Skip to content
Branch: clang-cfi
Commits on Dec 6, 2019
  1. crypto: arm64/sha: fix function types

    samitolvanen committed Aug 10, 2017
    Instead of casting pointers to callback functions, add C wrappers
    to avoid type mismatch failures with Control-Flow Integrity (CFI)
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Ard Biesheuvel <>
  2. arm64: kvm: disable CFI

    samitolvanen committed Apr 23, 2018
    Disable CFI for code that runs at EL2 because __cfi_check only
    understands EL1 addresses.
    Signed-off-by: Sami Tolvanen <>
  3. arm64: add __nocfi to __apply_alternatives

    samitolvanen committed Aug 16, 2019
    __apply_alternatives makes indirect calls to functions whose address is
    taken in assembly code using the alternative_cb macro. With CFI enabled
    using non-canonical jump tables, the compiler isn't able to replace the
    function reference with the jump table reference, which trips CFI.
    Signed-off-by: Sami Tolvanen <>
  4. arm64: add __pa_function

    samitolvanen committed Oct 4, 2019
    We use non-canonical CFI jump tables with CONFIG_CFI_CLANG, which
    means the compiler replaces function address references with the
    address of the function's CFI jump table entry. This results in
    __pa_symbol(function) returning the physical address of the jump
    table entry, which can lead to address space confusion since the
    jump table points to a virtual address.
    This change adds a __pa_function macro, which uses inline assembly
    to take the actual function address instead.
    Signed-off-by: Sami Tolvanen <>
  5. arm64: add __nocfi to functions that jump to a physical address

    samitolvanen committed Aug 18, 2017
    Disable CFI checking for functions that switch to linear mapping and
    make an indirect call to a physical address, since the compiler only
    understands virtual addresses.
    Signed-off-by: Sami Tolvanen <>
  6. arm64: bpf: implement arch_bpf_jit_check_func

    samitolvanen committed Sep 4, 2019
    Implement arch_bpf_jit_check_func to check that pointers to jited BPF
    functions are correctly aligned and point to the BPF JIT region. This
    narrows down the attack surface on the stored pointer.
    Signed-off-by: Sami Tolvanen <>
  7. bpf: validate bpf_func when BPF_JIT is enabled with CFI

    samitolvanen committed Sep 4, 2019
    With CONFIG_BPF_JIT, the kernel makes indirect calls to dynamically
    generated code, which the compile-time Control-Flow Integrity (CFI)
    checking cannot validate. This change adds basic sanity checking to
    ensure we are jumping to a valid location, which narrows down the
    attack surface on the stored pointer.
    In addition, this change adds a weak arch_bpf_jit_check_func function,
    which architectures that implement BPF JIT can override to perform
    additional validation, such as verifying that the pointer points to
    the correct memory region.
    Signed-off-by: Sami Tolvanen <>
  8. export: fix ksymtab addresses with CFI

    samitolvanen committed Dec 3, 2019
    With CONFIG_CFI_CLANG, LLVM replaces function references with CFI
    jump table addresses to allow type checking with indirect calls. This is
    unnecessary in ksymtab, so this change uses inline assembly to emit
    ksymtab entries that point to the actual function instead when CFI is
    Signed-off-by: Sami Tolvanen <>
  9. add support for Clang's Control Flow Integrity (CFI)

    samitolvanen committed Apr 25, 2019
    This change adds the CONFIG_CFI_CLANG option, CFI error handling,
    and a faster look-up table for cross module CFI checks.
    Signed-off-by: Sami Tolvanen <>
  10. x86: add support for CONFIG_LTO_CLANG

    samitolvanen committed Apr 10, 2019
    Signed-off-by: Sami Tolvanen <>
  11. x86: disable UNWINDER_ORC with LTO_CLANG

    samitolvanen committed May 14, 2019
    Signed-off-by: Sami Tolvanen <>
  12. x86: disable STACK_VALIDATION with LTO_CLANG

    samitolvanen committed Apr 30, 2019
    Disable CONFIG_STACK_VALIDATION with LTO, because objtool doesn't
    understand LLVM IR.
    Signed-off-by: Sami Tolvanen <>
  13. x86: disable HAVE_ARCH_PREL32_RELOCATIONS with LTO_CLANG

