoline);
 		if (ret)
 			goto err;
+	} else {
+		if (builtin && cfi_debug)
+			pr_info("CFI: rehashing disabled\n");
 	}
 
 	switch (cfi_mode) {
 	case CFI_OFF:
 		if (builtin)
-			pr_info("Disabling CFI\n");
+			pr_info("CFI: disabled\n");
 		return;
 
 	case CFI_KCFI:
+		if (builtin && cfi_debug)
+			pr_info("CFI: enabling all indirect call checking\n");
 		ret = cfi_enable_callers(start_retpoline, end_retpoline);
 		if (ret)
 			goto err;
 
 		if (builtin)
-			pr_info("Using kCFI\n");
+			pr_info("CFI: Using %s kCFI\n",
+				cfi_rand ? "rehashed" : "retpoline");
 		return;
 
 	case CFI_FINEIBT:
+		if (builtin && cfi_debug)
+			pr_info("CFI: adding FineIBT to all preambles\n");
 		/* place the FineIBT preamble at func()-16 */
 		ret = cfi_rewrite_preamble(start_cfi, end_cfi);
 		if (ret)
 			goto err;
 
 		/* rewrite the callers to target func()-16 */
+		if (builtin && cfi_debug)
+			pr_info("CFI: rewriting indirect call sites to use FineIBT\n");
 		ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
 		if (ret)
 			goto err;
 
 		/* now that nobody targets func()+0, remove ENDBR there */
+		if (builtin && cfi_debug)
+			pr_info("CFI: removing old endbr insns\n");
 		cfi_rewrite_endbr(start_cfi, end_cfi);
 
 		if (builtin) {
@@ -2005,6 +2028,8 @@ bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
 static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
 			    s32 *start_cfi, s32 *end_cfi, bool builtin)
 {
+	if (builtin)
+		pr_info("CFI: Using standard kCFI\n");
 }
 
 #ifdef CONFIG_X86_KERNEL_IBT
-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Kees Cook]

On Mon, Aug 25, 2025 at 07:25:50AM -0700, Kees Cook wrote:
>  static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
>  			    s32 *start_cfi, s32 *end_cfi, bool builtin)
>  {
> +	if (builtin)
> +		pr_info("CFI: Using standard kCFI\n");
>  }

Oops, this needs IS_ENABLED(CONFIG_CFI) && ...

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Peter Zijlstra]

On Mon, Aug 25, 2025 at 07:25:50AM -0700, Kees Cook wrote:


> +	if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)
> +		if (builtin && cfi_debug)

You could just make that cfi_debug and add:

	if (builtin)
		cfi_debug = false;

at the very end of __apply_fineibt().

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Kees Cook]

On Mon, Aug 25, 2025 at 05:59:23PM +0200, Peter Zijlstra wrote:
> On Mon, Aug 25, 2025 at 07:25:50AM -0700, Kees Cook wrote:
> 
> 
> > +	if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> > +		if (builtin && cfi_debug)
> 
> You could just make that cfi_debug and add:
> 
> 	if (builtin)
> 		cfi_debug = false;
> 
> at the very end of __apply_fineibt().

Oh sneaky! Yeah. Will do.

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Nathan Chancellor]

On Mon, Aug 25, 2025 at 07:25:50AM -0700, Kees Cook wrote:
> From: Kees Cook <kees@outflux.net>
> 
> Add "debug" option for "cfi=" bootparam to get details on early CFI
> initialization steps. Standardize CFI pr_info() lines to use "CFI:"
> prefix. Standardize "CFI: Using ..." to always report which CFI mode is
> being used, regardless of CONFIG_FINEIBT. Document all the "cfi=" options.
> 
> Signed-off-by: Kees Cook <kees@outflux.net>

I am not sure if the x86 maintainers are "patch count adverse" but it
feels like this would be a little easier to review as four separate
patches. Every sentence in the commit message is basically its own
change.

1. The initial documentation for cfi= and its current values.
2. Standardization of pr_info() calls to use "CFI:"
3. Adding "CFI: Using" to __apply_fineibt()
4. Adding cfi=debug

Patch four would become much simpler to understand, especially with
Peter's suggested change.

> ---
>  .../admin-guide/kernel-parameters.txt         | 18 +++++++++
>  arch/x86/kernel/alternative.c                 | 39 +++++++++++++++----
>  2 files changed, 50 insertions(+), 7 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 747a55abf494..7b4bddb5a030 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -608,6 +608,24 @@
>  	ccw_timeout_log	[S390]
>  			See Documentation/arch/s390/common_io.rst for details.
>  
> +	cfi=		[X86-64] Set Control Flow Integrity checking features
> +			when CONFIG_FINEIBT is enabled.
> +			Format: feature[,feature...]
> +			Default: auto
> +
> +			auto:	  Use FineIBT if IBT available, otherwise kCFI.
> +				  Under FineIBT, enable "paranoid" mode when
> +				  FRED is not available.
> +			off:	  Turn off CFI checking.
> +			kcfi:	  Use kCFI (disable FineIBT).
> +			fineibt:  Use FineIBT (even if IBT not available).
> +			norand:   Do not re-randomize CFI hashes.
> +			paranoid: Add caller hash checking under FineIBT.
> +			bhi:	  Enable register poisoning to stop speculation
> +				  across FineIBT. (Disabled by default.)
> +			warn:	  Do not enforce CFI checking: warn only.
> +			debug:	  Report CFI initialization details.
> +
>  	cgroup_disable=	[KNL] Disable a particular controller or optional feature
>  			Format: {name of the controller(s) or feature(s) to disable}
>  			The effects of cgroup_disable=foo are:
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index 7bde68247b5f..5d80ae77c042 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -1225,6 +1225,7 @@ int cfi_get_func_arity(void *func)
>  
>  static bool cfi_rand __ro_after_init = true;
>  static u32  cfi_seed __ro_after_init;
> +static bool cfi_debug __ro_after_init;
>  
>  /*
>   * Re-hash the CFI hash with a boot-time seed while making sure the result is
> @@ -1259,6 +1260,8 @@ static __init int cfi_parse_cmdline(char *str)
>  		} else if (!strcmp(str, "off")) {
>  			cfi_mode = CFI_OFF;
>  			cfi_rand = false;
> +		} else if (!strcmp(str, "debug")) {
> +			cfi_debug = true;
>  		} else if (!strcmp(str, "kcfi")) {
>  			cfi_mode = CFI_KCFI;
>  		} else if (!strcmp(str, "fineibt")) {
> @@ -1266,26 +1269,26 @@ static __init int cfi_parse_cmdline(char *str)
>  		} else if (!strcmp(str, "norand")) {
>  			cfi_rand = false;
>  		} else if (!strcmp(str, "warn")) {
> -			pr_alert("CFI mismatch non-fatal!\n");
> +			pr_alert("CFI: mismatch non-fatal!\n");
>  			cfi_warn = true;
>  		} else if (!strcmp(str, "paranoid")) {
>  			if (cfi_mode == CFI_FINEIBT) {
>  				cfi_paranoid = true;
>  			} else {
> -				pr_err("Ignoring paranoid; depends on fineibt.\n");
> +				pr_err("CFI: ignoring paranoid; depends on fineibt.\n");
>  			}
>  		} else if (!strcmp(str, "bhi")) {
>  #ifdef CONFIG_FINEIBT_BHI
>  			if (cfi_mode == CFI_FINEIBT) {
>  				cfi_bhi = true;
>  			} else {
> -				pr_err("Ignoring bhi; depends on fineibt.\n");
> +				pr_err("CFI: ignoring bhi; depends on fineibt.\n");
>  			}
>  #else
> -			pr_err("Ignoring bhi; depends on FINEIBT_BHI=y.\n");
> +			pr_err("CFI: ignoring bhi; depends on FINEIBT_BHI=y.\n");
>  #endif
>  		} else {
> -			pr_err("Ignoring unknown cfi option (%s).", str);
> +			pr_err("CFI: Ignoring unknown option (%s).", str);

You lowercase "Ignoring" earlier but not here, intentional? There are a
couple of other messages that have a capital first letter but not
others.

>  		}
>  
>  		str = next;
> @@ -1734,6 +1737,8 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
>  	 * rewrite them. This disables all CFI. If this succeeds but any of the
>  	 * later stages fails, we're without CFI.
>  	 */
> +	if (builtin && cfi_debug)
> +		pr_info("CFI: disabling all indirect call checking\n");
>  	ret = cfi_disable_callers(start_retpoline, end_retpoline);
>  	if (ret)
>  		goto err;
> @@ -1744,43 +1749,61 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
>  			cfi_bpf_hash = cfi_rehash(cfi_bpf_hash);
>  			cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);
>  		}
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: cfi_seed: 0x%08x\n", cfi_seed);
>  
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: rehashing all preambles\n");
>  		ret = cfi_rand_preamble(start_cfi, end_cfi);
>  		if (ret)
>  			goto err;
>  
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: rehashing all indirect calls\n");
>  		ret = cfi_rand_callers(start_retpoline, end_retpoline);
>  		if (ret)
>  			goto err;
> +	} else {
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: rehashing disabled\n");
>  	}
>  
>  	switch (cfi_mode) {
>  	case CFI_OFF:
>  		if (builtin)
> -			pr_info("Disabling CFI\n");
> +			pr_info("CFI: disabled\n");
>  		return;
>  
>  	case CFI_KCFI:
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: enabling all indirect call checking\n");
>  		ret = cfi_enable_callers(start_retpoline, end_retpoline);
>  		if (ret)
>  			goto err;
>  
>  		if (builtin)
> -			pr_info("Using kCFI\n");
> +			pr_info("CFI: Using %s kCFI\n",
> +				cfi_rand ? "rehashed" : "retpoline");
>  		return;
>  
>  	case CFI_FINEIBT:
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: adding FineIBT to all preambles\n");
>  		/* place the FineIBT preamble at func()-16 */
>  		ret = cfi_rewrite_preamble(start_cfi, end_cfi);
>  		if (ret)
>  			goto err;
>  
>  		/* rewrite the callers to target func()-16 */
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: rewriting indirect call sites to use FineIBT\n");
>  		ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
>  		if (ret)
>  			goto err;
>  
>  		/* now that nobody targets func()+0, remove ENDBR there */
> +		if (builtin && cfi_debug)
> +			pr_info("CFI: removing old endbr insns\n");
>  		cfi_rewrite_endbr(start_cfi, end_cfi);
>  
>  		if (builtin) {
> @@ -2005,6 +2028,8 @@ bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
>  static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
>  			    s32 *start_cfi, s32 *end_cfi, bool builtin)
>  {
> +	if (builtin)
> +		pr_info("CFI: Using standard kCFI\n");
>  }
>  
>  #ifdef CONFIG_X86_KERNEL_IBT
> -- 
> 2.34.1
> 

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 3/5] x86/cfi: Add option for cfi=debug bootparam

[Kees Cook]

On Wed, Aug 27, 2025 at 12:57:53PM -0700, Nathan Chancellor wrote:
> On Mon, Aug 25, 2025 at 07:25:50AM -0700, Kees Cook wrote:
> > From: Kees Cook <kees@outflux.net>
> > 
> > Add "debug" option for "cfi=" bootparam to get details on early CFI
> > initialization steps. Standardize CFI pr_info() lines to use "CFI:"
> > prefix. Standardize "CFI: Using ..." to always report which CFI mode is
> > being used, regardless of CONFIG_FINEIBT. Document all the "cfi=" options.
> > 
> > Signed-off-by: Kees Cook <kees@outflux.net>
> 
> I am not sure if the x86 maintainers are "patch count adverse" but it
> feels like this would be a little easier to review as four separate
> patches. Every sentence in the commit message is basically its own
> change.
> 
> 1. The initial documentation for cfi= and its current values.
> 2. Standardization of pr_info() calls to use "CFI:"
> 3. Adding "CFI: Using" to __apply_fineibt()
> 4. Adding cfi=debug
> 
> Patch four would become much simpler to understand, especially with
> Peter's suggested change.

