linux/scripts
Sami Tolvanen cf68fffb66 add support for Clang CFI
This change adds support for Clang’s forward-edge Control Flow
Integrity (CFI) checking. With CONFIG_CFI_CLANG, the compiler
injects a runtime check before each indirect function call to ensure
the target is a valid function with the correct static type. This
restricts possible call targets and makes it more difficult for
an attacker to exploit bugs that allow the modification of stored
function pointers. For more details, see:

  https://clang.llvm.org/docs/ControlFlowIntegrity.html

Clang requires CONFIG_LTO_CLANG to be enabled with CFI to gain
visibility to possible call targets. Kernel modules are supported
with Clang’s cross-DSO CFI mode, which allows checking between
independently compiled components.

With CFI enabled, the compiler injects a __cfi_check() function into
the kernel and each module for validating local call targets. For
cross-module calls that cannot be validated locally, the compiler
calls the global __cfi_slowpath_diag() function, which determines
the target module and calls the correct __cfi_check() function. This
patch includes a slowpath implementation that uses __module_address()
to resolve call targets, and with CONFIG_CFI_CLANG_SHADOW enabled, a
shadow map that speeds up module look-ups by ~3x.

Clang implements indirect call checking using jump tables and
offers two methods of generating them. With canonical jump tables,
the compiler renames each address-taken function to <function>.cfi
and points the original symbol to a jump table entry, which passes
__cfi_check() validation. This isn’t compatible with stand-alone
assembly code, which the compiler doesn’t instrument, and would
result in indirect calls to assembly code to fail. Therefore, we
default to using non-canonical jump tables instead, where the compiler
generates a local jump table entry <function>.cfi_jt for each
address-taken function, and replaces all references to the function
with the address of the jump table entry.

Note that because non-canonical jump table addresses are local
to each component, they break cross-module function address
equality. Specifically, the address of a global function will be
different in each module, as it's replaced with the address of a local
jump table entry. If this address is passed to a different module,
it won’t match the address of the same function taken there. This
may break code that relies on comparing addresses passed from other
components.

CFI checking can be disabled in a function with the __nocfi attribute.
Additionally, CFI can be disabled for an entire compilation unit by
filtering out CC_FLAGS_CFI.

By default, CFI failures result in a kernel panic to stop a potential
exploit. CONFIG_CFI_PERMISSIVE enables a permissive mode, where the
kernel prints out a rate-limited warning instead, and allows execution
to continue. This option is helpful for locating type mismatches, but
should only be enabled during development.

Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210408182843.1754385-2-samitolvanen@google.com
2021-04-08 16:04:20 -07:00
..
atomic locking/atomics: Regenerate the atomics-check SHA1's 2020-11-07 13:20:41 +01:00
basic kbuild: introduce hostprogs-always-y and userprogs-always-y 2020-08-10 01:32:59 +09:00
clang-tools gen_compile_commands: prune some directories 2021-02-16 22:23:56 +09:00
coccinelle of: Remove of_dev_{get,put}() 2021-02-12 19:23:39 -06:00
dtc Devicetree fixes for v5.12-rc: 2021-03-05 12:12:28 -08:00
dummy-tools kbuild: dummy-tools: adjust to scripts/cc-version.sh 2021-03-11 14:52:54 +09:00
gcc-plugins kbuild: rebuild GCC plugins when the compiler is upgraded 2021-03-11 14:40:50 +09:00
gdb scripts/gdb: fix list_for_each 2021-02-26 09:41:05 -08:00
genksyms genksyms: remove useless case DOTS 2021-02-16 12:01:45 +09:00
kconfig kconfig: unify rule of config, menuconfig, nconfig, gconfig, xconfig 2021-02-24 15:12:06 +09:00
ksymoops
mod Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
package builddeb: Fix rootless build in setuid/setgid directory 2020-11-02 11:31:00 +09:00
selinux scripts/selinux,selinux: update mdp to enable policy capabilities 2020-08-17 20:42:00 -04:00
tracing tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
.gitignore kbuild: preprocess module linker script 2020-09-25 00:36:41 +09:00
adjust_autoksyms.sh kbuild: do not include include/config/auto.conf from adjust_autoksyms.sh 2021-02-28 15:22:02 +09:00
asn1_compiler.c
bin2c.c
bloat-o-meter scripts: switch explicitly to Python 3 2021-01-22 06:34:44 +09:00
bootgraph.pl
bpf_helpers_doc.py bpf: Add a bpf_sock_from_file helper 2020-12-04 22:32:40 +01:00
cc-can-link.sh
cc-version.sh kbuild: check the minimum compiler version in Kconfig 2021-02-16 12:01:32 +09:00
check_extable.sh
check-sysctl-docs docs: add a script to check sysctl docs 2020-02-25 03:35:16 -07:00
checkincludes.pl
checkkconfigsymbols.py kconfig: remove '---help---' support 2020-08-14 13:30:03 +09:00
checkpatch.pl checkpatch: do not apply "initialise globals to 0" check to BPF progs 2021-02-26 09:41:04 -08:00
checkstack.pl scripts/checkstack.pl: fix arm sp regex 2020-05-26 00:03:16 +09:00
checksyscalls.sh
checkversion.pl
cleanfile
cleanpatch
coccicheck scripts: coccicheck: Correct usage of make coccicheck 2020-12-24 12:59:43 +01:00
config kconfig: config script: add a little user help 2021-01-04 10:38:11 +09:00
const_structs.checkpatch const_structs.checkpatch: add pinctrl_ops and pinmux_ops 2020-10-16 11:11:21 -07:00
decode_stacktrace.sh scripts/decode_stacktrace.sh: guess path to vmlinux by release name 2020-08-07 11:33:21 -07:00
decodecode scripts/decodecode: add the capability to supply the program counter 2020-10-13 18:38:26 -07:00
depmod.sh depmod: handle the case of /sbin/depmod without /sbin in PATH 2021-01-01 12:26:39 -08:00
dev-needs.sh scripts/dev-needs: Add script to list device dependencies 2020-09-04 18:19:37 +02:00
diffconfig scripts: switch explicitly to Python 3 2021-01-22 06:34:44 +09:00
documentation-file-ref-check scripts: documentation-file-ref-check: Add line break before exit 2020-04-15 15:13:13 -06:00
export_report.pl modpost: move the namespace field in Module.symvers last 2020-03-17 08:59:03 +09:00
extract_xc3028.pl
extract-cert.c extract-cert: add static to local data 2020-08-18 20:16:46 +09:00
extract-ikconfig
extract-module-sig.pl
extract-sys-certs.pl
extract-vmlinux
faddr2line
file-size.sh
find-unused-docs.sh scripts/find-unused-docs: Fix massive false positives 2020-01-27 14:25:06 -07:00
gcc-goto.sh
gcc-ld
gcc-x86_32-has-stack-protector.sh
gcc-x86_64-has-stack-protector.sh
gen_autoksyms.sh kbuild: fix UNUSED_KSYMS_WHITELIST for Clang LTO 2021-02-28 15:19:21 +09:00
gen_ksymdeps.sh
generate_initcall_order.pl init: lto: ensure initcall ordering 2021-01-14 08:21:09 -08:00
get_abi.pl tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
get_dvb_firmware
get_feat.pl scripts: get_feat.pl: reduce table width for all features output 2020-12-04 14:34:27 -07:00
get_maintainer.pl get_maintainer: exclude MAINTAINERS file(s) from --git-fallback 2020-10-16 11:11:19 -07:00
gfp-translate
headerdep.pl
headers_check.pl
headers_install.sh Merge branch 'work.fdpic' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-08-07 13:29:39 -07:00
insert-sys-cert.c
jobserver-exec kbuild: remove PYTHON variable 2021-02-01 10:37:19 +09:00
kallsyms.c kallsyms: fix nonconverging kallsyms table with lld 2021-02-05 17:53:28 +09:00
