Clang CFI Support Upstreamed For Linux 5.13 - But Only On ARM64 For Now

Now that Clang LTO support landed in Linux 5.12 and cleared the blocker on CFI support, that LLVM Clang control-flow integrity (CFI) capability is now upstream for Linux 5.13.

Clang's Control-Flow Integrity provides run-time checks before every indirect function call to ensure the target is a valid function with a valid static type. Clang CFI is implemented as a sanitizer and requires link-time optimizations (LTO) be enabled and thus was blocked until that support first landed in the kernel. Clang CFI can be benficial at ensuring the intended control flow of the software doesn't change and generally at a cost of ~1% or less to the run-time performance.

Google has already been using Clang CFI when building their Android kernels the past few years. Now given the Clang LTO support upstream and the overall improving state of LLVM/Clang compiler support for the Linux kernel, CFI support has landed upstream in Linux 5.13.

One important note though is that for Linux 5.13 only 64-bit ARM is supported. The Clang CFI support for Linux x86/x86_64 is still being worked on but almost complete.

More details on Clang CFI for Linux 5.13 via this pull request that was already merged to mainline.