Yeah, that's entirely fair. :) I will split this up.

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 4/5] x86/cfi: Remove __noinitretpoline and __noretpoline

[Kees Cook]

From: Kees Cook <kees@outflux.net>

Commit 66f793099a63 ("x86/retpoline: Avoid retpolines for built-in __init
functions") disabled retpolines in __init sections (__noinitretpoline)
as a precaution against potential issues with retpolines in early boot,
but it has not been a problem in practice (i.e. see Clang below).

Commit 87358710c1fb ("x86/retpoline: Support retpoline builds with Clang")
narrowed this to only GCC, as Clang doesn't have per-function control
over retpoline emission. As such, Clang has been booting with retpolines
in __init since retpoline support was introduced.

Clang KCFI has been instrumenting __init since CFI was introduced.

With the introduction of KCFI for GCC, KCFI instrumentation with
retpolines disabled means that objtool does not construct .retpoline_sites
section entries for the non-retpoline KCFI calls. At boot, the KCFI
rehashing code, via __apply_fineibt(), misses all __init KCFI calls
(since they are not retpolines), resulting in immediate hash mismatches:
all preambles are rehashed (via .cfi_sites) and none of the __init call
sites are rehashed.

Remove __noinitretpoline since it provides no meaningful utility and
creates problems with CFI. Additionally remove __noretpoline since it
is now unused.

Alternatively, cfi_rand_callers() could walk the .kcfi_traps section which
is exactly the list of KCFI instrumentation sites. But it seems better to
have as few differences in common instruction sequences between compilers
as possible, so better to remove the special handling of retpolines in
__init for GCC.

Signed-off-by: Kees Cook <kees@outflux.net>
---
Cc: David Woodhouse <dwmw2@infradead.org>
---
 include/linux/compiler-gcc.h | 4 ----
 include/linux/init.h         | 8 --------
 2 files changed, 12 deletions(-)

diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 5d07c469b571..5de824a0b3d7 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -35,10 +35,6 @@
 	(typeof(ptr)) (__ptr + (off));					\
 })
 
-#ifdef CONFIG_MITIGATION_RETPOLINE
-#define __noretpoline __attribute__((__indirect_branch__("keep")))
-#endif
-
 #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
 #define __latent_entropy __attribute__((latent_entropy))
 #endif
diff --git a/include/linux/init.h b/include/linux/init.h
index a60d32d227ee..17c1bc712e23 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -7,13 +7,6 @@
 #include <linux/stringify.h>
 #include <linux/types.h>
 
-/* Built-in __init functions needn't be compiled with retpoline */
-#if defined(__noretpoline) && !defined(MODULE)
-#define __noinitretpoline __noretpoline
-#else
-#define __noinitretpoline
-#endif
-
 /* These macros are used to mark some functions or 
  * initialized data (doesn't apply to uninitialized data)
  * as `initialization' functions. The kernel can take this
@@ -50,7 +43,6 @@
 /* These are for everybody (although not all archs will actually
    discard it in modules) */
 #define __init		__section(".init.text") __cold __latent_entropy	\
-						__noinitretpoline	\
 						__no_kstack_erase
 #define __initdata	__section(".init.data")
 #define __initconst	__section(".init.rodata")
-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Kees Cook]

From: Kees Cook <kees@outflux.net>

The kernel's CFI implementation uses the KCFI ABI specifically, and is
not strictly tied to a particular compiler. In preparation for GCC
supporting KCFI[1], rename CONFIG_CFI_CLANG to CONFIG_CFI (along with
associated options).

Link: https://lore.kernel.org/linux-hardening/20250821064202.work.893-kees@kernel.org [1]
Signed-off-by: Kees Cook <kees@outflux.net>
---
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Puranjay Mohan <puranjay@kernel.org>
---
 arch/Kconfig                            | 22 +++++++++++-----------
 arch/arm/Kconfig                        |  2 +-
 arch/arm64/Kconfig                      |  4 ++--
 arch/riscv/Kconfig                      |  6 +++---
 arch/x86/Kconfig                        | 12 ++++++------
 init/Kconfig                            |  4 ++--
 kernel/module/Kconfig                   |  2 +-
 lib/Kconfig.debug                       |  2 +-
 Makefile                                |  2 +-
 arch/arm/mm/Makefile                    |  2 +-
 arch/riscv/kernel/Makefile              |  2 +-
 arch/riscv/purgatory/Makefile           |  2 +-
 arch/x86/kernel/Makefile                |  2 +-
 arch/x86/purgatory/Makefile             |  2 +-
 kernel/Makefile                         |  2 +-
 arch/riscv/include/asm/cfi.h            |  4 ++--
 arch/x86/include/asm/cfi.h              |  4 ++--
 include/asm-generic/vmlinux.lds.h       |  2 +-
 include/linux/cfi.h                     |  6 +++---
 include/linux/cfi_types.h               |  8 ++++----
 include/linux/compiler.h                |  2 +-
 include/linux/compiler_types.h          |  2 +-
 tools/include/linux/cfi_types.h         |  6 +++---
 tools/perf/util/include/linux/linkage.h |  2 +-
 arch/arm/mm/cache-fa.S                  |  2 +-
 arch/arm/mm/cache-v4.S                  |  2 +-
 arch/arm/mm/cache-v4wb.S                |  4 ++--
 arch/arm/mm/cache-v4wt.S                |  2 +-
 arch/arm/mm/cache-v6.S                  |  2 +-
 arch/arm/mm/cache-v7.S                  |  2 +-
 arch/arm/mm/cache-v7m.S                 |  2 +-
 arch/arm/mm/proc-arm1020.S              |  2 +-
 arch/arm/mm/proc-arm1020e.S             |  2 +-
 arch/arm/mm/proc-arm1022.S              |  2 +-
 arch/arm/mm/proc-arm1026.S              |  2 +-
 arch/arm/mm/proc-arm920.S               |  2 +-
 arch/arm/mm/proc-arm922.S               |  2 +-
 arch/arm/mm/proc-arm925.S               |  2 +-
 arch/arm/mm/proc-arm926.S               |  2 +-
 arch/arm/mm/proc-arm940.S               |  2 +-
 arch/arm/mm/proc-arm946.S               |  2 +-
 arch/arm/mm/proc-feroceon.S             |  2 +-
 arch/arm/mm/proc-mohawk.S               |  2 +-
 arch/arm/mm/proc-xsc3.S                 |  2 +-
 arch/arm/mm/tlb-v4.S                    |  2 +-
 arch/arm/kernel/hw_breakpoint.c         |  2 +-
 arch/arm64/kernel/debug-monitors.c      |  2 +-
 arch/arm64/kernel/traps.c               |  4 ++--
 arch/arm64/kvm/handle_exit.c            |  2 +-
 arch/arm64/net/bpf_jit_comp.c           |  2 +-
 arch/riscv/net/bpf_jit_comp64.c         |  4 ++--
 arch/x86/kernel/alternative.c           |  4 ++--
 arch/x86/kernel/kprobes/core.c          |  2 +-
 drivers/misc/lkdtm/cfi.c                |  2 +-
 kernel/module/tree_lookup.c             |  2 +-
 kernel/configs/hardening.config         |  2 +-
 56 files changed, 88 insertions(+), 88 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index d1b4ffd6e085..c25a45d9aa96 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -867,7 +867,7 @@ config PROPELLER_CLANG
 
 	  If unsure, say N.
 
-config ARCH_SUPPORTS_CFI_CLANG
+config ARCH_SUPPORTS_CFI
 	bool
 	help
 	  An architecture should select this option if it can support Clang's
@@ -876,13 +876,13 @@ config ARCH_SUPPORTS_CFI_CLANG
 config ARCH_USES_CFI_TRAPS
 	bool
 
-config CFI_CLANG
-	bool "Use Clang's Control Flow Integrity (CFI)"
-	depends on ARCH_SUPPORTS_CFI_CLANG
+config CFI
+	bool "Use Kernel Control Flow Integrity (kCFI)"
+	depends on ARCH_SUPPORTS_CFI
 	depends on $(cc-option,-fsanitize=kcfi)
 	help
-	  This option enables Clang's forward-edge Control Flow Integrity
-	  (CFI) checking, where the compiler injects a runtime check to each
+	  This option enables forward-edge Control Flow Integrity (CFI)
+	  checking, where the compiler injects a runtime check to each
 	  indirect function call to ensure the target is a valid function with
 	  the correct static type. This restricts possible call targets and
 	  makes it more difficult for an attacker to exploit bugs that allow
@@ -893,8 +893,8 @@ config CFI_CLANG
 
 config CFI_ICALL_NORMALIZE_INTEGERS
 	bool "Normalize CFI tags for integers"
-	depends on CFI_CLANG
-	depends on HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG
+	depends on CFI
+	depends on HAVE_CFI_ICALL_NORMALIZE_INTEGERS
 	help
 	  This option normalizes the CFI tags for integer types so that all
 	  integer types of the same size and signedness receive the same CFI
@@ -907,7 +907,7 @@ config CFI_ICALL_NORMALIZE_INTEGERS
 
 	  This option is necessary for using CFI with Rust. If unsure, say N.
 
