Hi,

Control Flow Integrity is a new set of exploit mitigations (strictly speaking, there is no single "the CFI", but many variants). LLVM/clang has had support for some form of CFI for a while. The rough idea is that it adds additional checks to the code to prevent jumps to code pieces that shouldn't happen.
I'm wondering if there's interest in creating a gentoo-hardened-cfi variant. I've been playing with it a bit. By setting the right cc/cflags/etc. variables it's relatively straightforward to compile single packages with CFI. However, when one tries to recompile many packages, a lot of errors show up. Most of them aren't directly related to CFI (though some are).

CFI depends on:

* clang, which is not our default (there has been work in the past for Gentoo with clang).
* -fvisibility=hidden. This was afair discussed a while back, but never considered to be enabled in general, only for specific packages.
* link time optimization/LTO and thus the gold linker, because the "classic" ld doesn't support LTO.

Many issues that pop up seem like issues with build systems and linking. In some cases, though, one needs to fix function pointer definitions that don't match their respective functions. (Here's a fix [1] that I sent to curl and that'll be applied in the next version.)

For now I'm just investigating whether there's interest in this. I could create some docs in the wiki on how to get started.

[1] https://github.com/curl/curl/commit/aced311d189a70c7d9b2d958739bcfc1231b3698

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
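The class of bug mentioned above, a callback whose signature doesn't match the function pointer type it is stored in, shown as an added illustration that is not from the post or from the curl commit. `handler_fn`, the two handlers and the `REGISTER_HANDLER` macro are constructed for this example; the macro is a compile-time guard (using GNU `__builtin_types_compatible_p`) that catches the mismatch before clang's `-fsanitize=cfi-icall` would abort the indirect call at run time.

```c
/* CFI build (clang only): clang -flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=gold demo.c
 * Plain build:            cc demo.c
 * Define DEMO_MISMATCH to also build the 'before' pattern; under cfi-icall the
 * indirect call in run_mismatch() is rejected because the pointer type differs
 * from the callee's real type. */
#include <stdio.h>

/* The handler type a dispatch table expects: every callback takes (ctx, value). */
typedef int (*handler_fn)(void *ctx, int value);

/* Mismatched callback (constructed): only one parameter. Casting it to
 * handler_fn compiles, but the indirect call site and the callee disagree
 * on the type, which is exactly what cfi-icall checks. */
__attribute__((unused)) static int legacy_handler(void *ctx)
{
    (void)ctx;
    return 1;
}

/* Matching callback: its type is identical to handler_fn's target. */
static int fixed_handler(void *ctx, int value)
{
    int *counter = ctx;
    *counter += value;
    return *counter;
}

/* Compile-time guard (assumption, not part of any real project): refuses to
 * store a function whose type differs from handler_fn's target, so a cast
 * like the one in run_mismatch() becomes a compile error instead of a
 * run-time CFI abort. */
#define REGISTER_HANDLER(slot, fn)                                            \
    do {                                                                      \
        _Static_assert(__builtin_types_compatible_p(__typeof__(&(fn)), handler_fn), \
                       #fn " does not match handler_fn");                     \
        (slot) = (fn);                                                        \
    } while (0)

/* Indirect call through the table type; this is the site CFI instruments. */
static int dispatch(handler_fn fn, void *ctx, int value) { return fn(ctx, value); }

int run_fixed(void)
{
    int counter = 0;
    handler_fn h;
    REGISTER_HANDLER(h, fixed_handler);
    dispatch(h, &counter, 5);
    return dispatch(h, &counter, 7);  /* 5 + 7 = 12 */
}

#ifdef DEMO_MISMATCH
/* The 'before' pattern: the explicit cast silences the compiler. */
int run_mismatch(void)
{
    int counter = 0;
    handler_fn h = (handler_fn)legacy_handler;  /* REGISTER_HANDLER(h, legacy_handler) would not compile */
    return dispatch(h, &counter, 5);            /* aborts under -fsanitize=cfi-icall */
}
#endif

int main(void)
{
    printf("fixed dispatch: %d\n", run_fixed());
    return 0;
}
```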