Clang CFI Patches For The Linux Kernel Updated To Beef Up Security

Written by Michael Larabel in Linux Kernel on 25 August 2021 at 12:00 AM EDT.
Earlier this year, when Clang LTO support was added for Linux 5.12, that link-time optimization support wasn't done solely for squeezing out greater performance: it is also a prerequisite for making use of Clang's Control Flow Integrity (CFI) functionality. Google engineers have now sent out their latest set of patches for bringing up Clang CFI support within the Linux kernel.

Clang's CFI is designed to enhance security against attacks that subvert the software's control flow. Unlike other solutions, Clang CFI is quite speedy, with the intent that it is safe and performant enough to use for release builds of software. CFI adds a run-time check before each indirect function call to ensure nothing nefarious is happening to the control flow. Clang's CFI relies upon link-time optimization for inferring the visibility of a class, and as another added benefit of this solution it doesn't require any specialized CPU/hardware capabilities.
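As an added illustration (not code from the kernel patches or from Clang), the following C program models the forward-edge check that Clang's CFI inserts before an indirect call: with whole-program visibility from LTO, the compiler knows every function whose type matches the call site, and the call only proceeds if the target is one of them. The table, the `cfi_check_int_fn` helper and the `demo_*` functions are constructed for this example; in a real build these are emitted by `clang -flto -fvisibility=hidden -fsanitize=cfi` and a failed check traps instead of returning.

```c
/* Simplified model of Clang CFI's indirect-call check (added example). */
#include <stddef.h>

typedef int  (*int_fn)(int);
typedef long (*long_fn)(long, long);

static int  square(int x)          { return x * x; }
static int  negate(int x)          { return -x; }
static long add(long a, long b)    { return a + b; }

/* With LTO the compiler sees the whole program, so it can emit the complete
   set of functions whose type matches an `int (*)(int)` call site.  A pointer
   that was cast from a function of a different type is not in this set. */
static const int_fn int_fn_table[] = { square, negate };

/* The check itself: is `target` a member of the set for this call-site type? */
static int cfi_check_int_fn(const void *target)
{
    size_t n = sizeof int_fn_table / sizeof int_fn_table[0];
    for (size_t i = 0; i < n; i++)
        if ((const void *)int_fn_table[i] == target)
            return 1;
    return 0;
}

/* Indirect call guarded by the check.  Real CFI traps on failure; this model
   reports the verdict through `ok` so the caller can observe it. */
static int call_int_fn(const void *target, int arg, int *ok)
{
    if (!cfi_check_int_fn(target)) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return ((int_fn)target)(arg);
}

/* A legitimate target of the right type passes the check and is called. */
int demo_valid_call(void)
{
    int ok;
    int r = call_int_fn((const void *)square, 7, &ok);
    return ok ? r : -1;   /* returns 49 */
}

/* A pointer that really refers to `long add(long, long)` has the wrong type
   for this call site, so the check rejects it before any call happens. */
int demo_rejected_call(void)
{
    int ok;
    (void)call_int_fn((const void *)add, 7, &ok);
    return ok;            /* returns 0: call was blocked */
}
```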

Sami Tolvanen of Google on Monday posted the second revision of the proposed Clang CFI x86 (x86_64) Linux kernel support. This new version brings various fixes and low-level code improvements.

The patch in its current form also restricts the functionality to LLVM Clang 14 and newer, which isn't due to be released until early 2022. There is a rather simple patch in Clang 14/Git, but based on the discussion it looks like something that will be back-ported to the upcoming Clang 13 compiler release. So ultimately Clang 13, which is due out next month, might be in good shape for handling the CFI duties of the Linux kernel.

See these 14 patches if Clang CFI for the mainline Linux kernel is of interest to you. Sadly, with the 5.15 merge window being imminent, this will likely wait until at least 5.16.