-config HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG
+config HAVE_CFI_ICALL_NORMALIZE_INTEGERS
 	def_bool y
 	depends on $(cc-option,-fsanitize=kcfi -fsanitize-cfi-icall-experimental-normalize-integers)
 	# With GCOV/KASAN we need this fix: https://github.com/llvm/llvm-project/pull/104826
@@ -915,7 +915,7 @@ config HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG
 
 config HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC
 	def_bool y
-	depends on HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG
+	depends on HAVE_CFI_ICALL_NORMALIZE_INTEGERS
 	depends on RUSTC_VERSION >= 107900
 	# With GCOV/KASAN we need this fix: https://github.com/rust-lang/rust/pull/129373
 	depends on (RUSTC_LLVM_VERSION >= 190103 && RUSTC_VERSION >= 108200) || \
@@ -923,7 +923,7 @@ config HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC
 
 config CFI_PERMISSIVE
 	bool "Use CFI in permissive mode"
-	depends on CFI_CLANG
+	depends on CFI
 	help
 	  When selected, Control Flow Integrity (CFI) violations result in a
 	  warning instead of a kernel panic. This option should only be used
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index b1f3df39ed40..36ab8625be72 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -38,7 +38,7 @@ config ARM
 	select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7
 	select ARCH_NEED_CMPXCHG_1_EMU if CPU_V6
 	select ARCH_SUPPORTS_ATOMIC_RMW
-	select ARCH_SUPPORTS_CFI_CLANG
+	select ARCH_SUPPORTS_CFI
 	select ARCH_SUPPORTS_HUGETLBFS if ARM_LPAE
 	select ARCH_SUPPORTS_PER_VMA_LOCK
 	select ARCH_USE_BUILTIN_BSWAP
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index e9bbfacc35a6..1e38b8885a46 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -100,7 +100,7 @@ config ARM64
 	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
 	select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
 	select ARCH_SUPPORTS_LTO_CLANG_THIN
-	select ARCH_SUPPORTS_CFI_CLANG
+	select ARCH_SUPPORTS_CFI
 	select ARCH_SUPPORTS_ATOMIC_RMW
 	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
 	select ARCH_SUPPORTS_NUMA_BALANCING
@@ -212,7 +212,7 @@ config ARM64
 	select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \
 		if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS
 	select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS \
-		if (DYNAMIC_FTRACE_WITH_ARGS && !CFI_CLANG && \
+		if (DYNAMIC_FTRACE_WITH_ARGS && !CFI && \
 		    (CC_IS_CLANG || !CC_OPTIMIZE_FOR_SIZE))
 	select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY \
 		if DYNAMIC_FTRACE_WITH_ARGS
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a4b233a0659e..6043ad82b73c 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -60,7 +60,7 @@ config RISCV
 	select ARCH_STACKWALK
 	select ARCH_SUPPORTS_ATOMIC_RMW
 	# clang >= 17: https://github.com/llvm/llvm-project/commit/62fa708ceb027713b386c7e0efda994f8bdc27e2
-	select ARCH_SUPPORTS_CFI_CLANG if CLANG_VERSION >= 170000
+	select ARCH_SUPPORTS_CFI if (!CC_IS_CLANG || CLANG_VERSION >= 170000)
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC if MMU
 	select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE
 	select ARCH_SUPPORTS_HUGETLBFS if MMU
@@ -76,7 +76,7 @@ config RISCV
 	select ARCH_USE_MEMTEST
 	select ARCH_USE_QUEUED_RWLOCKS
 	select ARCH_USE_SYM_ANNOTATIONS
-	select ARCH_USES_CFI_TRAPS if CFI_CLANG
+	select ARCH_USES_CFI_TRAPS if CFI
 	select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH if MMU
 	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
 	select ARCH_WANT_FRAME_POINTERS
@@ -154,7 +154,7 @@ config RISCV
 	select HAVE_DYNAMIC_FTRACE if !XIP_KERNEL && MMU && (CLANG_SUPPORTS_DYNAMIC_FTRACE || GCC_SUPPORTS_DYNAMIC_FTRACE)
 	select FUNCTION_ALIGNMENT_4B if HAVE_DYNAMIC_FTRACE && RISCV_ISA_C
 	select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS if HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS
-	select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS if (DYNAMIC_FTRACE_WITH_ARGS && !CFI_CLANG)
+	select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS if (DYNAMIC_FTRACE_WITH_ARGS && !CFI)
 	select HAVE_DYNAMIC_FTRACE_WITH_ARGS if HAVE_DYNAMIC_FTRACE
 	select HAVE_FTRACE_GRAPH_FUNC
 	select HAVE_FUNCTION_GRAPH_TRACER if HAVE_DYNAMIC_FTRACE_WITH_ARGS
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 58d890fe2100..b6da2d37cfd1 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,8 +127,8 @@ config X86
 	select ARCH_SUPPORTS_PAGE_TABLE_CHECK	if X86_64
 	select ARCH_SUPPORTS_NUMA_BALANCING	if X86_64
 	select ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP	if NR_CPUS <= 4096
-	select ARCH_SUPPORTS_CFI_CLANG		if X86_64
-	select ARCH_USES_CFI_TRAPS		if X86_64 && CFI_CLANG
+	select ARCH_SUPPORTS_CFI		if X86_64
+	select ARCH_USES_CFI_TRAPS		if X86_64 && CFI
 	select ARCH_SUPPORTS_LTO_CLANG
 	select ARCH_SUPPORTS_LTO_CLANG_THIN
 	select ARCH_SUPPORTS_RT
@@ -2396,11 +2396,11 @@ config FUNCTION_PADDING_CFI
 	default  3 if FUNCTION_ALIGNMENT_8B
 	default  0
 
-# Basically: FUNCTION_ALIGNMENT - 5*CFI_CLANG
+# Basically: FUNCTION_ALIGNMENT - 5*CFI
 # except Kconfig can't do arithmetic :/
 config FUNCTION_PADDING_BYTES
 	int
-	default FUNCTION_PADDING_CFI if CFI_CLANG
+	default FUNCTION_PADDING_CFI if CFI
 	default FUNCTION_ALIGNMENT
 
 config CALL_PADDING
@@ -2410,7 +2410,7 @@ config CALL_PADDING
 
 config FINEIBT
 	def_bool y
-	depends on X86_KERNEL_IBT && CFI_CLANG && MITIGATION_RETPOLINE
+	depends on X86_KERNEL_IBT && CFI && MITIGATION_RETPOLINE
 	select CALL_PADDING
 
 config FINEIBT_BHI
@@ -2427,7 +2427,7 @@ config CALL_THUNKS
 
 config PREFIX_SYMBOLS
 	def_bool y
-	depends on CALL_PADDING && !CFI_CLANG
+	depends on CALL_PADDING && !CFI
 
 menuconfig CPU_MITIGATIONS
 	bool "Mitigations for CPU vulnerabilities"
diff --git a/init/Kconfig b/init/Kconfig
index 836320251219..67f10d8a33b7 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2063,8 +2063,8 @@ config RUST
 	depends on !GCC_PLUGIN_RANDSTRUCT
 	depends on !RANDSTRUCT
 	depends on !DEBUG_INFO_BTF || (PAHOLE_HAS_LANG_EXCLUDE && !LTO)
-	depends on !CFI_CLANG || HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC
-	select CFI_ICALL_NORMALIZE_INTEGERS if CFI_CLANG
+	depends on !CFI || HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC
+	select CFI_ICALL_NORMALIZE_INTEGERS if CFI
 	depends on !CALL_PADDING || RUSTC_VERSION >= 108100
 	depends on !KASAN_SW_TAGS
 	depends on !(MITIGATION_RETHUNK && KASAN) || RUSTC_VERSION >= 108300
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 39278737bb68..2a1beebf1d37 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -460,6 +460,6 @@ config UNUSED_KSYMS_WHITELIST
 
 config MODULES_TREE_LOOKUP
 	def_bool y
-	depends on PERF_EVENTS || TRACING || CFI_CLANG
+	depends on PERF_EVENTS || TRACING || CFI
 
 endif # MODULES
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index dc0e0c6ed075..e3e69df19e78 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -2894,7 +2894,7 @@ config FORTIFY_KUNIT_TEST
 config LONGEST_SYM_KUNIT_TEST
 	tristate "Test the longest symbol possible" if !KUNIT_ALL_TESTS
 	depends on KUNIT && KPROBES
-	depends on !PREFIX_SYMBOLS && !CFI_CLANG && !GCOV_KERNEL
+	depends on !PREFIX_SYMBOLS && !CFI && !GCOV_KERNEL
 	default KUNIT_ALL_TESTS
 	help
 	  Tests the longest symbol possible
diff --git a/Makefile b/Makefile
index d1adb78c3596..437989d6e0be 100644
--- a/Makefile
+++ b/Makefile
@@ -1020,7 +1020,7 @@ KBUILD_AFLAGS	+= -fno-lto
 export CC_FLAGS_LTO
 endif
 
-ifdef CONFIG_CFI_CLANG
+ifdef CONFIG_CFI
 CC_FLAGS_CFI	:= -fsanitize=kcfi
 ifdef CONFIG_CFI_ICALL_NORMALIZE_INTEGERS
 	CC_FLAGS_CFI	+= -fsanitize-cfi-icall-experimental-normalize-integers
diff --git a/arch/arm/mm/Makefile b/arch/arm/mm/Makefile
index a195cd1d3e6d..1e2201013371 100644
--- a/arch/arm/mm/Makefile
+++ b/arch/arm/mm/Makefile
@@ -89,7 +89,7 @@ obj-$(CONFIG_CPU_V6)		+= proc-v6.o
 obj-$(CONFIG_CPU_V6K)		+= proc-v6.o
 obj-$(CONFIG_CPU_V7)		+= proc-v7.o proc-v7-bugs.o
 obj-$(CONFIG_CPU_V7M)		+= proc-v7m.o
-obj-$(CONFIG_CFI_CLANG)		+= proc.o
+obj-$(CONFIG_CFI)		+= proc.o
 
 obj-$(CONFIG_OUTER_CACHE)	+= l2c-common.o
 obj-$(CONFIG_CACHE_B15_RAC)	+= cache-b15-rac.o
diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
index c7b542573407..f60fce69b725 100644
--- a/arch/riscv/kernel/Makefile
+++ b/arch/riscv/kernel/Makefile
@@ -113,7 +113,7 @@ obj-$(CONFIG_VMCORE_INFO)	+= vmcore_info.o
 
 obj-$(CONFIG_JUMP_LABEL)	+= jump_label.o
 
-obj-$(CONFIG_CFI_CLANG)		+= cfi.o
+obj-$(CONFIG_CFI)		+= cfi.o
 
 obj-$(CONFIG_EFI)		+= efi.o
 obj-$(CONFIG_COMPAT)		+= compat_syscall_table.o
diff --git a/arch/riscv/purgatory/Makefile b/arch/riscv/purgatory/Makefile
index 240592e3f5c2..530e497ca2f9 100644
--- a/arch/riscv/purgatory/Makefile
+++ b/arch/riscv/purgatory/Makefile
@@ -71,7 +71,7 @@ ifdef CONFIG_STACKPROTECTOR_STRONG
 PURGATORY_CFLAGS_REMOVE		+= -fstack-protector-strong
 endif
 
-ifdef CONFIG_CFI_CLANG
+ifdef CONFIG_CFI
 PURGATORY_CFLAGS_REMOVE		+= $(CC_FLAGS_CFI)
 endif
 
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 0d2a6d953be9..bc184dd38d99 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -148,7 +148,7 @@ obj-$(CONFIG_UNWINDER_ORC)		+= unwind_orc.o
 obj-$(CONFIG_UNWINDER_FRAME_POINTER)	+= unwind_frame.o
 obj-$(CONFIG_UNWINDER_GUESS)		+= unwind_guess.o
 
-obj-$(CONFIG_CFI_CLANG)			+= cfi.o
+obj-$(CONFIG_CFI)			+= cfi.o
 
 obj-$(CONFIG_CALL_THUNKS)		+= callthunks.o
 
diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
index e0a607a14e7e..5ce1d4263000 100644
--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -57,7 +57,7 @@ ifdef CONFIG_MITIGATION_RETPOLINE
 PURGATORY_CFLAGS_REMOVE		+= $(RETPOLINE_CFLAGS)
 endif
 
