Clang CFI Patches For The Linux Kernel Aim To Provide Better Security

Written by Michael Larabel in LLVM on 14 March 2021 at 12:00 AM EST. 1 Comment
LLVM
Now that Clang LTO support was merged into Linux 5.12 for x86_64 and ARM64, Google engineers have sent out their patches enabling Clang Control-Flow Integrity (CFI) support for the Linux kernel.

Clang's CFI support depended upon the link-time optimization (LTO) support first landing in the kernel. Now that LTO is in place, Sami Tolvanen and the other Google engineers sent out their kernel patches for bringing up the CFI security feature.

Clang's Control-Flow Integrity injects run-time checks before every indirect function call to ensure the target is a valid function and with a valid static type. Clang CFI is implemented as a sanitizer and depends upon the LTO support for checking on hidden LTO visibility of a class. Clang CFI ultimately aims to ensure that the original control flow graph of the binary is not changed and makes it more difficult for malicious actors to change the control flow and take advantage of memory safety issues. CFI is all the more important for the kernel given its privileges.

Clang CFI in general is commonly reported as having a ~1% overhead or less on performance from the added run-time checks.

These patches allow the Linux kernel to be built with Clang Control-Flow Integrity enabled. At the moment it's about 600 lines of code to hook in all of the compiler instrumentation. At the moment this is only working for ARM64 but x86_64 support is expected in short order.
1 Comment
Related News
LLVM's libc Gets Much Faster memcpy For RISC-V
LLVM Clang 17 Adds Initial C++26 Compile Flags With -std=c++26
LLVM Clang Now Exposes -std=c++23 Rather Than -std=c++2b
LLVM 16.0.1 Released With Many Compiler Fixes, Backports AMD Zen 4 Scheduler Model
LLVM 17 Lands Initial Support For RISC-V Vector Crypto Extension ISA
AMD Adds Basic RPC Mechanism To LLVM libc For GPUs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
XFS Metadata Corruption On Linux 6.3 Tracked Down To One Missing One-Line Patch
System76 Virgo Aims To Be The Quietest Yet Most Performant Linux Laptop
Those Using The XFS File-System Will Want To Avoid Linux 6.3 For Now
Intel Arc Graphics A750/A770 Quick Linux Competition With The Radeon RX 7600
Linux Patches Improve VM Guest Performance When The Host Encounters Memory Pressure
Vulkan 1.3.251 Released With One New Extension Worked On By Valve, Nintendo & Others
Wine 8.9 Released With More Wayland Bits, Mono 8.0 Upgrade
AMD Posts QDMA Linux Driver For Review