On January 1, 2026 2:42:59 PM PST, Andrew Pinski
<[email protected]> wrote:
>On Tue, Dec 9, 2025 at 6:22 PM Kees Cook <[email protected]> wrote:
>>
>> Hi,
>>
>> This series implements[1][2] the Linux Kernel Control Flow Integrity
>> ABI, which provides a function prototype based forward edge control flow
>> integrity protection by instrumenting every indirect call to check for
>> a hash value before the target function address. If the hash at the call
>> site and the hash at the target do not match, execution will trap.
>>
>> I'm hoping we can land front- and middle-end and do architectures as
>> they also pass review. What do folks think? I'd really like to get this
>> in a position where more people can test with GCC snapshots, etc.
>
>So looking back into the other implementation that was submitted a few
>years back
>(https://patchwork.sourceware.org/project/gcc/patch/[email protected]/),
>a regnote (REG_CALL_CFI_TYPEID) was used instead of the wrapping with
>kcfi rtl.
>I get the feeling a regnote would be better as there is less for the
>backend to deal with including new patterns.
>What do others think?

I started there and it created way too many problems that I had to continuously
hack around. Switching to RTL solved all of it. (See v1 and v2 of this series
where that was how it was implemented.)
-Kees
--
Kees Cook
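
The check described in the quoted cover letter (a hash stored before the target function address, compared at each indirect call, trapping on mismatch), modeled in portable C as an added illustration that is not code from the patch series or from either poster. The FNV-1a hash over a prototype string, `struct kcfi_func`, and all function names are assumptions of this sketch; with real KCFI the compiler emits the hash and the comparison.

```c
#include <stdint.h>
#include <stdio.h>
#define KCFI_TRAP (-1)

/* Stand-in type hash (assumption): 32-bit FNV-1a over a prototype string.
 * With real KCFI the compiler derives the value from the function type. */
static uint32_t type_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++)
        h = (h ^ (unsigned char)*proto) * 16777619u;
    return h;
}

/* Models a function in memory: the hash word, then the entry point. */
struct kcfi_func { uint32_t hash_before_entry; void (*entry)(void); };
static int twice(int x) { return 2 * x; }
static void log_msg(const char *s) { puts(s); }

/* Instrumented indirect call site whose pointer type is int (*)(int).
 * Stores the result and returns 0 on a match; returns KCFI_TRAP on a
 * mismatch, where real instrumentation executes a trap instruction. */
static int call_int_int(const struct kcfi_func *f, int arg, int *out)
{
    if (f->hash_before_entry != type_hash("int(int)"))
        return KCFI_TRAP;               /* the target is never entered */
    *out = ((int (*)(int))f->entry)(arg);
    return 0;
}

/* Call site and target agree on the prototype: the call goes through. */
int demo_matching_call(void)
{
    struct kcfi_func f = { type_hash("int(int)"), (void (*)(void))twice };
    int out = 0;
    return call_int_int(&f, 21, &out) == 0 ? out : KCFI_TRAP;
}

/* The pointer refers to a function with a different prototype: trap. */
int demo_mismatched_call(void)
{
    struct kcfi_func f = { type_hash("void(const char*)"), (void (*)(void))log_msg };
    int out = 0;
    return call_int_int(&f, 21, &out);
}

int main(void)
{
    printf("match=%d mismatch=%d\n", demo_matching_call(), demo_mismatched_call());
    return 0;
}
```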