-ifdef CONFIG_CFI_CLANG
+ifdef CONFIG_CFI
 PURGATORY_CFLAGS_REMOVE		+= $(CC_FLAGS_CFI)
 endif
 
diff --git a/kernel/Makefile b/kernel/Makefile
index c60623448235..27e0e6a33610 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -122,7 +122,7 @@ obj-$(CONFIG_KCSAN) += kcsan/
 obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o
 obj-$(CONFIG_HAVE_STATIC_CALL) += static_call.o
 obj-$(CONFIG_HAVE_STATIC_CALL_INLINE) += static_call_inline.o
-obj-$(CONFIG_CFI_CLANG) += cfi.o
+obj-$(CONFIG_CFI) += cfi.o
 
 obj-$(CONFIG_PERF_EVENTS) += events/
 
diff --git a/arch/riscv/include/asm/cfi.h b/arch/riscv/include/asm/cfi.h
index 4508aaa7a2fd..710aa8192edd 100644
--- a/arch/riscv/include/asm/cfi.h
+++ b/arch/riscv/include/asm/cfi.h
@@ -11,7 +11,7 @@
 
 struct pt_regs;
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 enum bug_trap_type handle_cfi_failure(struct pt_regs *regs);
 #define __bpfcall
 #else
@@ -19,6 +19,6 @@ static inline enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
 {
 	return BUG_TRAP_TYPE_NONE;
 }
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 #endif /* _ASM_RISCV_CFI_H */
diff --git a/arch/x86/include/asm/cfi.h b/arch/x86/include/asm/cfi.h
index 1751f1eb95ef..976b90a3d190 100644
--- a/arch/x86/include/asm/cfi.h
+++ b/arch/x86/include/asm/cfi.h
@@ -113,7 +113,7 @@ extern bhi_thunk __bhi_args_end[];
 
 struct pt_regs;
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 enum bug_trap_type handle_cfi_failure(struct pt_regs *regs);
 #define __bpfcall
 
@@ -157,7 +157,7 @@ static inline int cfi_get_func_arity(void *func)
 {
 	return 0;
 }
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 #if HAS_KERNEL_IBT == 1
 #define CFI_NOSEAL(x)	asm(IBT_NOSEAL(__stringify(x)))
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index ae2d2359b79e..a65a87366c48 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -157,7 +157,7 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG)
 #define PATCHABLE_DISCARDS	*(__patchable_function_entries)
 #endif
 
-#ifndef CONFIG_ARCH_SUPPORTS_CFI_CLANG
+#ifndef CONFIG_ARCH_SUPPORTS_CFI
 /*
  * Simply points to ftrace_stub, but with the proper protocol.
  * Defined by the linker script in linux/vmlinux.lds.h
diff --git a/include/linux/cfi.h b/include/linux/cfi.h
index 52a98886a455..1fd22ea6eba4 100644
--- a/include/linux/cfi.h
+++ b/include/linux/cfi.h
@@ -11,7 +11,7 @@
 #include <linux/module.h>
 #include <asm/cfi.h>
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 extern bool cfi_warn;
 
 enum bug_trap_type report_cfi_failure(struct pt_regs *regs, unsigned long addr,
@@ -52,7 +52,7 @@ static inline u32 cfi_get_func_hash(void *func)
 extern u32 cfi_bpf_hash;
 extern u32 cfi_bpf_subprog_hash;
 
-#else /* CONFIG_CFI_CLANG */
+#else /* CONFIG_CFI */
 
 static inline int cfi_get_offset(void) { return 0; }
 static inline u32 cfi_get_func_hash(void *func) { return 0; }
@@ -60,7 +60,7 @@ static inline u32 cfi_get_func_hash(void *func) { return 0; }
 #define cfi_bpf_hash 0U
 #define cfi_bpf_subprog_hash 0U
 
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 #ifdef CONFIG_ARCH_USES_CFI_TRAPS
 bool is_cfi_trap(unsigned long addr);
diff --git a/include/linux/cfi_types.h b/include/linux/cfi_types.h
index 685f7181780f..a86af9bc8bdc 100644
--- a/include/linux/cfi_types.h
+++ b/include/linux/cfi_types.h
@@ -8,7 +8,7 @@
 #ifdef __ASSEMBLY__
 #include <linux/linkage.h>
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 /*
  * Use the __kcfi_typeid_<function> type identifier symbol to
  * annotate indirectly called assembly functions. The compiler emits
@@ -29,12 +29,12 @@
 #define SYM_TYPED_START(name, linkage, align...)	\
 	SYM_TYPED_ENTRY(name, linkage, align)
 
-#else /* CONFIG_CFI_CLANG */
+#else /* CONFIG_CFI */
 
 #define SYM_TYPED_START(name, linkage, align...)	\
 	SYM_START(name, linkage, align)
 
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 #ifndef SYM_TYPED_FUNC_START
 #define SYM_TYPED_FUNC_START(name) 			\
@@ -43,7 +43,7 @@
 
 #else /* __ASSEMBLY__ */
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 #define DEFINE_CFI_TYPE(name, func)						\
 	/*									\
 	 * Force a reference to the function so the compiler generates		\
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 6f04a1d8c720..fb27da2221ee 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -248,7 +248,7 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
 
 #endif /* __KERNEL__ */
 
-#if defined(CONFIG_CFI_CLANG) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
+#if defined(CONFIG_CFI) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
 /*
  * Force a reference to the external symbol so the compiler generates
  * __kcfi_typid.
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index a910f9fa5341..27026752aec8 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -432,7 +432,7 @@ struct ftrace_likely_data {
 # define __noscs
 #endif
 
-#if defined(CONFIG_CFI_CLANG)
+#if defined(CONFIG_CFI)
 # define __nocfi		__attribute__((__no_sanitize__("kcfi")))
 #else
 # define __nocfi
diff --git a/tools/include/linux/cfi_types.h b/tools/include/linux/cfi_types.h
index 6b8713675765..2e098274e45c 100644
--- a/tools/include/linux/cfi_types.h
+++ b/tools/include/linux/cfi_types.h
@@ -8,7 +8,7 @@
 #ifdef __ASSEMBLY__
 #include <linux/linkage.h>
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 /*
  * Use the __kcfi_typeid_<function> type identifier symbol to
  * annotate indirectly called assembly functions. The compiler emits
@@ -29,12 +29,12 @@
 #define SYM_TYPED_START(name, linkage, align...)	\
 	SYM_TYPED_ENTRY(name, linkage, align)
 
-#else /* CONFIG_CFI_CLANG */
+#else /* CONFIG_CFI */
 
 #define SYM_TYPED_START(name, linkage, align...)	\
 	SYM_START(name, linkage, align)
 
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 #ifndef SYM_TYPED_FUNC_START
 #define SYM_TYPED_FUNC_START(name) 			\
diff --git a/tools/perf/util/include/linux/linkage.h b/tools/perf/util/include/linux/linkage.h
index 89979ca23c3f..34e2fdfe7300 100644
--- a/tools/perf/util/include/linux/linkage.h
+++ b/tools/perf/util/include/linux/linkage.h
@@ -120,7 +120,7 @@
 #endif
 
