Introduce Kernel Control Flow Integrity ABI [PR107048]
From: Kees Cook <kees-AT-kernel.org>
To: Qing Zhao <qing.zhao-AT-oracle.com>
Subject: [PATCH v4 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048]
Date: Thu, 25 Sep 2025 20:02:42 -0700
Message-ID: <20250926023737.it.616-kees@kernel.org>
Cc: Kees Cook <kees-AT-kernel.org>, Andrew Pinski <pinskia-AT-gmail.com>, Jakub Jelinek <jakub-AT-redhat.com>, Martin Uecker <uecker-AT-tugraz.at>, Richard Biener <rguenther-AT-suse.de>, Joseph Myers <josmyers-AT-redhat.com>, Peter Zijlstra <peterz-AT-infradead.org>, Ard Biesheuvel <ardb-AT-kernel.org>, Jeff Law <jeffreyalaw-AT-gmail.com>, Jan Hubicka <hubicka-AT-ucw.cz>, Richard Earnshaw <richard.earnshaw-AT-arm.com>, Richard Sandiford <richard.sandiford-AT-arm.com>, Marcus Shawcroft <marcus.shawcroft-AT-arm.com>, Kyrylo Tkachov <kyrylo.tkachov-AT-arm.com>, Kito Cheng <kito.cheng-AT-gmail.com>, Palmer Dabbelt <palmer-AT-dabbelt.com>, Andrew Waterman <andrew-AT-sifive.com>, Jim Wilson <jim.wilson.gcc-AT-gmail.com>, Dan Li <ashimida.1990-AT-gmail.com>, Sami Tolvanen <samitolvanen-AT-google.com>, Ramon de C Valle <rcvalle-AT-google.com>, Joao Moreira <joao-AT-overdrivepizza.com>, Nathan Chancellor <nathan-AT-kernel.org>, Bill Wendling <morbo-AT-google.com>, gcc-patches-AT-gcc.gnu.org, linux-hardening-AT-vger.kernel.org
Hi,

Here is v4! :)

This series implements[1][2] the Linux Kernel Control Flow Integrity ABI, which provides a function prototype based forward edge control flow integrity protection by instrumenting every indirect call to check for a hash value before the target function address. If the hash at the call site and the hash at the target do not match, execution will trap.

Changes since v3[3]:
- Clarified commit logs and kcfi.cc design docs further.
- Switched to KCFI-specific global label counter.
- Refactored patchable function entry and alignment padding calculations and added extensive comments.
- Moved option validation into early option processing.
- Switched arm to using eor sequence suggested by Ard Biesheuvel.
- Switched arm scratch register to ip with r3 fallback.
- Removed redundant aarch64 clobbers.
- Added KCFI availability function for regression tests.
- Refactored regression tests to use check-function-bodies.
- Split arch-specific regression test patterns into per-arch patches (I don't like having fully separate test source files be per-arch since the conditions being tested are usually arch-agnostic).
- Added more complete function interface comments.
- Added -ffixed-$reg option checking and associated tests.
- Various other small cleanups.

Thanks!

-Kees

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
[2] https://github.com/KSPP/linux/issues/369
[3] https://lore.kernel.org/linux-hardening/20250913231256.ma...
Kees Cook (7):
  typeinfo: Introduce KCFI typeinfo mangling API
  kcfi: Add core Kernel Control Flow Integrity infrastructure
  kcfi: Add regression test suite
  x86: Add x86_64 Kernel Control Flow Integrity implementation
  aarch64: Add AArch64 Kernel Control Flow Integrity implementation
  arm: Add ARM 32-bit Kernel Control Flow Integrity implementation
  riscv: Add RISC-V Kernel Control Flow Integrity implementation

 gcc/kcfi.h | 55 ++
 gcc/kcfi.cc | 670 ++++++++++++++++++
 gcc/config/aarch64/aarch64-protos.h | 5 +
 gcc/config/arm/arm-protos.h | 4 +
 gcc/config/i386/i386-protos.h | 1 +
 gcc/config/i386/i386.h | 3 +-
 gcc/config/riscv/riscv-protos.h | 3 +
 gcc/config/aarch64/aarch64.md | 64 +-
 gcc/config/arm/arm.md | 62 ++
 gcc/config/i386/i386.md | 62 +-
 gcc/config/riscv/riscv.md | 76 +-
 gcc/config/aarch64/aarch64.cc | 111 +++
 gcc/config/arm/arm.cc | 170 +++++
 gcc/config/i386/i386-expand.cc | 22 +-
 gcc/config/i386/i386-options.cc | 11 +
 gcc/config/i386/i386.cc | 128 ++++
 gcc/config/riscv/riscv.cc | 169 +++++
 gcc/doc/extend.texi | 132 ++++
 gcc/doc/invoke.texi | 104 +++
 gcc/doc/tm.texi | 31 +
 gcc/testsuite/gcc.dg/kcfi/kcfi.exp | 42 ++
 gcc/testsuite/lib/target-supports.exp | 14 +
 .../gcc.dg/builtin-typeinfo-errors.c | 28 +
 gcc/testsuite/gcc.dg/builtin-typeinfo.c | 350 +++++++++
 .../gcc.dg/kcfi/kcfi-aarch64-fixed-x16.c | 17 +
 .../gcc.dg/kcfi/kcfi-aarch64-fixed-x17.c | 17 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c | 114 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c | 15 +
 .../gcc.dg/kcfi/kcfi-arm-fixed-r12.c | 15 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c | 149 ++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c | 90 +++
 .../gcc.dg/kcfi/kcfi-cold-partition.c | 126 ++++
 .../gcc.dg/kcfi/kcfi-complex-addressing.c | 203 ++++++
 .../gcc.dg/kcfi/kcfi-complex-addressing.s | 0
 .../gcc.dg/kcfi/kcfi-ipa-robustness.c | 54 ++
 .../gcc.dg/kcfi/kcfi-move-preservation.c | 118 +++
 .../gcc.dg/kcfi/kcfi-no-sanitize-inline.c | 100 +++
 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c | 39 +
 .../gcc.dg/kcfi/kcfi-offset-validation.c | 38 +
 .../gcc.dg/kcfi/kcfi-patchable-entry-only.c | 64 ++
 .../gcc.dg/kcfi/kcfi-patchable-incompatible.c | 7 +
 .../gcc.dg/kcfi/kcfi-patchable-large.c | 54 ++
 .../gcc.dg/kcfi/kcfi-patchable-medium.c | 60 ++
 .../gcc.dg/kcfi/kcfi-patchable-prefix-only.c | 61 ++
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t1.c | 17 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t2.c | 17 +
 .../gcc.dg/kcfi/kcfi-riscv-fixed-t3.c | 17 +
 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c | 276 ++++++++
 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c | 140 ++++
 .../gcc.dg/kcfi/kcfi-trap-encoding.c | 69 ++
 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c | 29 +
 .../gcc.dg/kcfi/kcfi-x86-fixed-r10.c | 17 +
 .../gcc.dg/kcfi/kcfi-x86-fixed-r11.c | 17 +
 .../gcc.dg/kcfi/kcfi-x86-retpoline-r11.c | 40 ++
 gcc/Makefile.in | 2 +
 gcc/c-family/c-common.h | 1 +
 gcc/flag-types.h | 2 +
 gcc/gimple.h | 22 +
 gcc/kcfi-typeinfo.h | 32 +
 gcc/tree-pass.h | 1 +
 gcc/c-family/c-attribs.cc | 17 +-
 gcc/c-family/c-common.cc | 2 +
 gcc/c/c-parser.cc | 72 ++
 gcc/df-scan.cc | 7 +
 gcc/doc/tm.texi.in | 12 +
 gcc/final.cc | 3 +
 gcc/kcfi-typeinfo.cc | 472 ++++++++++++
 gcc/opts.cc | 1 +
 gcc/passes.cc | 1 +
 gcc/passes.def | 1 +
 gcc/rtl.def | 6 +
 gcc/rtlanal.cc | 5 +
 gcc/target.def | 38 +
 gcc/toplev.cc | 10 +
 gcc/tree-inline.cc | 10 +
 gcc/varasm.cc | 37 +-
 76 files changed, 5018 insertions(+), 33 deletions(-)
 create mode 100644 gcc/kcfi.h
 create mode 100644 gcc/kcfi.cc
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi.exp
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo-errors.c
 create mode 100644 gcc/testsuite/gcc.dg/builtin-typeinfo.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-fixed-x16.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-aarch64-fixed-x17.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-adjacency.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-ip.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-arm-fixed-r12.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-basics.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-call-sharing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-cold-partition.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-complex-addressing.s
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-ipa-robustness.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-move-preservation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize-inline.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-no-sanitize.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-offset-validation.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-entry-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-incompatible.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-large.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-medium.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-patchable-prefix-only.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t1.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t2.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-riscv-fixed-t3.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-runtime.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-encoding.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-trap-section.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r10.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-fixed-r11.c
 create mode 100644 gcc/testsuite/gcc.dg/kcfi/kcfi-x86-retpoline-r11.c
 create mode 100644 gcc/kcfi-typeinfo.h
 create mode 100644 gcc/kcfi-typeinfo.cc

--
2.34.1
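An added plain-C model of the check the cover letter describes (not code from this series or from GCC): a 32-bit prototype hash is stored directly before a target's entry, the call site reads it and compares it with the hash for its own prototype, and a mismatch is counted where a real build would execute a trap. The FNV-1a hash, the `struct kcfi_fn` layout and the `kcfi_*` names are constructed stand-ins, not the ABI's actual encoding.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the prototype hash (32-bit FNV-1a over a
 * prototype string); the real ABI's hash derivation is not reproduced. */
static uint32_t kcfi_type_hash(const char *proto)
{
    uint32_t h = 0x811c9dc5u;
    for (; *proto; proto++)
        h = (h ^ (uint8_t)*proto) * 0x01000193u;
    return h;
}

/* Model of an instrumented function: hash directly before the "entry address". */
struct kcfi_fn {
    uint32_t prefix_pad;  /* keeps type_hash adjacent to entry on 32- and 64-bit layouts */
    uint32_t type_hash;   /* what the compiler emits before the entry */
    void (*entry)(void);  /* stands in for the entry address; cast back at the call */
};
static int kcfi_traps;    /* mismatches seen; a real target executes a trap instruction */

/* Call-site check: compare the hash stored just before the target with the expected one. */
static int kcfi_check(const void *target, uint32_t expected)
{
    uint32_t actual;
    memcpy(&actual, (const char *)target - sizeof actual, sizeof actual);
    if (actual != expected)
        kcfi_traps++;
    return actual == expected;
}

/* A call site of prototype int(int): check, then call; -1 stands for the trap. */
static int kcfi_call_int_int(const struct kcfi_fn *fn, int arg)
{
    if (!kcfi_check(&fn->entry, kcfi_type_hash("int(int)")))
        return -1;
    return ((int (*)(int))fn->entry)(arg);
}

static int add_one(int x) { return x + 1; }
static int str_len(const char *s) { return (int)strlen(s); }

/* Returns 1 when the matching target runs and the other-prototype target is rejected. */
static int kcfi_demo(void)
{
    struct kcfi_fn good = { 0, kcfi_type_hash("int(int)"), (void (*)(void))add_one };
    struct kcfi_fn bad = { 0, kcfi_type_hash("int(const char *)"), (void (*)(void))str_len };
    int before = kcfi_traps;
    int r1 = kcfi_call_int_int(&good, 41);  /* 42 */
    int r2 = kcfi_call_int_int(&bad, 41);   /* -1, trap counted */
    return r1 == 42 && r2 == -1 && kcfi_traps == before + 1;
}
```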