| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251210022025.harder.803-kees@kernel.org> Date: Tue, 9 Dec 2025 18:20:26 -0800 From: Kees Cook <kees@...nel.org> To: Qing Zhao <qing.zhao@...cle.com> Cc: Kees Cook <kees@...nel.org>, Uros Bizjak <ubizjak@...il.com>, Joseph Myers <josmyers@...hat.com>, Richard Biener <rguenther@...e.de>, Jeff Law <jeffreyalaw@...il.com>, Andrew Pinski <pinskia@...il.com>, Jakub Jelinek <jakub@...hat.com>, Martin Uecker <uecker@...raz.at>, Peter Zijlstra <peterz@...radead.org>, Ard Biesheuvel <ardb@...nel.org>, Jan Hubicka <hubicka@....cz>, Richard Earnshaw <richard.earnshaw@....com>, Richard Sandiford <richard.sandiford@....com>, Marcus Shawcroft <marcus.shawcroft@....com>, Kyrylo Tkachov <kyrylo.tkachov@....com>, Kito Cheng <kito.cheng@...il.com>, Palmer Dabbelt <palmer@...belt.com>, Andrew Waterman <andrew@...ive.com>, Jim Wilson <jim.wilson.gcc@...il.com>, Dan Li <ashimida.1990@...il.com>, Sami Tolvanen <samitolvanen@...gle.com>, Ramon de C Valle <rcvalle@...gle.com>, Joao Moreira <joao@...rdrivepizza.com>, Nathan Chancellor <nathan@...nel.org>, Bill Wendling <morbo@...gle.com>, "Osterlund, Sebastian" <sebastian.osterlund@...el.com>, "Constable, Scott D" <scott.d.constable@...el.com>, gcc-patches@....gnu.org, linux-hardening@...r.kernel.org Subject: [PATCH v9 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048] Hi, This series implements[1][2] the Linux Kernel Control Flow Integrity ABI, which provides a function prototype based forward edge control flow integrity protection by instrumenting every indirect call to check for a hash value before the target function address. If the hash at the call site and the hash at the target do not match, execution will trap. I'm hoping we can land front- and middle-end and do architectures as they also pass review. What do folks think? I'd really like to get this in a position where more people can test with GCC snapshots, etc. Thanks! -Kees Changes since v8[3], addressing Andrew's feedback: - Split out aarch64 indirect branch logic into separate patch[4]. - Simplify aarch64 asm output. - Clarify BTI interaction (it's safe) in commit log. - Move kcfi compatibility checking into hook logic instead of overrides in aarch64, i386, and riscv. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048 [2] https://github.com/KSPP/linux/issues/369 [3] https://lore.kernel.org/linux-hardening/20251120222105.us.687-kees@kernel.org/ [4] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=59a5fecfb260456dd60be687491717f3dbdb354f Kees Cook (7): typeinfo: Introduce KCFI typeinfo mangling API kcfi: Add core Kernel Control Flow Integrity infrastructure kcfi: Add regression test suite x86: Add x86_64 Kernel Control Flow Integrity implementation aarch64: Add AArch64 Kernel Control Flow Integrity implementation arm: Add ARM 32-bit Kernel Control Flow Integrity implementation riscv: Add RISC-V Kernel Control Flow Integrity implementation gcc/kcfi.h | 59 ++ gcc/kcfi.cc | 696 ++++++++++++++++++ gcc/config/aarch64/aarch64-protos.h | 4 + gcc/config/arm/arm-protos.h | 4 + gcc/config/i386/i386-protos.h | 2 +- gcc/config/i386/i386.h | 3 +- gcc/config/riscv/riscv-protos.h | 3 + gcc/config/aarch64/aarch64.md | 56 ++ gcc/config/arm/arm.md | 62 ++ gcc/config/i386/i386.md | 63 +- gcc/config/riscv/riscv.md | 76 +- gcc/config/aarch64/aarch64.cc | 93 +++ gcc/config/arm/arm.cc | 170 +++++ gcc/config/i386/i386-expand.cc | 22 +- gcc/config/i386/i386.cc | 210 +++++- gcc/config/riscv/riscv.cc | 180 +++++ gcc/doc/extend.texi | 137 ++++ gcc/doc/invoke.texi | 127 ++++ gcc/doc/tm.texi | 32 + gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 51 ++ gcc/testsuite/lib/target-supports.exp | 14 + .../gcc.dg/builtin-typeinfo-errors.c | 28 + gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 +++++++++ .../gcc.dg/kcfi/kcfi-aarch64-ilp32.c | 7 + gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 114 +++ gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c | 15 + .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c | 15 + gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 149 ++++ gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 90 +++ .../gcc.dg/kcfi/kcfi-cold-partition.c | 126 ++++ .../gcc.dg/kcfi/kcfi-complex-addressing.c | 203 +++++ .../gcc.dg/kcfi/kcfi-complex-addressing.s | 0 .../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++ .../gcc.dg/kcfi/kcfi-move-preservation.c | 118 +++ .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++ gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 + .../gcc.dg/kcfi/kcfi-offset-validation.c | 38 + .../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 64 ++ .../gcc.dg/kcfi/kcfi-patchable-incompatible.c | 7 + .../gcc.dg/kcfi/kcfi-patchable-large.c | 54 ++ .../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++ .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 61 ++ gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c | 7 + .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c | 7 + .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c | 7 + .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c | 7 + gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 276 +++++++ gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 140 ++++ .../gcc.dg/kcfi/kcfi-trap-encoding.c | 69 ++ gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 29 + gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c | 7 + gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c | 93 +++ .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c | 7 + .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c | 7 + .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c | 40 + gcc/Makefile.in | 2 + gcc/c-family/c-common.h | 1 + gcc/flag-types.h | 2 + gcc/gimple.h | 22 + gcc/kcfi-typeinfo.h | 32 + gcc/tree-pass.h | 1 + gcc/c-family/c-attribs.cc | 17 +- gcc/c-family/c-common.cc | 2 + gcc/c/c-parser.cc | 72 ++ gcc/common.opt | 8 + gcc/df-scan.cc | 7 + gcc/doc/tm.texi.in | 12 + gcc/final.cc | 3 + gcc/kcfi-typeinfo.cc | 516 +++++++++++++ gcc/opts.cc | 2 + gcc/passes.cc | 1 + gcc/passes.def | 1 + gcc/rtl.def | 6 + gcc/rtlanal.cc | 5 + gcc/target.def | 39 + gcc/toplev.cc | 12 + gcc/tree-inline.cc | 10 + gcc/varasm.cc | 37 +- 78 files changed, 5218 insertions(+), 44 deletions(-) create mode 100644 gcc/kcfi.h create mode 100644 gcc/kcfi.cc create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-ilp32.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-32bit.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-32bit.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-arity.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c create mode 100644 gcc/kcfi-typeinfo.h create mode 100644 gcc/kcfi-typeinfo.cc -- 2.34.1
Powered by blists - more mailing lists