Clang CFI Patches For The Linux Kernel Aim To Provide Better Security

Written by Michael Larabel in LLVM on 14 March 2021 at 12:00 AM EST.
Now that Clang LTO support has been merged into Linux 5.12 for x86_64 and ARM64, Google engineers have sent out their patches enabling Clang Control-Flow Integrity (CFI) support for the Linux kernel.

Clang's CFI support depended upon the link-time optimization (LTO) support first landing in the kernel. Now that LTO is in place, Sami Tolvanen and the other Google engineers sent out their kernel patches for bringing up the CFI security feature.

Clang's Control-Flow Integrity injects run-time checks before every indirect function call to ensure that the target is a valid function with a valid static type. Clang CFI is implemented as a sanitizer and depends upon LTO support for checking the hidden LTO visibility of a class. Clang CFI ultimately aims to ensure that the original control-flow graph of the binary is not changed, making it more difficult for malicious actors to alter the control flow and take advantage of memory safety issues. CFI is all the more important for the kernel given its privileges.
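
A simplified C model of the indirect-call check described above, added here as an illustration; it is not code from the kernel patches and not what Clang emits. The function names, the `cfi_targets` table and the return-code behaviour are assumptions of the example (real CFI derives the valid-target sets at link time and traps on a mismatch).

```c
#include <stddef.h>
#include <stdio.h>

typedef void (*generic_fn)(void);   /* type-erased function pointer */
typedef int (*read_fn)(int);        /* type the call site expects */

/* Constructed sample functions: two share the read_fn type, one does not. */
static int dev_read(int off) { return off + 1; }
static int dev_read_alt(int off) { return off * 2; }
static int reset_count;
static void dev_reset(void) { reset_count++; }

/* Stand-in for the per-type sets of valid targets the compiler builds
 * when it can see the whole program at link time. */
enum type_id { TYPE_READ, TYPE_RESET };
static const struct { generic_fn target; enum type_id type; } cfi_targets[] = {
    { (generic_fn)dev_read,     TYPE_READ  },
    { (generic_fn)dev_read_alt, TYPE_READ  },
    { (generic_fn)dev_reset,    TYPE_RESET },
};

/* 1 only if target is a known function of the expected static type. */
static int cfi_check(generic_fn target, enum type_id expected)
{
    for (size_t i = 0; i < sizeof cfi_targets / sizeof cfi_targets[0]; i++)
        if (cfi_targets[i].target == target)
            return cfi_targets[i].type == expected;
    return 0;   /* not a known function entry point at all */
}

/* Instrumented indirect call: check first, call only on success.
 * Real CFI traps on failure; this model returns -1 so it can be tested. */
static int checked_read(generic_fn target, int off, int *out)
{
    if (!cfi_check(target, TYPE_READ))
        return -1;
    *out = ((read_fn)target)(off);
    return 0;
}

int main(void)
{
    int out = 0;
    int ok = checked_read((generic_fn)dev_read, 4, &out);
    printf("matching type:   rc=%d out=%d\n", ok, out);
    int bad = checked_read((generic_fn)dev_reset, 4, &out);
    printf("mismatched type: rc=%d resets=%d\n", bad, reset_count);
    return 0;
}
```

The second call is refused before `dev_reset` ever runs, which is the property that matters: a pointer redirected to a function of the wrong type is stopped at the call site rather than after the callee has executed.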

Clang CFI in general is commonly reported as having a performance overhead of about 1% or less from the added run-time checks.

These patches allow the Linux kernel to be built with Clang Control-Flow Integrity enabled. At the moment it's about 600 lines of code to hook in all of the compiler instrumentation. This currently works only on ARM64, but x86_64 support is expected in short order.