Message-ID: <875xaei2u4.fsf@gentoo.org>
Date: Wed, 10 Dec 2025 18:55:31 +0000
From: Sam James <sam@...too.org>
To: Kees Cook <kees@...nel.org>
Cc: Qing Zhao <qing.zhao@...cle.com>, Uros Bizjak <ubizjak@...il.com>,
Joseph Myers <josmyers@...hat.com>, Richard Biener <rguenther@...e.de>,
Jeff Law <jeffreyalaw@...il.com>, Andrew Pinski <pinskia@...il.com>,
Jakub Jelinek <jakub@...hat.com>, Martin Uecker <uecker@...raz.at>,
Peter Zijlstra <peterz@...radead.org>, Ard Biesheuvel <ardb@...nel.org>,
Jan Hubicka <hubicka@....cz>, Richard Earnshaw
<richard.earnshaw@....com>, Richard Sandiford
<richard.sandiford@....com>, Marcus Shawcroft <marcus.shawcroft@....com>,
Kyrylo Tkachov <kyrylo.tkachov@....com>, Kito Cheng
<kito.cheng@...il.com>, Palmer Dabbelt <palmer@...belt.com>, Andrew
Waterman <andrew@...ive.com>, Jim Wilson <jim.wilson.gcc@...il.com>, Dan
Li <ashimida.1990@...il.com>, Sami Tolvanen <samitolvanen@...gle.com>,
Ramon de C Valle <rcvalle@...gle.com>, Joao Moreira
<joao@...rdrivepizza.com>, Nathan Chancellor <nathan@...nel.org>, Bill
Wendling <morbo@...gle.com>, "Osterlund, Sebastian"
<sebastian.osterlund@...el.com>, "Constable, Scott D"
<scott.d.constable@...el.com>, gcc-patches@....gnu.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v9 0/7] Introduce Kernel Control Flow Integrity ABI
[PR107048]

Kees Cook <kees@...nel.org> writes:

> Hi,
>
> This series implements[1][2] the Linux Kernel Control Flow Integrity
> ABI, which provides a function prototype based forward edge control flow
> integrity protection by instrumenting every indirect call to check for
> a hash value before the target function address. If the hash at the call
> site and the hash at the target do not match, execution will trap.
>
> I'm hoping we can land front- and middle-end and do architectures as
> they also pass review. What do folks think? I'd really like to get this
> in a position where more people can test with GCC snapshots, etc.

What's the status of this on the kernel side? Could you link me to
patches so I can have a play?

Thank you for working on this. We get a lot of requests for it and
pressure to build the kernel with Clang for this feature.

>
> Thanks!
>
> -Kees
>
> Changes since v8[3], addressing Andrew's feedback:
>
> - Split out aarch64 indirect branch logic into separate patch[4].
> - Simplify aarch64 asm output.
> - Clarify BTI interaction (it's safe) in commit log.
> - Move kcfi compatibility checking into hook logic instead of overrides
> in aarch64, i386, and riscv.
>
> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
> [2] https://github.com/KSPP/linux/issues/369
> [3] https://lore.kernel.org/linux-hardening/20251120222105.us.687-kees@kernel.org/
> [4] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=59a5fecfb260456dd60be687491717f3dbdb354f
>
> Kees Cook (7):
> typeinfo: Introduce KCFI typeinfo mangling API
> kcfi: Add core Kernel Control Flow Integrity infrastructure
> kcfi: Add regression test suite
> x86: Add x86_64 Kernel Control Flow Integrity implementation
> aarch64: Add AArch64 Kernel Control Flow Integrity implementation
> arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
> riscv: Add RISC-V Kernel Control Flow Integrity implementation
>
> gcc/kcfi.h | 59 ++
> gcc/kcfi.cc | 696 ++++++++++++++++++
> gcc/config/aarch64/aarch64-protos.h | 4 +
> gcc/config/arm/arm-protos.h | 4 +
> gcc/config/i386/i386-protos.h | 2 +-
> gcc/config/i386/i386.h | 3 +-
> gcc/config/riscv/riscv-protos.h | 3 +
> gcc/config/aarch64/aarch64.md | 56 ++
> gcc/config/arm/arm.md | 62 ++
> gcc/config/i386/i386.md | 63 +-
> gcc/config/riscv/riscv.md | 76 +-
> gcc/config/aarch64/aarch64.cc | 93 +++
> gcc/config/arm/arm.cc | 170 +++++
> gcc/config/i386/i386-expand.cc | 22 +-
> gcc/config/i386/i386.cc | 210 +++++-
> gcc/config/riscv/riscv.cc | 180 +++++
> gcc/doc/extend.texi | 137 ++++
> gcc/doc/invoke.texi | 127 ++++
> gcc/doc/tm.texi | 32 +
> gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 51 ++
> gcc/testsuite/lib/target-supports.exp | 14 +
> .../gcc.dg/builtin-typeinfo-errors.c | 28 +
> gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 +++++++++
> .../gcc.dg/kcfi/kcfi-aarch64-ilp32.c | 7 +
> gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 114 +++
> gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c | 15 +
> .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c | 15 +
> gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 149 ++++
> gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 90 +++
> .../gcc.dg/kcfi/kcfi-cold-partition.c | 126 ++++
> .../gcc.dg/kcfi/kcfi-complex-addressing.c | 203 +++++
> .../gcc.dg/kcfi/kcfi-complex-addressing.s | 0
> .../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
> .../gcc.dg/kcfi/kcfi-move-preservation.c | 118 +++
> .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++
> gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 +
> .../gcc.dg/kcfi/kcfi-offset-validation.c | 38 +
> .../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 64 ++
> .../gcc.dg/kcfi/kcfi-patchable-incompatible.c | 7 +
> .../gcc.dg/kcfi/kcfi-patchable-large.c | 54 ++
> .../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
> .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 61 ++
> gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c | 7 +
> .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c | 7 +
> .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c | 7 +
> .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c | 7 +
> gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 276 +++++++
> gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 140 ++++
> .../gcc.dg/kcfi/kcfi-trap-encoding.c | 69 ++
> gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 29 +
> gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c | 7 +
> gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c | 93 +++
> .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c | 7 +
> .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c | 7 +
> .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c | 40 +
> gcc/Makefile.in | 2 +
> gcc/c-family/c-common.h | 1 +
> gcc/flag-types.h | 2 +
> gcc/gimple.h | 22 +
> gcc/kcfi-typeinfo.h | 32 +
> gcc/tree-pass.h | 1 +
> gcc/c-family/c-attribs.cc | 17 +-
> gcc/c-family/c-common.cc | 2 +
> gcc/c/c-parser.cc | 72 ++
> gcc/common.opt | 8 +
> gcc/df-scan.cc | 7 +
> gcc/doc/tm.texi.in | 12 +
> gcc/final.cc | 3 +
> gcc/kcfi-typeinfo.cc | 516 +++++++++++++
> gcc/opts.cc | 2 +
> gcc/passes.cc | 1 +
> gcc/passes.def | 1 +
> gcc/rtl.def | 6 +
> gcc/rtlanal.cc | 5 +
> gcc/target.def | 39 +
> gcc/toplev.cc | 12 +
> gcc/tree-inline.cc | 10 +
> gcc/varasm.cc | 37 +-
> 78 files changed, 5218 insertions(+), 44 deletions(-)
> create mode 100644 gcc/kcfi.h
> create mode 100644 gcc/kcfi.cc
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
> create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
> create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-ilp32.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
> create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
> create mode 100644 gcc/kcfi-typeinfo.h
> create mode 100644 gcc/kcfi-typeinfo.cc
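
Added illustration, not part of the patch series or of either message: a small C model of the check the cover letter describes, where an indirect call site compares its expected type hash against the word stored just before the target's entry and traps on mismatch. The FNV-1a hash over prototype strings, the simulated text array and every name here are assumptions for the model, not GCC's or the kernel's scheme.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in type hash (assumption): FNV-1a over a prototype string. */
static uint32_t type_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++)
        h = (h ^ (unsigned char)*proto) * 16777619u;
    return h;
}

typedef void (*generic_fn)(void);
union word { uint32_t type_id; generic_fn body; };
/* Simulated text section: the word before each entry holds the type hash. */
static union word text[4];
enum { ADD_ONE = 1, STR_LEN = 3 };      /* constructed entry "addresses" */
#define KCFI_TRAP (-1)

static int add_one(int x) { return x + 1; }
static int str_len(const char *s) { int n = 0; while (s[n]) n++; return n; }

static void load_text(void)
{
    text[ADD_ONE - 1].type_id = type_hash("int(int)");
    text[ADD_ONE].body = (generic_fn)add_one;
    text[STR_LEN - 1].type_id = type_hash("int(const char *)");
    text[STR_LEN].body = (generic_fn)str_len;
}

/* Instrumented call site for prototype int(int): compare hashes, then call. */
static int checked_call_int_int(unsigned target, int arg, int *out)
{
    if (text[target - 1].type_id != type_hash("int(int)"))
        return KCFI_TRAP;               /* mismatch: target body never runs */
    *out = ((int (*)(int))text[target].body)(arg);
    return 0;
}

int main(void)
{
    int out = 0, rc;
    load_text();
    rc = checked_call_int_int(ADD_ONE, 41, &out);
    printf("matching target: rc=%d out=%d\n", rc, out);
    rc = checked_call_int_int(STR_LEN, 41, &out);
    printf("mismatched target: rc=%d\n", rc);
    return 0;
}
```

The second call models a corrupted function pointer that now points at a function of a different prototype: the hash comparison fails before control ever reaches the target.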