Clang CFI Patches For The Linux Kernel Updated To Beef Up Security
When Clang LTO support was added for Linux 5.12 earlier this year, the link-time optimization work wasn't done solely to squeeze out greater performance: it is also a prerequisite for making use of Clang's Control Flow Integrity (CFI) functionality. Google engineers have now sent out their latest set of patches for bringing up Clang CFI support within the Linux kernel.
Clang's CFI is designed to enhance security against attacks that subvert the software's control flow. Unlike other solutions, Clang CFI is quite speedy, with the intent that it's safe and performant enough to use for release builds of software. CFI adds a run-time check before indirect function calls to ensure nothing nefarious is happening to the control flow. Clang's CFI relies upon link-time optimizations for inferring visibility of a class, and as an added benefit it doesn't require any specialized CPU/hardware capabilities.
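A simplified model of that run-time check, as an added example (not code from the kernel patches or from Clang). The function names and the hand-built target set are assumptions standing in for what the compiler derives per function type from its whole-program LTO view, and the check returns an error where a real CFI build would trap.

```c
#include <stddef.h>

typedef void (*generic_fn)(void);   /* type-erased pointer, used only for comparison */
typedef int (*int_op_t)(int);       /* prototype expected at the call site */

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }
/* Different prototype: never a valid target for an int_op_t call site. */
static long other_proto(long a, long b) { return a + b; }

/* Constructed stand-in for the set of valid targets of type int (*)(int). */
static const generic_fn int_op_targets[] = {
    (generic_fn)double_it,
    (generic_fn)negate,
};

/* Returns 1 if target is a known function of the expected type, else 0. */
static int cfi_target_ok(generic_fn target, const generic_fn *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == target)
            return 1;
    return 0;
}

/* Checked indirect call: the target is validated before control transfers.
 * Returns 0 and stores the result in *out, or -1 if the check fails. */
int checked_call(int_op_t fn, int arg, int *out)
{
    size_t n = sizeof(int_op_targets) / sizeof(int_op_targets[0]);
    if (!cfi_target_ok((generic_fn)fn, int_op_targets, n))
        return -1;                  /* a real CFI build traps here */
    *out = fn(arg);
    return 0;
}

/* A pointer as legitimate code would set it. */
int_op_t valid_pointer(void) { return negate; }

/* Models a corrupted pointer: a wrong-type function forced into the slot. */
int_op_t corrupted_pointer(void) { return (int_op_t)(generic_fn)other_proto; }
```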
Sami Tolvanen of Google on Monday posted the second revision of the proposed Clang CFI x86 (x86_64) Linux kernel support. This new version brings various fixes and low-level code improvements.
The patch in its current form also restricts the functionality to LLVM Clang 14 and newer, which isn't to be released until early 2022. There is a rather simple patch in Clang 14/Git, but upon discussion it looks like something that will be back-ported to the upcoming Clang 13 compiler release. So ultimately Clang 13, which is due out next month, might be in good shape for handling CFI duties of the Linux kernel.
See these 14 patches if Clang CFI for the mainline Linux kernel is of interest to you. Sadly, with the 5.15 merge window being imminent, this will likely wait until at least 5.16.