    samitolvanen committed Apr 19, 2019
    Disable HAVE_ARCH_PREL32_RELOCATIONS to stop LLVM from reordering
    Signed-off-by: Sami Tolvanen <>
  14. x86/vdso: disable LTO only for VDSO

    samitolvanen committed Apr 16, 2019
    Instead of disabling LTO for all the code in the directory, only
    disable it for the VDSO itself.
    Signed-off-by: Sami Tolvanen <>
  15. arm64: fix alternatives with LLVM's integrated assembler

    samitolvanen committed Aug 8, 2019
    LLVM's integrated assembler fails with the following error when
    building KVM:
      <inline asm>:12:6: error: expected absolute expression
       .if kvm_update_va_mask == 0
      <inline asm>:21:6: error: expected absolute expression
       .if kvm_update_va_mask == 0
      <inline asm>:24:2: error: unrecognized instruction mnemonic
      LLVM ERROR: Error parsing inline asm
    These errors come from ALTERNATIVE_CB and __ALTERNATIVE_CFG,
    which test for the existence of the callback parameter in inline
    assembly using the following expression:
      " .if " __stringify(cb) " == 0\n"
    This works with GNU as, but isn't supported by LLVM. This change
    splits __ALTERNATIVE_CFG and ALTINSTR_ENTRY into separate macros
    to fix the LLVM build.
    Link: ClangBuiltLinux#472
    Signed-off-by: Sami Tolvanen <>
  16. arm64: lse: fix LSE atomics with LLVM's integrated assembler

    samitolvanen committed Feb 6, 2019
    Unlike gcc, clang considers each inline assembly block to be independent
    and therefore, when using the integrated assembler for inline assembly,
    any preambles that enable features must be repeated in each block.
    This change defines __LSE_PREAMBLE and adds it to each inline assembly
    block that has LSE instructions, which allows them to be compiled also
    with clang's assembler.
    Link: ClangBuiltLinux#671
    Signed-off-by: Sami Tolvanen <>
  17. arm64: allow LTO_CLANG and THINLTO to be selected

    samitolvanen committed Nov 2, 2017
    Allow CONFIG_LTO_CLANG and CONFIG_THINLTO to be enabled.
    Signed-off-by: Sami Tolvanen <>
  18. arm64: disable HAVE_ARCH_PREL32_RELOCATIONS with LTO_CLANG

    samitolvanen committed Apr 25, 2019
    Disable HAVE_ARCH_PREL32_RELOCATIONS to stop LLVM from reordering
    Signed-off-by: Sami Tolvanen <>
  19. arm64: vdso: disable LTO

    samitolvanen committed Dec 19, 2017
    Signed-off-by: Sami Tolvanen <>
  20. soc/tegra: disable ARCH_TEGRA_210_SOC with LTO

    samitolvanen committed Jun 13, 2019
    Disable CONFIG_ARCH_TEGRA_210_SOC with LTO to work around an issue
    with ThinLTO.
    Link: ClangBuiltLinux#510
    Signed-off-by: Sami Tolvanen <>
  21. init: ensure initcall ordering with LTO

    samitolvanen committed Dec 8, 2017
    With LTO, the compiler doesn't necessarily obey link order for
    initcalls, and the initcall variables need to be globally unique
    to avoid naming collisions.
    In order to preserve the intended order, this change moves each
    initcall variable into its own section and generates a linker
    script (in scripts/ to define the correct order
    for these sections. We also add a __COUNTER__ prefix to the name,
    so we can retain the order of initcalls within each compilation
    unit, and __LINE__ to help ensure uniqueness.
    Signed-off-by: Sami Tolvanen <>
  22. drivers/misc/lkdtm: disable LTO for rodata.o

    samitolvanen committed Dec 5, 2017
    Disable LTO for rodata.o to allow objcopy to be used to
    manipulate sections.
    Signed-off-by: Sami Tolvanen <>
  23. efi/libstub: disable LTO

    samitolvanen committed May 1, 2017
    With CONFIG_LTO_CLANG, we produce LLVM IR instead of object files. Since LTO
    is not really needed here and the Makefile assumes we produce an object file,
    disable LTO for libstub.
    Signed-off-by: Sami Tolvanen <>
    Acked-by: Ard Biesheuvel <>
  24. scripts/mod: disable LTO for empty.c