 // In the kernel sources (include/linux/cfi_types.h), this has a different
-// definition when CONFIG_CFI_CLANG is used, for tools/ just use the !clang
+// definition when CONFIG_CFI is used, for tools/ just use the !cfi
 // definition:
 #ifndef SYM_TYPED_START
 #define SYM_TYPED_START(name, linkage, align...)        \
diff --git a/arch/arm/mm/cache-fa.S b/arch/arm/mm/cache-fa.S
index 4a3668b52a2d..e1641799569b 100644
--- a/arch/arm/mm/cache-fa.S
+++ b/arch/arm/mm/cache-fa.S
@@ -112,7 +112,7 @@ SYM_FUNC_END(fa_flush_user_cache_range)
  *	- end	 - virtual end address
  */
 SYM_TYPED_FUNC_START(fa_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	fa_coherent_user_range
 #endif
 SYM_FUNC_END(fa_coherent_kern_range)
diff --git a/arch/arm/mm/cache-v4.S b/arch/arm/mm/cache-v4.S
index 0e94e5193dbd..001d7042bd46 100644
--- a/arch/arm/mm/cache-v4.S
+++ b/arch/arm/mm/cache-v4.S
@@ -104,7 +104,7 @@ SYM_FUNC_END(v4_coherent_user_range)
  *	- size	- region size
  */
 SYM_TYPED_FUNC_START(v4_flush_kern_dcache_area)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v4_dma_flush_range
 #endif
 SYM_FUNC_END(v4_flush_kern_dcache_area)
diff --git a/arch/arm/mm/cache-v4wb.S b/arch/arm/mm/cache-v4wb.S
index ce55a2eef5da..874fe5310f9a 100644
--- a/arch/arm/mm/cache-v4wb.S
+++ b/arch/arm/mm/cache-v4wb.S
@@ -136,7 +136,7 @@ SYM_FUNC_END(v4wb_flush_user_cache_range)
  */
 SYM_TYPED_FUNC_START(v4wb_flush_kern_dcache_area)
 	add	r1, r0, r1
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v4wb_coherent_user_range
 #endif
 SYM_FUNC_END(v4wb_flush_kern_dcache_area)
@@ -152,7 +152,7 @@ SYM_FUNC_END(v4wb_flush_kern_dcache_area)
  *	- end	 - virtual end address
  */
 SYM_TYPED_FUNC_START(v4wb_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v4wb_coherent_user_range
 #endif
 SYM_FUNC_END(v4wb_coherent_kern_range)
diff --git a/arch/arm/mm/cache-v4wt.S b/arch/arm/mm/cache-v4wt.S
index a97dc267b3b0..2ee62e4b2b07 100644
--- a/arch/arm/mm/cache-v4wt.S
+++ b/arch/arm/mm/cache-v4wt.S
@@ -108,7 +108,7 @@ SYM_FUNC_END(v4wt_flush_user_cache_range)
  *	- end	 - virtual end address
  */
 SYM_TYPED_FUNC_START(v4wt_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v4wt_coherent_user_range
 #endif
 SYM_FUNC_END(v4wt_coherent_kern_range)
diff --git a/arch/arm/mm/cache-v6.S b/arch/arm/mm/cache-v6.S
index 9f415476e218..5ceea8965ea1 100644
--- a/arch/arm/mm/cache-v6.S
+++ b/arch/arm/mm/cache-v6.S
@@ -117,7 +117,7 @@ SYM_FUNC_END(v6_flush_user_cache_range)
  *	- the Icache does not read data from the write buffer
  */
 SYM_TYPED_FUNC_START(v6_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v6_coherent_user_range
 #endif
 SYM_FUNC_END(v6_coherent_kern_range)
diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S
index 201ca05436fa..726681fb7d4d 100644
--- a/arch/arm/mm/cache-v7.S
+++ b/arch/arm/mm/cache-v7.S
@@ -261,7 +261,7 @@ SYM_FUNC_END(v7_flush_user_cache_range)
  *	- the Icache does not read data from the write buffer
  */
 SYM_TYPED_FUNC_START(v7_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v7_coherent_user_range
 #endif
 SYM_FUNC_END(v7_coherent_kern_range)
diff --git a/arch/arm/mm/cache-v7m.S b/arch/arm/mm/cache-v7m.S
index 14d719eba729..7f9cfad2ea21 100644
--- a/arch/arm/mm/cache-v7m.S
+++ b/arch/arm/mm/cache-v7m.S
@@ -286,7 +286,7 @@ SYM_FUNC_END(v7m_flush_user_cache_range)
  *	- the Icache does not read data from the write buffer
  */
 SYM_TYPED_FUNC_START(v7m_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	v7m_coherent_user_range
 #endif
 SYM_FUNC_END(v7m_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm1020.S b/arch/arm/mm/proc-arm1020.S
index d0ce3414a13e..4612a4961e81 100644
--- a/arch/arm/mm/proc-arm1020.S
+++ b/arch/arm/mm/proc-arm1020.S
@@ -203,7 +203,7 @@ SYM_FUNC_END(arm1020_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm1020_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm1020_coherent_user_range
 #endif
 SYM_FUNC_END(arm1020_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm1020e.S b/arch/arm/mm/proc-arm1020e.S
index 64f031bf6eff..b4a8a3a8eda3 100644
--- a/arch/arm/mm/proc-arm1020e.S
+++ b/arch/arm/mm/proc-arm1020e.S
@@ -200,7 +200,7 @@ SYM_FUNC_END(arm1020e_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm1020e_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm1020e_coherent_user_range
 #endif
 SYM_FUNC_END(arm1020e_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm1022.S b/arch/arm/mm/proc-arm1022.S
index 42ed5ed07252..709870e99e19 100644
--- a/arch/arm/mm/proc-arm1022.S
+++ b/arch/arm/mm/proc-arm1022.S
@@ -199,7 +199,7 @@ SYM_FUNC_END(arm1022_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm1022_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm1022_coherent_user_range
 #endif
 SYM_FUNC_END(arm1022_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm1026.S b/arch/arm/mm/proc-arm1026.S
index b3ae62cd553a..02f7370a8c5c 100644
--- a/arch/arm/mm/proc-arm1026.S
+++ b/arch/arm/mm/proc-arm1026.S
@@ -194,7 +194,7 @@ SYM_FUNC_END(arm1026_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm1026_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm1026_coherent_user_range
 #endif
 SYM_FUNC_END(arm1026_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm920.S b/arch/arm/mm/proc-arm920.S
index a30df54ad5fa..4727f4b5b6e8 100644
--- a/arch/arm/mm/proc-arm920.S
+++ b/arch/arm/mm/proc-arm920.S
@@ -180,7 +180,7 @@ SYM_FUNC_END(arm920_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm920_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm920_coherent_user_range
 #endif
 SYM_FUNC_END(arm920_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm922.S b/arch/arm/mm/proc-arm922.S
index aac4e048100d..5a4a3f4f2683 100644
--- a/arch/arm/mm/proc-arm922.S
+++ b/arch/arm/mm/proc-arm922.S
@@ -182,7 +182,7 @@ SYM_FUNC_END(arm922_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm922_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm922_coherent_user_range
 #endif
 SYM_FUNC_END(arm922_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm925.S b/arch/arm/mm/proc-arm925.S
index 035941faeb2e..1c4830afe1d3 100644
--- a/arch/arm/mm/proc-arm925.S
+++ b/arch/arm/mm/proc-arm925.S
@@ -229,7 +229,7 @@ SYM_FUNC_END(arm925_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm925_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm925_coherent_user_range
 #endif
 SYM_FUNC_END(arm925_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm926.S b/arch/arm/mm/proc-arm926.S
index 6f43d6af2d9a..a09cc3e02efd 100644
--- a/arch/arm/mm/proc-arm926.S
+++ b/arch/arm/mm/proc-arm926.S
@@ -192,7 +192,7 @@ SYM_FUNC_END(arm926_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm926_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm926_coherent_user_range
 #endif
 SYM_FUNC_END(arm926_coherent_kern_range)
diff --git a/arch/arm/mm/proc-arm940.S b/arch/arm/mm/proc-arm940.S
index 0d30bb25c42b..545c076c36d2 100644
--- a/arch/arm/mm/proc-arm940.S
+++ b/arch/arm/mm/proc-arm940.S
@@ -153,7 +153,7 @@ SYM_FUNC_END(arm940_coherent_kern_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm940_coherent_user_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm940_flush_kern_dcache_area
 #endif
 SYM_FUNC_END(arm940_coherent_user_range)
diff --git a/arch/arm/mm/proc-arm946.S b/arch/arm/mm/proc-arm946.S
index 27750ace2ced..f3d4e18c3fba 100644
--- a/arch/arm/mm/proc-arm946.S
+++ b/arch/arm/mm/proc-arm946.S
@@ -173,7 +173,7 @@ SYM_FUNC_END(arm946_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(arm946_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	arm946_coherent_user_range
 #endif
 SYM_FUNC_END(arm946_coherent_kern_range)
diff --git a/arch/arm/mm/proc-feroceon.S b/arch/arm/mm/proc-feroceon.S
index f67b2ffac854..7f08d06c9625 100644
--- a/arch/arm/mm/proc-feroceon.S
+++ b/arch/arm/mm/proc-feroceon.S
@@ -208,7 +208,7 @@ SYM_FUNC_END(feroceon_flush_user_cache_range)
  */
 	.align	5
 SYM_TYPED_FUNC_START(feroceon_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	feroceon_coherent_user_range
 #endif
 SYM_FUNC_END(feroceon_coherent_kern_range)
diff --git a/arch/arm/mm/proc-mohawk.S b/arch/arm/mm/proc-mohawk.S
index 8e9f38da863a..4669c63e3121 100644
--- a/arch/arm/mm/proc-mohawk.S
+++ b/arch/arm/mm/proc-mohawk.S
@@ -163,7 +163,7 @@ SYM_FUNC_END(mohawk_flush_user_cache_range)
  *	- end	- virtual end address
  */
 SYM_TYPED_FUNC_START(mohawk_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	mohawk_coherent_user_range
 #endif
 SYM_FUNC_END(mohawk_coherent_kern_range)
diff --git a/arch/arm/mm/proc-xsc3.S b/arch/arm/mm/proc-xsc3.S
index 14927b380452..fd25634a2ed5 100644
--- a/arch/arm/mm/proc-xsc3.S
+++ b/arch/arm/mm/proc-xsc3.S
@@ -223,7 +223,7 @@ SYM_FUNC_END(xsc3_flush_user_cache_range)
  *	it also trashes the mini I-cache used by JTAG debuggers.
  */
 SYM_TYPED_FUNC_START(xsc3_coherent_kern_range)
-#ifdef CONFIG_CFI_CLANG /* Fallthrough if !CFI */
+#ifdef CONFIG_CFI /* Fallthrough if !CFI */
 	b	xsc3_coherent_user_range
 #endif
 SYM_FUNC_END(xsc3_coherent_kern_range)
diff --git a/arch/arm/mm/tlb-v4.S b/arch/arm/mm/tlb-v4.S
index 09ff69008d94..079774a02be6 100644
--- a/arch/arm/mm/tlb-v4.S
+++ b/arch/arm/mm/tlb-v4.S
@@ -52,7 +52,7 @@ SYM_FUNC_END(v4_flush_user_tlb_range)
  *	- start - virtual address (may not be aligned)
  *	- end   - virtual address (may not be aligned)
  */
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 SYM_TYPED_FUNC_START(v4_flush_kern_tlb_range)
 	b	.v4_flush_kern_tlb_range
 SYM_FUNC_END(v4_flush_kern_tlb_range)
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index a12efd0f43e8..cd4b34c96e35 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -904,7 +904,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
 	watchpoint_single_step_handler(addr);
 }
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
 {
 	/*
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 110d9ff54174..ebf010443e22 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -212,7 +212,7 @@ static int call_el1_break_hook(struct pt_regs *regs, unsigned long esr)
 	if (esr_brk_comment(esr) == BUG_BRK_IMM)
 		return bug_brk_handler(regs, esr);
 
-	if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr))
+	if (IS_ENABLED(CONFIG_CFI) && esr_is_cfi_brk(esr))
 		return cfi_brk_handler(regs, esr);
 
 	if (esr_brk_comment(esr) == FAULT_BRK_IMM)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index f528b6041f6a..5041817af267 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -1015,7 +1015,7 @@ int bug_brk_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_HANDLED;
 }
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 int cfi_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	unsigned long target;
@@ -1039,7 +1039,7 @@ int cfi_brk_handler(struct pt_regs *regs, unsigned long esr)
 	arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE);
 	return DBG_HOOK_HANDLED;
 }
-#endif /* CONFIG_CFI_CLANG */
+#endif /* CONFIG_CFI */
 
 int reserved_fault_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
index a598072f36d2..8bdb1eed090a 100644
--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -545,7 +545,7 @@ void __noreturn __cold nvhe_hyp_panic_handler(u64 esr, u64 spsr,
 			kvm_err("nVHE hyp BUG at: %s:%u!\n", file, line);
 		else
 			print_nvhe_hyp_panic("BUG", panic_addr);
-	} else if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr)) {
+	} else if (IS_ENABLED(CONFIG_CFI) && esr_is_cfi_brk(esr)) {
 		kvm_nvhe_report_cfi_failure(panic_addr);
 	} else if (IS_ENABLED(CONFIG_UBSAN_KVM_EL2) &&
 		   ESR_ELx_EC(esr) == ESR_ELx_EC_BRK64 &&
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 52ffe115a8c4..28996e0a9b00 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -185,7 +185,7 @@ static inline void emit_bti(u32 insn, struct jit_ctx *ctx)
 
 static inline void emit_kcfi(u32 hash, struct jit_ctx *ctx)
 {
-	if (IS_ENABLED(CONFIG_CFI_CLANG))
+	if (IS_ENABLED(CONFIG_CFI))
 		emit_u32_data(hash, ctx);
 }
 
diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
index 10e01ff06312..24ba546a1c0e 100644
--- a/arch/riscv/net/bpf_jit_comp64.c
+++ b/arch/riscv/net/bpf_jit_comp64.c
@@ -18,7 +18,7 @@
 #define RV_MAX_REG_ARGS 8
 #define RV_FENTRY_NINSNS 2
 #define RV_FENTRY_NBYTES (RV_FENTRY_NINSNS * 4)
-#define RV_KCFI_NINSNS (IS_ENABLED(CONFIG_CFI_CLANG) ? 1 : 0)
+#define RV_KCFI_NINSNS (IS_ENABLED(CONFIG_CFI) ? 1 : 0)
 /* imm that allows emit_imm to emit max count insns */
 #define RV_MAX_COUNT_IMM 0x7FFF7FF7FF7FF7FF
 
@@ -469,7 +469,7 @@ static int emit_call(u64 addr, bool fixed_addr, struct rv_jit_context *ctx)
 
 static inline void emit_kcfi(u32 hash, struct rv_jit_context *ctx)
 {
-	if (IS_ENABLED(CONFIG_CFI_CLANG))
+	if (IS_ENABLED(CONFIG_CFI))
 		emit(hash, ctx);
 }
 
