| Message ID | 20250913231256.make.519-kees@kernel.org |
|---|---|
| Headers | From: Kees Cook <kees@kernel.org>; To: Qing Zhao <qing.zhao@oracle.com>; Cc: gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org; Subject: [PATCH v3 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]; Date: Sat, 13 Sep 2025 16:23:56 -0700 |
| Series | Introduce Kernel Control Flow Integrity ABI [PR107048] |
Message
Kees Cook
Sept. 13, 2025, 11:23 p.m. UTC
Hi!

Here is v3, which has continued to evolve a lot from v2[1].

This series implements[2][3] the Linux Kernel Control Flow Integrity ABI, which provides a function prototype based forward edge control flow integrity protection by instrumenting every indirect call to check for a hash value before the target function address. If the hash at the call site and the hash at the target do not match, execution will trap.

Changes since v2:

- Refactored mangling to provide actual builtins, making it SO much easier to test. This is good not just for KCFI but also for coming type-aware allocators that need to have a stable value (32-bit hash) to represent C types.
- Consolidated DECL vs TYPE attributes for KCFI type_id, allowing for the removal of all the GIMPLE type wrapping and the GIMPLE passes entirely.
- Tightened testsuite to be much more target and option aware.
- Support nocf_check to disable preamble generation.
- Passes contrib/check_GNU_style.py (with some clear exceptions).
- Added more documentation.
- General cleanups and comment clarifications.

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250905001157.it.269-kees@kernel.org/
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[3] https://github.com/KSPP/linux/issues/369

Kees Cook (7):
  typeinfo: Introduce KCFI typeinfo mangling API
  kcfi: Add core Kernel Control Flow Integrity infrastructure
  x86: Add x86_64 Kernel Control Flow Integrity implementation
  aarch64: Add AArch64 Kernel Control Flow Integrity implementation
  arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
  riscv: Add RISC-V Kernel Control Flow Integrity implementation
  kcfi: Add regression test suite

 gcc/kcfi.h | 52 ++
 gcc/kcfi.cc | 601 ++++++++++++++++++
 gcc/Makefile.in | 2 +
 gcc/c-family/c-common.h | 1 +
 gcc/config/aarch64/aarch64-protos.h | 5 +
 gcc/config/arm/arm-protos.h | 4 +
 gcc/config/i386/i386-protos.h | 1 +
 gcc/config/i386/i386.h | 3 +-
 gcc/config/riscv/riscv-protos.h | 3 +
 gcc/flag-types.h | 2 +
 gcc/gimple.h | 22 +
 gcc/kcfi-typeinfo.h | 32 +
 gcc/tree-pass.h | 1 +
 .../gcc.dg/builtin-typeinfo-errors.c | 28 +
 gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 ++++++++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 72 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 108 ++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 84 +++
 .../gcc.dg/kcfi/kcfi-cold-partition.c | 136 ++++
 .../gcc.dg/kcfi/kcfi-complex-addressing.c | 135 ++++
 .../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
 .../gcc.dg/kcfi/kcfi-move-preservation.c | 55 ++
 .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 ++
 .../gcc.dg/kcfi/kcfi-offset-validation.c | 48 ++
 .../gcc.dg/kcfi/kcfi-patchable-basic.c | 70 ++
 .../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 62 ++
 .../gcc.dg/kcfi/kcfi-patchable-large.c | 51 ++
 .../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
 .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 60 ++
 .../gcc.dg/kcfi/kcfi-pic-addressing.c | 104 +++
 .../gcc.dg/kcfi/kcfi-retpoline-r11.c | 50 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 151 +++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 142 +++++
 .../gcc.dg/kcfi/kcfi-trap-encoding.c | 54 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 41 ++
 gcc/c-family/c-attribs.cc | 17 +-
 gcc/c-family/c-common.cc | 2 +
 gcc/c/c-parser.cc | 72 +++
 gcc/config/aarch64/aarch64.cc | 116 ++++
 gcc/config/aarch64/aarch64.md | 64 +-
 gcc/config/arm/arm.cc | 146 +++++
 gcc/config/arm/arm.md | 62 ++
 gcc/config/i386/i386-expand.cc | 22 +-
 gcc/config/i386/i386.cc | 130 ++++
 gcc/config/i386/i386.md | 62 +-
 gcc/config/riscv/riscv.cc | 159 +++++
 gcc/config/riscv/riscv.md | 76 ++-
 gcc/df-scan.cc | 7 +
 gcc/doc/extend.texi | 132 ++++
 gcc/doc/invoke.texi | 100 +++
 gcc/doc/tm.texi | 31 +
 gcc/doc/tm.texi.in | 12 +
 gcc/final.cc | 3 +
 gcc/kcfi-typeinfo.cc | 475 ++++++++++++++
 gcc/opts.cc | 1 +
 gcc/passes.cc | 1 +
 gcc/passes.def | 1 +
 gcc/rtl.def | 6 +
 gcc/rtlanal.cc | 5 +
 gcc/target.def | 38 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 64 ++
 gcc/toplev.cc | 10 +
 gcc/tree-inline.cc | 10 +
 gcc/varasm.cc | 37 +-
 65 files changed, 4611 insertions(+), 33 deletions(-)
 create mode 100644 gcc/kcfi.h
 create mode 100644 gcc/kcfi.cc
 create mode 100644 gcc/kcfi-typeinfo.h
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-basic.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-pic-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-retpoline-r11.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
 create mode 100644 gcc/kcfi-typeinfo.cc
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
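
The call-site check the cover letter describes, modelled in portable C as an added example (it is not code from the patch series). Assumptions: FNV-1a over a prototype string stands in for the series' 32-bit type hash, and `struct kcfi_fn`, `make_fn` and `call_int_int` are hypothetical names; a real build keeps the hash in the bytes before the function entry and executes a trap instruction on mismatch.

```c
#include <stdint.h>
#include <stdio.h>

enum { KCFI_OK = 0, KCFI_TRAP = -1 };

/* Stand-in 32-bit type hash: FNV-1a over a prototype string (assumption;
   the series' real mangling and hash are not shown in the cover letter). */
static uint32_t type_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++)
        h = (h ^ (uint8_t)*proto) * 16777619u;
    return h;
}

/* Model of an instrumented function: the type hash travels with the entry
   point, so a caller can read it from the target before jumping. */
struct kcfi_fn { uint32_t type_id; void (*entry)(void); };

static int calls_run;                      /* counts targets that really ran */
static int add_one(int x) { calls_run++; return x + 1; }
static int negate(int x) { calls_run++; return -x; }
static void wipe(char *p) { calls_run++; p[0] = 0; }

static struct kcfi_fn make_fn(void (*entry)(void), const char *proto)
{
    struct kcfi_fn f = { type_hash(proto), entry };
    return f;
}

/* Indirect call site typed int (*)(int): compare the hash expected here
   with the one stored at the target before transferring control. */
static int call_int_int(const struct kcfi_fn *target, int arg, int *out)
{
    if (target->type_id != type_hash("int(int)"))
        return KCFI_TRAP;                  /* real KCFI traps here */
    *out = ((int (*)(int))target->entry)(arg);
    return KCFI_OK;
}

int main(void)
{
    struct kcfi_fn ok = make_fn((void (*)(void))add_one, "int(int)");
    struct kcfi_fn same = make_fn((void (*)(void))negate, "int(int)");
    struct kcfi_fn bad = make_fn((void (*)(void))wipe, "void(char*)");
    int out = 0;
    printf("add_one=%d negate=%d wipe=%d\n", call_int_int(&ok, 41, &out),
           call_int_int(&same, 41, &out), call_int_int(&bad, 41, &out));
    return 0;
}
```

`negate` passes the check because it shares the `int(int)` prototype: the scheme narrows indirect-call targets to functions of the matching type rather than to one specific function.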