    samitolvanen committed Apr 10, 2017
    With CONFIG_LTO_CLANG, clang generates LLVM IR instead of ELF object
    files. As empty.o is used for probing target properties, disable LTO
    for it to produce an object file instead.
    Signed-off-by: Sami Tolvanen <>
  25. kbuild: limit LTO inlining

    samitolvanen committed Dec 4, 2019
    This change limits function inlining across translation unit
    boundaries in order to reduce the binary size with LTO.
    The -import-instr-limit flag defines a size limit, as the number
    of LLVM IR instructions, for importing functions from other TUs.
    The default value is 100, and decreasing it to 5 reduces the size
    of a stripped arm64 defconfig vmlinux by 11%.
    Suggested-by: George Burgess IV <>
    Signed-off-by: Sami Tolvanen <>
  26. kbuild: merge module sections with LTO

    samitolvanen committed Dec 3, 2019
    LLD always splits sections with LTO, which increases module sizes. This
    change adds a linker script that merges the split sections in the final
    Suggested-by: Nick Desaulniers <>
    Signed-off-by: Sami Tolvanen <>
  27. kbuild: fix dynamic ftrace with clang LTO

    samitolvanen committed May 8, 2019
    With CONFIG_LTO_CLANG enabled, LLVM IR won't be compiled into object
    files until modpost_link. This change postpones calls to recordmcount
    until after this step.
    In order to exclude ftrace_process_locs from inspection, we add a new
    code section .text..ftrace, which we tell recordmcount to ignore, and
    a __norecordmcount attribute for moving functions to this section.
    Signed-off-by: Sami Tolvanen <>
  28. kbuild: add support for Clang LTO

    samitolvanen committed Nov 28, 2017
    This change adds the configuration option CONFIG_LTO_CLANG, and
    build system support for Clang's Link Time Optimization (LTO). In
    preparation for LTO support with other compilers, potentially common
    parts of the changes are gated behind CONFIG_LTO instead.
    With -flto, instead of object files, Clang produces LLVM bitcode,
    which is compiled into a native object at link time, allowing the
    final binary to be optimized globally. For more details, see:
    While the kernel normally uses GNU ld for linking, LLVM supports LTO
    only with LLD or GNU gold linkers. This change assumes LLD is used.
    Signed-off-by: Sami Tolvanen <>
  29. kbuild: add CONFIG_LD_IS_LLD

    samitolvanen committed Mar 20, 2019
    Similarly to the CC_IS_CLANG config, add LD_IS_LLD to simplify feature
    selection based on the linker.
    Signed-off-by: Sami Tolvanen <>
  30. arm64: scs: add shadow stacks for SDEI

    samitolvanen committed Nov 16, 2019
    This change adds per-CPU shadow call stacks for the SDEI handler.
    Similarly to how the kernel stacks are handled, we add separate shadow
    stacks for normal and critical events.
    Signed-off-by: Sami Tolvanen <>
  31. arm64: implement Shadow Call Stack

    samitolvanen committed May 2, 2018
    This change implements shadow stack switching, initial SCS set-up,
    and interrupt shadow stacks for arm64.
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Kees Cook <>
  32. arm64: disable SCS for hypervisor code

    samitolvanen committed Aug 16, 2019
    Filter out CC_FLAGS_SCS for code that runs at a different exception
    Suggested-by: Steven Rostedt (VMware) <>
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Kees Cook <>
    Reviewed-by: Mark Rutland <>
  33. arm64: vdso: disable Shadow Call Stack

    samitolvanen committed May 2, 2018
    Shadow stacks are only available in the kernel, so disable SCS
    instrumentation for the vDSO.
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Nick Desaulniers <>
    Reviewed-by: Kees Cook <>
    Reviewed-by: Mark Rutland <>
  34. arm64: efi: restore x18 if it was corrupted

    samitolvanen committed Oct 2, 2019
    If we detect a corrupted x18 and SCS is enabled, restore the register
    before jumping back to instrumented code. This is safe, because the
    wrapper is called with preemption disabled and a separate shadow stack
    is used for interrupt handling.
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Kees Cook <>
  35. arm64: preserve x18 when CPU is suspended

    samitolvanen committed May 2, 2018
    Don't lose the current task's shadow stack when the CPU is suspended.
    Signed-off-by: Sami Tolvanen <>
    Reviewed-by: Nick Desaulniers <>
    Reviewed-by: Kees Cook <>
    Reviewed-by: Mark Rutland <>
You can’t perform that action at this time.