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 5d80ae77c042..197751967ade 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1170,7 +1170,7 @@ void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }
 
 #ifdef CONFIG_CFI_AUTO_DEFAULT
 # define __CFI_DEFAULT CFI_AUTO
-#elif defined(CONFIG_CFI_CLANG)
+#elif defined(CONFIG_CFI)
 # define __CFI_DEFAULT CFI_KCFI
 #else
 # define __CFI_DEFAULT CFI_OFF
@@ -1182,7 +1182,7 @@ enum cfi_mode cfi_mode __ro_after_init = __CFI_DEFAULT;
 bool cfi_bhi __ro_after_init = false;
 #endif
 
-#ifdef CONFIG_CFI_CLANG
+#ifdef CONFIG_CFI
 u32 cfi_get_func_hash(void *func)
 {
 	u32 hash;
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 6079d15dab8c..3863d7709386 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -339,7 +339,7 @@ static bool can_probe(unsigned long paddr)
 	if (is_exception_insn(&insn))
 		return false;
 
-	if (IS_ENABLED(CONFIG_CFI_CLANG)) {
+	if (IS_ENABLED(CONFIG_CFI)) {
 		/*
 		 * The compiler generates the following instruction sequence
 		 * for indirect call checks and cfi.c decodes this;
diff --git a/drivers/misc/lkdtm/cfi.c b/drivers/misc/lkdtm/cfi.c
index 6a33889d0902..c3971f7caa65 100644
--- a/drivers/misc/lkdtm/cfi.c
+++ b/drivers/misc/lkdtm/cfi.c
@@ -43,7 +43,7 @@ static void lkdtm_CFI_FORWARD_PROTO(void)
 	lkdtm_indirect_call((void *)lkdtm_increment_int);
 
 	pr_err("FAIL: survived mismatched prototype function call!\n");
-	pr_expected_config(CONFIG_CFI_CLANG);
+	pr_expected_config(CONFIG_CFI);
 }
 
 /*
diff --git a/kernel/module/tree_lookup.c b/kernel/module/tree_lookup.c
index d3204c5c74eb..f8e8c126705c 100644
--- a/kernel/module/tree_lookup.c
+++ b/kernel/module/tree_lookup.c
@@ -14,7 +14,7 @@
  * Use a latched RB-tree for __module_address(); this allows us to use
  * RCU lookups of the address from any context.
  *
- * This is conditional on PERF_EVENTS || TRACING || CFI_CLANG because those can
+ * This is conditional on PERF_EVENTS || TRACING || CFI because those can
  * really hit __module_address() hard by doing a lot of stack unwinding;
  * potentially from NMI context.
  */
diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config
index 64caaf997fc0..94a3d023e15e 100644
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -94,7 +94,7 @@ CONFIG_SECCOMP_FILTER=y
 CONFIG_SYN_COOKIES=y
 
 # Enable Kernel Control Flow Integrity (currently Clang only).
-CONFIG_CFI_CLANG=y
+CONFIG_CFI=y
 # CONFIG_CFI_PERMISSIVE is not set
 
 # Attack surface reduction: do not autoload TTY line disciplines.
-- 
2.34.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Miguel Ojeda]

On Mon, Aug 25, 2025 at 4:28 PM Kees Cook <kees@kernel.org> wrote:
>
> -config CFI_CLANG
> -       bool "Use Clang's Control Flow Integrity (CFI)"
> -       depends on ARCH_SUPPORTS_CFI_CLANG
> +config CFI
> +       bool "Use Kernel Control Flow Integrity (kCFI)"
> +       depends on ARCH_SUPPORTS_CFI
>         depends on $(cc-option,-fsanitize=kcfi)
>         help

Do we need to do something to make the transition smoother, i.e.
keeping the old one for a while to avoid a new question etc.?

Thanks!

Cheers,
Miguel

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Kees Cook]

On Mon, Aug 25, 2025 at 05:01:13PM +0200, Miguel Ojeda wrote:
> On Mon, Aug 25, 2025 at 4:28 PM Kees Cook <kees@kernel.org> wrote:
> >
> > -config CFI_CLANG
> > -       bool "Use Clang's Control Flow Integrity (CFI)"
> > -       depends on ARCH_SUPPORTS_CFI_CLANG
> > +config CFI
> > +       bool "Use Kernel Control Flow Integrity (kCFI)"
> > +       depends on ARCH_SUPPORTS_CFI
> >         depends on $(cc-option,-fsanitize=kcfi)
> >         help
> 
> Do we need to do something to make the transition smoother, i.e.
> keeping the old one for a while to avoid a new question etc.?

Yeah, that's a good idea. What the right way to do that?

config CFI_CLANG
	bool "Use Clang's Control Flow Integrity (CFI)"
	depends on ARCH_SUPPORTS_CFI
	select CFI

?

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Miguel Ojeda]

On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
>
> Yeah, that's a good idea. What the right way to do that?
>
> config CFI_CLANG
>         bool "Use Clang's Control Flow Integrity (CFI)"
>         depends on ARCH_SUPPORTS_CFI
>         select CFI
>
> ?

I don't recall what is the idiomatic solution for renames, but I
remember Linus talking about this topic and about avoiding losing old
values if possible (perhaps getting a new question in `oldconfig` is
OK as long as the `olddefconfig` respects the old value).

I think your suggestion above will still make it appear twice in
`menuconfig` -- there may be a way to play with visibility to make it
better.

A simple possibility I can think of (assuming it works) is having the
CFI symbol for the time being introduced just as a `def_bool
CFI_CLANG` for a few releases so that people get the new one in their
configs.

Cheers,
Miguel

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Kees Cook]

On August 25, 2025 1:00:22 PM EDT, Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
>On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
>>
>> Yeah, that's a good idea. What the right way to do that?
>>
>> config CFI_CLANG
>>         bool "Use Clang's Control Flow Integrity (CFI)"
>>         depends on ARCH_SUPPORTS_CFI
>>         select CFI
>>
>> ?
>
>I don't recall what is the idiomatic solution for renames, but I
>remember Linus talking about this topic and about avoiding losing old
>values if possible (perhaps getting a new question in `oldconfig` is
>OK as long as the `olddefconfig` respects the old value).
>
>I think your suggestion above will still make it appear twice in
>`menuconfig` -- there may be a way to play with visibility to make it
>better.
>
>A simple possibility I can think of (assuming it works) is having the
>CFI symbol for the time being introduced just as a `def_bool
>CFI_CLANG` for a few releases so that people get the new one in their
>configs.

Ah, I think this works:

config CFI_CLANG
    bool

config CFI
    bool "...."
    default CFI_CLANG

I will add that for v2.

-Kees

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Nathan Chancellor]

On Mon, Aug 25, 2025 at 03:31:34PM -0400, Kees Cook wrote:
> On August 25, 2025 1:00:22 PM EDT, Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
> >On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
> >>
> >> Yeah, that's a good idea. What the right way to do that?
> >>
> >> config CFI_CLANG
> >>         bool "Use Clang's Control Flow Integrity (CFI)"
> >>         depends on ARCH_SUPPORTS_CFI
> >>         select CFI
> >>
> >> ?
> >
> >I don't recall what is the idiomatic solution for renames, but I
> >remember Linus talking about this topic and about avoiding losing old
> >values if possible (perhaps getting a new question in `oldconfig` is
> >OK as long as the `olddefconfig` respects the old value).
> >
> >I think your suggestion above will still make it appear twice in
> >`menuconfig` -- there may be a way to play with visibility to make it
> >better.
> >
> >A simple possibility I can think of (assuming it works) is having the
> >CFI symbol for the time being introduced just as a `def_bool
> >CFI_CLANG` for a few releases so that people get the new one in their
> >configs.
> 
> Ah, I think this works:
> 
> config CFI_CLANG
>     bool
> 
> config CFI
>     bool "...."
>     default CFI_CLANG
> 
> I will add that for v2.

That does not appear to work for me. I applied

diff --git a/arch/Kconfig b/arch/Kconfig
index c25a45d9aa96..0d3ed03c76c2 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -876,8 +876,12 @@ config ARCH_SUPPORTS_CFI
 config ARCH_USES_CFI_TRAPS
        bool

+config CFI_CLANG
+       bool
+
 config CFI
        bool "Use Kernel Control Flow Integrity (kCFI)"
+       default CFI_CLANG
        depends on ARCH_SUPPORTS_CFI
        depends on $(cc-option,-fsanitize=kcfi)
        help

on top of this series and

  CONFIG_CFI_CLANG=y
  # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
  # CONFIG_CFI_PERMISSIVE is not set

gets turned into

  # CONFIG_CFI is not set

after olddefconfig. CONFIG_CFI_CLANG has to be user selectable with a
prompt but the only solution I can think of at the moment results in a
duplicate prompt for Clang.

diff --git a/arch/Kconfig b/arch/Kconfig
index c25a45d9aa96..93bf9b41a9de 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -876,8 +876,17 @@ config ARCH_SUPPORTS_CFI
 config ARCH_USES_CFI_TRAPS
        bool

+config CFI_CLANG
+       bool "Use Kernel Control Flow Integrity (kCFI) - Transitional" if CC_IS_CLANG
+       select CFI
+       depends on ARCH_SUPPORTS_CFI
+       depends on $(cc-option,-fsanitize=kcfi)
+       help
+         This is a transitional symbol to CONFIG_CFI, see its help text
+         for more information.
+
 config CFI
-       bool "Use Kernel Control Flow Integrity (kCFI)"
+       bool "Use Kernel Control Flow Integrity (kCFI)" if CC_IS_GCC
        depends on ARCH_SUPPORTS_CFI
        depends on $(cc-option,-fsanitize=kcfi)
        help

Maybe that does not matter for the sake of keeping things working?
Otherwise, we could just keep things as they are with the patch set and
expect people to actually use oldconfig or diff the results of
olddefconfig (which I think is good practice anyways).