Kbuild.include kbuild: remove ld-version macro 2021-02-22 08:22:04 +09:00
Kconfig.include kbuild: check the minimum linker version in Kconfig 2021-02-22 08:22:04 +09:00
kernel-doc scripts: kernel-doc: fix array element capture in pointer-to-func parsing 2021-02-22 14:20:36 -07:00
ld-version.sh kbuild: fix ld-version.sh to not be affected by locale 2021-03-13 11:12:13 +09:00
leaking_addresses.pl
Lindent
link-vmlinux.sh kbuild: lto: postpone objtool 2021-02-23 12:46:57 -08:00
Makefile scripts: set proper OpenSSL include dir also for sign-file 2021-02-15 01:54:11 +09:00
Makefile.asm-generic
Makefile.build Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
Makefile.clean kbuild: remove deprecated 'always' and 'hostprogs-y/m' 2021-02-24 15:12:06 +09:00
Makefile.dtbinst kbuild: Add support to build overlays (%.dtbo) 2021-02-04 09:00:04 -06:00
Makefile.extrawarn Makefile.extrawarn: remove -Wnested-externs warning 2020-12-08 23:30:05 +09:00
Makefile.gcc-plugins gcc-plugins/stackleak: Use asm instrumentation to avoid useless register saving 2020-06-24 07:48:28 -07:00
Makefile.headersinst
Makefile.host kbuild: sort hostprogs before passing it to ifneq 2020-08-10 01:32:59 +09:00
Makefile.kasan kbuild: move CFLAGS_{KASAN,UBSAN,KCSAN} exports to relevant Makefiles 2020-09-25 00:36:50 +09:00
Makefile.kcov kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled 2020-08-10 01:32:59 +09:00
Makefile.kcsan Kbuild updates for v5.10 2020-10-22 13:13:57 -07:00
Makefile.lib kbuild: remove meaningless parameter to $(call if_changed_rule,dtc) 2021-03-11 18:22:48 +09:00
Makefile.modfinal add support for Clang CFI 2021-04-08 16:04:20 -07:00
Makefile.modinst
Makefile.modpost kbuild: lto: fix module versioning 2021-01-14 08:21:08 -08:00
Makefile.modsign
Makefile.package kbuild: fix broken builds because of GZIP,BZIP2,LZOP variables 2020-06-11 20:14:41 +09:00
Makefile.ubsan ubsan: remove overflow checks 2021-02-26 09:41:05 -08:00
Makefile.userprogs kbuild: add infrastructure to build userspace programs 2020-05-17 18:52:01 +09:00
makelst
markup_oops.pl
mkcompile_h kbuild: Use uname for LINUX_COMPILE_HOST detection 2020-10-21 00:46:04 +09:00
mkmakefile
mksysmap mksysmap: Fix the mismatch of '.L' symbols in System.map 2020-06-06 23:39:20 +09:00
mkuboot.sh
module.lds.S kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG is enabled 2021-04-01 14:15:59 -07:00
modules-check.sh kbuild: make module name conflict fatal error 2020-05-26 00:03:16 +09:00
nsdeps kbuild: do not use scripts/ld-version.sh for checking spatch version 2020-12-12 18:31:29 +01:00
objdiff
parse-maintainers.pl parse-maintainers: Do not sort section content by default 2020-03-26 15:08:27 -07:00
patch-kernel
profile2linkerlist.pl
prune-kernel
recordmcount.c ftrace: Have recordmcount use w8 to read relp->r_info in arm64_is_fake_mcount 2021-03-02 17:27:18 -05:00
recordmcount.h recordmcount: support >64k sections 2020-06-16 21:21:00 -04:00
recordmcount.pl scripts/recordmcount.pl: support big endian for ARCH sh 2021-02-13 11:42:40 -08:00
setlocalversion scripts/setlocalversion: make git describe output more reliable 2020-09-25 02:28:12 +09:00
show_delta tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
sign-file.c
sorttable.c s390/kernel: expand exception table logic to allow new handling options 2020-07-20 10:55:50 +02:00
sorttable.h scripts/sorttable: Implement build-time ORC unwind table sorting 2019-12-13 10:47:58 +01:00
spdxcheck-test.sh
spdxcheck.py spdxcheck.py: Use Python 3 2021-01-27 14:50:12 +01:00
spelling.txt scripts/spelling.txt: add more spellings to spelling.txt 2021-02-24 13:38:26 -08:00
sphinx-pre-install Docs: drop Python 2 support 2021-02-01 17:17:14 -07:00
split-man.pl tweewide: Fix most Shebang lines 2020-12-08 23:30:04 +09:00
stackdelta
stackusage
subarch.include
syscallhdr.sh scripts: add generic syscallhdr.sh 2021-02-22 08:22:04 +09:00
syscalltbl.sh scripts: add generic syscalltbl.sh 2021-02-22 08:22:03 +09:00
tags.sh Merge branch 'locking/urgent' into locking/core, to pick up fixes 2020-10-09 08:55:17 +02:00
test_dwarf5_support.sh Kconfig: allow explicit opt in to DWARF v5 2021-02-16 12:01:45 +09:00
tools-support-relr.sh
unifdef.c
ver_linux ver_linux: Eliminate duplicate code in ldconfig processing logic 2021-01-27 14:54:42 +01:00
xen-hypercalls.sh
xz_wrap.sh kbuild: add variables for compression tools 2020-06-06 23:42:01 +09:00