Clang RandStruct Lands As Part Of Kernel Hardening For Linux 5.19

Written by Michael Larabel in Linux Kernel on 31 May 2022 at 04:55 AM EDT.
Merged into the mainline Linux 5.19 kernel last week was the latest batch of kernel hardening work, which introduces Clang RandStruct support along with other changes to beef up the kernel's defenses.

RandStruct is a new feature coming in LLVM/Clang 15.0 that randomizes structure layout. The Linux kernel has already had RandStruct support on the GCC side for randomizing the layout of sensitive kernel structures, and Linux 5.19 now adds support for the new Clang 15 implementation.

Using the Linux kernel's RandStruct hardening can incur some performance impact, but there is also a build-time tunable that limits the randomization of the structure layout to cache-line-sized groups of members, lessening that performance cost, albeit with reduced randomization.
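
As an added example (not from the article or the kernel tree), this shell function reports which RandStruct mode a kernel config selects and which compiler built it. The Kconfig symbol names are the kernel's own and are not quoted in the article; the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify a kernel config by RandStruct mode.
# Covers the 5.19+ symbol names and the older GCC-plugin-only names.

# has_y SYMBOL: true if CONFIG_SYMBOL=y appears in $cfg
has_y() {
    printf '%s\n' "$cfg" | grep -q "^CONFIG_$1=y\$"
}

# randstruct_mode: reads a kernel config on stdin and prints
# "<mode> <compiler>", where mode is full, performance or none.
randstruct_mode() {
    cfg=$(cat)
    if has_y CC_IS_CLANG; then cc=clang
    elif has_y CC_IS_GCC; then cc=gcc
    else cc=unknown; fi
    # Test the cache-line-limited mode first: GCC builds in that mode
    # also set CONFIG_GCC_PLUGIN_RANDSTRUCT=y.
    if has_y RANDSTRUCT_PERFORMANCE ||
       has_y GCC_PLUGIN_RANDSTRUCT_PERFORMANCE; then
        mode=performance
    elif has_y RANDSTRUCT_FULL || has_y GCC_PLUGIN_RANDSTRUCT; then
        mode=full
    else
        mode=none
    fi
    echo "$mode $cc"
}

# Constructed sample: a 5.19 kernel built with Clang 15, full randomization.
sample_clang_full() {
    cat <<'EOF'
CONFIG_CC_IS_CLANG=y
CONFIG_CLANG_VERSION=150000
# CONFIG_RANDSTRUCT_NONE is not set
CONFIG_RANDSTRUCT_FULL=y
CONFIG_RANDSTRUCT=y
EOF
}

sample_clang_full | randstruct_mode
```

On a running system, feed it the real config, for instance `zcat /proc/config.gz | randstruct_mode` or `randstruct_mode < /boot/config-$(uname -r)`, depending on where the distribution ships it.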

The hardening updates also include user-copy hardening that now checks other allocation types, ARM64 StackLeak behavioral improvements, ARM64 Control-Flow Integrity (CFI) code generation improvements, and LoadPin LSM changes.