Cheers,
Nathan

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Randy Dunlap]

On 8/26/25 6:34 PM, Nathan Chancellor wrote:
> On Mon, Aug 25, 2025 at 03:31:34PM -0400, Kees Cook wrote:
>> On August 25, 2025 1:00:22 PM EDT, Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
>>> On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
>>>>
>>>> Yeah, that's a good idea. What the right way to do that?
>>>>
>>>> config CFI_CLANG
>>>>         bool "Use Clang's Control Flow Integrity (CFI)"
>>>>         depends on ARCH_SUPPORTS_CFI
>>>>         select CFI
>>>>
>>>> ?
>>>
>>> I don't recall what is the idiomatic solution for renames, but I
>>> remember Linus talking about this topic and about avoiding losing old
>>> values if possible (perhaps getting a new question in `oldconfig` is
>>> OK as long as the `olddefconfig` respects the old value).
>>>
>>> I think your suggestion above will still make it appear twice in
>>> `menuconfig` -- there may be a way to play with visibility to make it
>>> better.
>>>
>>> A simple possibility I can think of (assuming it works) is having the
>>> CFI symbol for the time being introduced just as a `def_bool
>>> CFI_CLANG` for a few releases so that people get the new one in their
>>> configs.
>>
>> Ah, I think this works:
>>
>> config CFI_CLANG
>>     bool
>>
>> config CFI
>>     bool "...."
>>     default CFI_CLANG
>>
>> I will add that for v2.
> 
> That does not appear to work for me. I applied
> 
> diff --git a/arch/Kconfig b/arch/Kconfig
> index c25a45d9aa96..0d3ed03c76c2 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -876,8 +876,12 @@ config ARCH_SUPPORTS_CFI
>  config ARCH_USES_CFI_TRAPS
>         bool
> 
> +config CFI_CLANG
> +       bool
> +
>  config CFI
>         bool "Use Kernel Control Flow Integrity (kCFI)"
> +       default CFI_CLANG
>         depends on ARCH_SUPPORTS_CFI
>         depends on $(cc-option,-fsanitize=kcfi)
>         help
> 
> on top of this series and
> 
>   CONFIG_CFI_CLANG=y
>   # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
>   # CONFIG_CFI_PERMISSIVE is not set
> 
> gets turned into
> 
>   # CONFIG_CFI is not set
> 
> after olddefconfig. CONFIG_CFI_CLANG has to be user selectable with a

Could/did you test with 'oldconfig' instead?

olddefconfig is going to use the default value from the Kconfig file,
which if CFI_CLANG which is undefined/No/Not set.

oldconfig will use the old value from the .config file.



> prompt but the only solution I can think of at the moment results in a
> duplicate prompt for Clang.
> 
> diff --git a/arch/Kconfig b/arch/Kconfig
> index c25a45d9aa96..93bf9b41a9de 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -876,8 +876,17 @@ config ARCH_SUPPORTS_CFI
>  config ARCH_USES_CFI_TRAPS
>         bool
> 
> +config CFI_CLANG
> +       bool "Use Kernel Control Flow Integrity (kCFI) - Transitional" if CC_IS_CLANG
> +       select CFI
> +       depends on ARCH_SUPPORTS_CFI
> +       depends on $(cc-option,-fsanitize=kcfi)
> +       help
> +         This is a transitional symbol to CONFIG_CFI, see its help text
> +         for more information.
> +
>  config CFI
> -       bool "Use Kernel Control Flow Integrity (kCFI)"
> +       bool "Use Kernel Control Flow Integrity (kCFI)" if CC_IS_GCC
>         depends on ARCH_SUPPORTS_CFI
>         depends on $(cc-option,-fsanitize=kcfi)
>         help
> 
> Maybe that does not matter for the sake of keeping things working?
> Otherwise, we could just keep things as they are with the patch set and
> expect people to actually use oldconfig or diff the results of
> olddefconfig (which I think is good practice anyways).
> 
> Cheers,
> Nathan
> 

-- 
~Randy


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Nathan Chancellor]

On Wed, Aug 27, 2025 at 12:35:12AM -0700, Randy Dunlap wrote:
> On 8/26/25 6:34 PM, Nathan Chancellor wrote:
> > On Mon, Aug 25, 2025 at 03:31:34PM -0400, Kees Cook wrote:
> >> On August 25, 2025 1:00:22 PM EDT, Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
> >>> On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
> >>>>
> >>>> Yeah, that's a good idea. What the right way to do that?
> >>>>
> >>>> config CFI_CLANG
> >>>>         bool "Use Clang's Control Flow Integrity (CFI)"
> >>>>         depends on ARCH_SUPPORTS_CFI
> >>>>         select CFI
> >>>>
> >>>> ?
> >>>
> >>> I don't recall what is the idiomatic solution for renames, but I
> >>> remember Linus talking about this topic and about avoiding losing old
> >>> values if possible (perhaps getting a new question in `oldconfig` is
> >>> OK as long as the `olddefconfig` respects the old value).
> >>>
> >>> I think your suggestion above will still make it appear twice in
> >>> `menuconfig` -- there may be a way to play with visibility to make it
> >>> better.
> >>>
> >>> A simple possibility I can think of (assuming it works) is having the
> >>> CFI symbol for the time being introduced just as a `def_bool
> >>> CFI_CLANG` for a few releases so that people get the new one in their
> >>> configs.
> >>
> >> Ah, I think this works:
> >>
> >> config CFI_CLANG
> >>     bool
> >>
> >> config CFI
> >>     bool "...."
> >>     default CFI_CLANG
> >>
> >> I will add that for v2.
> > 
> > That does not appear to work for me. I applied
> > 
> > diff --git a/arch/Kconfig b/arch/Kconfig
> > index c25a45d9aa96..0d3ed03c76c2 100644
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -876,8 +876,12 @@ config ARCH_SUPPORTS_CFI
> >  config ARCH_USES_CFI_TRAPS
> >         bool
> > 
> > +config CFI_CLANG
> > +       bool
> > +
> >  config CFI
> >         bool "Use Kernel Control Flow Integrity (kCFI)"
> > +       default CFI_CLANG
> >         depends on ARCH_SUPPORTS_CFI
> >         depends on $(cc-option,-fsanitize=kcfi)
> >         help
> > 
> > on top of this series and
> > 
> >   CONFIG_CFI_CLANG=y
> >   # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
> >   # CONFIG_CFI_PERMISSIVE is not set
> > 
> > gets turned into
> > 
> >   # CONFIG_CFI is not set
> > 
> > after olddefconfig. CONFIG_CFI_CLANG has to be user selectable with a
> 
> Could/did you test with 'oldconfig' instead?
> 
> olddefconfig is going to use the default value from the Kconfig file,
> which if CFI_CLANG which is undefined/No/Not set.
> 
> oldconfig will use the old value from the .config file.

I am not sure I understand what you mean here. With the series as it is
or Kees's suggested fix, oldconfig still prompts the user to enable
CONFIG_CFI with CONFIG_CFI_CLANG=y in the old configuration. Both Miguel
and I allude to that being fine but it would be really nice if users
with CONFIG_CFI_CLANG=y were automatically transitioned to CONFIG_CFI=y
without any action on their part. That seems to be in line with how
Linus feels even as recently as this past merge window:

https://lore.kernel.org/CAHk-=wgO0Rx2LcYT4f75Xs46orbJ4JxO2jbAFQnVKDYAjV5HeQ@mail.gmail.com/

Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
selectable symbol and making CONFIG_CFI the hidden symbol that both
compiler symbols select. After a couple of releases (or maybe the next
LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
CONFIG_CFI becoming user selectable, which would keep things working
since CONFIG_CFI=y will be present in the previous configuration.

Maybe it is not worth optimizing for this situation. I personally check
my configurations into git so that it is easy to deal with losing
things, as I have had my networking broken several times by new symbols
and dependencies that do not get handled well with olddefconfig.

> > prompt but the only solution I can think of at the moment results in a
> > duplicate prompt for Clang.
> > 
> > diff --git a/arch/Kconfig b/arch/Kconfig
> > index c25a45d9aa96..93bf9b41a9de 100644
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -876,8 +876,17 @@ config ARCH_SUPPORTS_CFI
> >  config ARCH_USES_CFI_TRAPS
> >         bool
> > 
> > +config CFI_CLANG
> > +       bool "Use Kernel Control Flow Integrity (kCFI) - Transitional" if CC_IS_CLANG
> > +       select CFI
> > +       depends on ARCH_SUPPORTS_CFI
> > +       depends on $(cc-option,-fsanitize=kcfi)
> > +       help
> > +         This is a transitional symbol to CONFIG_CFI, see its help text
> > +         for more information.
> > +
> >  config CFI
> > -       bool "Use Kernel Control Flow Integrity (kCFI)"
> > +       bool "Use Kernel Control Flow Integrity (kCFI)" if CC_IS_GCC
> >         depends on ARCH_SUPPORTS_CFI
> >         depends on $(cc-option,-fsanitize=kcfi)
> >         help
> > 
> > Maybe that does not matter for the sake of keeping things working?
> > Otherwise, we could just keep things as they are with the patch set and
> > expect people to actually use oldconfig or diff the results of
> > olddefconfig (which I think is good practice anyways).
> > 
> > Cheers,
> > Nathan
> > 
> 
> -- 
> ~Randy
> 

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Randy Dunlap]

On 8/27/25 12:38 PM, Nathan Chancellor wrote:
> On Wed, Aug 27, 2025 at 12:35:12AM -0700, Randy Dunlap wrote:
>> On 8/26/25 6:34 PM, Nathan Chancellor wrote:
>>> On Mon, Aug 25, 2025 at 03:31:34PM -0400, Kees Cook wrote:
>>>> On August 25, 2025 1:00:22 PM EDT, Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
>>>>> On Mon, Aug 25, 2025 at 5:35 PM Kees Cook <kees@kernel.org> wrote:
>>>>>>
>>>>>> Yeah, that's a good idea. What the right way to do that?
>>>>>>
>>>>>> config CFI_CLANG
>>>>>>         bool "Use Clang's Control Flow Integrity (CFI)"
>>>>>>         depends on ARCH_SUPPORTS_CFI
>>>>>>         select CFI
>>>>>>
>>>>>> ?
>>>>>
>>>>> I don't recall what is the idiomatic solution for renames, but I
>>>>> remember Linus talking about this topic and about avoiding losing old
>>>>> values if possible (perhaps getting a new question in `oldconfig` is
>>>>> OK as long as the `olddefconfig` respects the old value).
>>>>>
>>>>> I think your suggestion above will still make it appear twice in
>>>>> `menuconfig` -- there may be a way to play with visibility to make it
>>>>> better.
>>>>>
>>>>> A simple possibility I can think of (assuming it works) is having the
>>>>> CFI symbol for the time being introduced just as a `def_bool
>>>>> CFI_CLANG` for a few releases so that people get the new one in their
>>>>> configs.
>>>>
>>>> Ah, I think this works:
>>>>
>>>> config CFI_CLANG
>>>>     bool
>>>>
>>>> config CFI
>>>>     bool "...."
>>>>     default CFI_CLANG
>>>>
>>>> I will add that for v2.
>>>
>>> That does not appear to work for me. I applied
>>>
>>> diff --git a/arch/Kconfig b/arch/Kconfig
>>> index c25a45d9aa96..0d3ed03c76c2 100644
>>> --- a/arch/Kconfig
>>> +++ b/arch/Kconfig
>>> @@ -876,8 +876,12 @@ config ARCH_SUPPORTS_CFI
>>>  config ARCH_USES_CFI_TRAPS
>>>         bool
>>>
>>> +config CFI_CLANG
>>> +       bool
>>> +
>>>  config CFI
>>>         bool "Use Kernel Control Flow Integrity (kCFI)"
>>> +       default CFI_CLANG
>>>         depends on ARCH_SUPPORTS_CFI
>>>         depends on $(cc-option,-fsanitize=kcfi)
>>>         help
>>>
>>> on top of this series and
>>>
>>>   CONFIG_CFI_CLANG=y
>>>   # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
>>>   # CONFIG_CFI_PERMISSIVE is not set
>>>
>>> gets turned into
>>>
>>>   # CONFIG_CFI is not set
>>>
>>> after olddefconfig. CONFIG_CFI_CLANG has to be user selectable with a
>>
>> Could/did you test with 'oldconfig' instead?
>>
>> olddefconfig is going to use the default value from the Kconfig file,
>> which if CFI_CLANG which is undefined/No/Not set.
>>
>> oldconfig will use the old value from the .config file.
> 
> I am not sure I understand what you mean here. With the series as it is
> or Kees's suggested fix, oldconfig still prompts the user to enable

OK, I don't know the state of the CFI_CLANG / CLANG patch(es).

I just mean the difference in 'make oldconfig' and 'make olddefconfig'
(at least AIUI).


> CONFIG_CFI with CONFIG_CFI_CLANG=y in the old configuration. Both Miguel
> and I allude to that being fine but it would be really nice if users
> with CONFIG_CFI_CLANG=y were automatically transitioned to CONFIG_CFI=y
> without any action on their part. That seems to be in line with how

Yes, I agree.

> Linus feels even as recently as this past merge window:
> 
> https://lore.kernel.org/CAHk-=wgO0Rx2LcYT4f75Xs46orbJ4JxO2jbAFQnVKDYAjV5HeQ@mail.gmail.com/
> 
> Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
> selectable symbol and making CONFIG_CFI the hidden symbol that both
> compiler symbols select. After a couple of releases (or maybe the next
> LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
> CONFIG_CFI becoming user selectable, which would keep things working
> since CONFIG_CFI=y will be present in the previous configuration.


-- 
~Randy


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Miguel Ojeda]

On Wed, Aug 27, 2025 at 9:38 PM Nathan Chancellor <nathan@kernel.org> wrote:
>
> I am not sure I understand what you mean here. With the series as it is
> or Kees's suggested fix, oldconfig still prompts the user to enable
> CONFIG_CFI with CONFIG_CFI_CLANG=y in the old configuration. Both Miguel
> and I allude to that being fine but it would be really nice if users
> with CONFIG_CFI_CLANG=y were automatically transitioned to CONFIG_CFI=y
> without any action on their part. That seems to be in line with how
> Linus feels even as recently as this past merge window:
>
> https://lore.kernel.org/CAHk-=wgO0Rx2LcYT4f75Xs46orbJ4JxO2jbAFQnVKDYAjV5HeQ@mail.gmail.com/

Yeah, I think for pure renames one we should try to avoid churn if possible.

> Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
> selectable symbol and making CONFIG_CFI the hidden symbol that both
> compiler symbols select. After a couple of releases (or maybe the next
> LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
> CONFIG_CFI becoming user selectable, which would keep things working
> since CONFIG_CFI=y will be present in the previous configuration.

If we are OK with something like this (i.e. waiting a few releases),
then isn't it simpler the `def_bool` approach I mentioned? i.e. it
means one less symbol and one less rename later, right?

Cheers,
Miguel

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Nathan Chancellor]

On Thu, Aug 28, 2025 at 02:11:51PM +0200, Miguel Ojeda wrote:
> On Wed, Aug 27, 2025 at 9:38 PM Nathan Chancellor <nathan@kernel.org> wrote:
> > Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
> > selectable symbol and making CONFIG_CFI the hidden symbol that both
> > compiler symbols select. After a couple of releases (or maybe the next
> > LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
> > CONFIG_CFI becoming user selectable, which would keep things working
> > since CONFIG_CFI=y will be present in the previous configuration.
> 
> If we are OK with something like this (i.e. waiting a few releases),
> then isn't it simpler the `def_bool` approach I mentioned? i.e. it
> means one less symbol and one less rename later, right?

Ah yes, I reread your suggestion and that would probably be the best
course of action, as it does avoid the extra symbol (although I am not
sure what you mean by one less rename?). As I understand it:

  config CFI_CLANG
      bool "Use Kernel Control Flow Integrity (kCFI)"
      depends on ARCH_SUPPORTS_CFI
      depends on $(cc-option,-fsanitize=kcfi)
      help
        <generic help text>

  config CFI
      def_bool CFI_CLANG

then keep the rest of the change the same with the rename? I guess the
CLANG in the symbol name could be confusing for some people but thinking
about the timeline more, kCFI would not ship until GCC 16 in the spring
of 2026, which would be after the Linux LTS release at the end of 2025.
That means we could easily drop CONFIG_CFI_CLANG in the first release of
2026 so that compatible GCC users should only ever see CONFIG_CFI from
mainline. They could see CONFIG_CFI_CLANG in the LTS release but at
least it would work.

Cheers,
Nathan

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Kees Cook]

On August 28, 2025 4:19:15 PM EDT, Nathan Chancellor <nathan@kernel.org> wrote:
>On Thu, Aug 28, 2025 at 02:11:51PM +0200, Miguel Ojeda wrote:
>> On Wed, Aug 27, 2025 at 9:38 PM Nathan Chancellor <nathan@kernel.org> wrote:
>> > Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
>> > selectable symbol and making CONFIG_CFI the hidden symbol that both
>> > compiler symbols select. After a couple of releases (or maybe the next
>> > LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
>> > CONFIG_CFI becoming user selectable, which would keep things working
>> > since CONFIG_CFI=y will be present in the previous configuration.
>> 
>> If we are OK with something like this (i.e. waiting a few releases),
>> then isn't it simpler the `def_bool` approach I mentioned? i.e. it
>> means one less symbol and one less rename later, right?
>
>Ah yes, I reread your suggestion and that would probably be the best
>course of action, as it does avoid the extra symbol (although I am not
>sure what you mean by one less rename?). As I understand it:
>
>  config CFI_CLANG
>      bool "Use Kernel Control Flow Integrity (kCFI)"
>      depends on ARCH_SUPPORTS_CFI
>      depends on $(cc-option,-fsanitize=kcfi)
>      help
>        <generic help text>
>
>  config CFI
>      def_bool CFI_CLANG

Oh! Keep CFI_CLANG the visible option? Will the later rename work right? I'll give it a try.

-Kees

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Nathan Chancellor]

On Thu, Aug 28, 2025 at 04:32:16PM -0400, Kees Cook wrote:
> On August 28, 2025 4:19:15 PM EDT, Nathan Chancellor <nathan@kernel.org> wrote:
> >On Thu, Aug 28, 2025 at 02:11:51PM +0200, Miguel Ojeda wrote:
> >> On Wed, Aug 27, 2025 at 9:38 PM Nathan Chancellor <nathan@kernel.org> wrote:
> >> > Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user
> >> > selectable symbol and making CONFIG_CFI the hidden symbol that both
> >> > compiler symbols select. After a couple of releases (or maybe the next
> >> > LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with
> >> > CONFIG_CFI becoming user selectable, which would keep things working
> >> > since CONFIG_CFI=y will be present in the previous configuration.
> >> 
> >> If we are OK with something like this (i.e. waiting a few releases),
> >> then isn't it simpler the `def_bool` approach I mentioned? i.e. it
> >> means one less symbol and one less rename later, right?
> >
> >Ah yes, I reread your suggestion and that would probably be the best
> >course of action, as it does avoid the extra symbol (although I am not
> >sure what you mean by one less rename?). As I understand it:
> >
> >  config CFI_CLANG
> >      bool "Use Kernel Control Flow Integrity (kCFI)"
> >      depends on ARCH_SUPPORTS_CFI
> >      depends on $(cc-option,-fsanitize=kcfi)
> >      help
> >        <generic help text>
> >
> >  config CFI
> >      def_bool CFI_CLANG
> 
> Oh! Keep CFI_CLANG the visible option? Will the later rename work right? I'll give it a try.

It should, as long as people are at least upgrading LTS releases
continuously. In theory, there could be people who upgrade with a
configuration that has CONFIG_CFI_CLANG=y to a release after the rename
to CONFIG_CFI happens but at that point, I would expect them to need to
diff their configuration to make sure other items did not go missing or
change since they are going across many months/releases when upgrading.
I think doing it this way is a healthy balance of not breaking the
people who upgrade their kernels yearly (via LTS) or every stable
release while allowing the code as a whole to become more generic in the
meantime.

Folks who have CONFIG_CFI_CLANG=y in defconfigs like Android should
notice it disappearing and be able to figure out that it got renamed and
adjust, since they already have to do that for other symbols.

Cheers,
Nathan

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Miguel Ojeda]

On Thu, Aug 28, 2025 at 10:32 PM Kees Cook <kees@kernel.org> wrote:
>
> Oh! Keep CFI_CLANG the visible option? Will the later rename work right? I'll give it a try.

Yeah -- whenever we want, we can move everything to the CFI one, and
hopefully many users that enabled it will not see the prompt since
they will already have the value there already.

Kconfig doesn't save the unset value in this case, so some users will
still see the prompt. Which I guess is good for the GCC users, since
for them it is a new possibility after all, that they should consider.

I didn't really test it thoroughly though. Caveat emptor and all that...

Cheers,
Miguel

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Miguel Ojeda]

On Thu, Aug 28, 2025 at 10:19 PM Nathan Chancellor <nathan@kernel.org> wrote:
>
> Ah yes, I reread your suggestion and that would probably be the best
> course of action, as it does avoid the extra symbol (although I am not
> sure what you mean by one less rename?). As I understand it:
>
>   config CFI_CLANG
>       bool "Use Kernel Control Flow Integrity (kCFI)"
>       depends on ARCH_SUPPORTS_CFI
>       depends on $(cc-option,-fsanitize=kcfi)
>       help
>         <generic help text>
>
>   config CFI
>       def_bool CFI_CLANG
>
> then keep the rest of the change the same with the rename? I guess the

Yeah, exactly. The name isn't great, though, as you mention, if users
with GCC see it early on.

By one less rename I just meant that we wouldn't have both CFI_GCC and
CFI_CLANG "moved"/"merged" into CFI later on (just 1).

Cheers,
Miguel

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Jeff Johnson]

On 8/25/2025 7:25 AM, Kees Cook wrote:
...
> -config ARCH_SUPPORTS_CFI_CLANG
> +config ARCH_SUPPORTS_CFI
>  	bool
>  	help
>  	  An architecture should select this option if it can support Clang's

nit: Do you want to replace the mention of Clang in the help text?



_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 5/5] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

[Linus Walleij]

On Mon, Aug 25, 2025 at 4:26 PM Kees Cook <kees@kernel.org> wrote:

> From: Kees Cook <kees@outflux.net>
>
> The kernel's CFI implementation uses the KCFI ABI specifically, and is
> not strictly tied to a particular compiler. In preparation for GCC
> supporting KCFI[1], rename CONFIG_CFI_CLANG to CONFIG_CFI (along with
> associated options).
>
> Link: https://lore.kernel.org/linux-hardening/20250821064202.work.893-kees@kernel.org [1]
> Signed-off-by: Kees Cook <kees@outflux.net>
> ---
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Linus Walleij <linus.walleij@linaro.org>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Puranjay Mohan <puranjay@kernel.org>

Yeah that was not a good neutral name to begin with.
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>

I don't know about all that fuzz with providing the old symbol.
Seems complex. Folks anyway have to go over their config
symbols with every new kernel. But if people insist. I'm fine
either way.

Yours,
Linus Walleij

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv