v2:
 - integrate "transitional" Kconfig patch[2] (nathan, randy, miguel)
 - add arm32 KCFI trap handler
 - split pr_info changes (nathan)
 - clean up my broken SoB (peter)
 - remove Clang from CONFIG_CFI help (jeff)
 - add r-b (linus)
v1: https://lore.kernel.org/all/20250825141316.work.967-kees@kernel.org/

Hi,

With KCFI support in GCC coming[1], we need to make some (relatively
small) changes in the kernel to deal with it:

- move __nocfi out of compilers-clang.h (so GCC can see it too)
- add cfi=debug so future Kees can find fineibt breakage easier
- remove problematic __noinitretpoline usage
- rename CONFIG_CFI_CLANG to CONFIG_CFI (otherwise it is quite confusing)

If I can get some Acks, I will carry this in the hardening tree, unless
someone else would like to take it (perhaps tip).

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250821064202.work.893-kees@kernel.org/
[2] https://lore.kernel.org/all/20250901182334.make.517-kees@kernel.org/

Kees Cook (9):
  compiler_types.h: Move __nocfi out of compiler-specific header
  x86/traps: Clarify KCFI instruction layout
  x86/cfi: Document the "cfi=" bootparam options
  x86/cfi: Standardize on common "CFI:" prefix for CFI reports
  x86/cfi: Add "debug" option to "cfi=" bootparam
  x86/cfi: Remove __noinitretpoline and __noretpoline
  kconfig: Add transitional symbol attribute for migration support
  kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI
  ARM: traps: Implement KCFI trap handler for ARM32

 arch/Kconfig                                  |  36 ++++---
 arch/arm/Kconfig                              |   2 +-
 arch/arm64/Kconfig                            |   4 +-
 arch/riscv/Kconfig                            |   6 +-
 arch/x86/Kconfig                              |  12 +--
 init/Kconfig                                  |   4 +-
 kernel/module/Kconfig                         |   2 +-
 .../kconfig/tests/err_transitional/Kconfig    |  52 +++++++++
 scripts/kconfig/tests/transitional/Kconfig    | 100 +++++++++++++++++
 lib/Kconfig.debug                             |   2 +-
 Makefile                                      |   2 +-
 arch/arm/mm/Makefile                          |   2 +-
 arch/riscv/kernel/Makefile                    |   2 +-
 arch/riscv/purgatory/Makefile                 |   2 +-
 arch/x86/kernel/Makefile                      |   2 +-
 arch/x86/purgatory/Makefile                   |   2 +-
 kernel/Makefile                               |   2 +-
 scripts/kconfig/expr.h                        |   1 +
 scripts/kconfig/lexer.l                       |   1 +
 scripts/kconfig/parser.y                      |  47 ++++++++
 scripts/kconfig/symbol.c                      |  16 ++-
 .../tests/err_transitional/__init__.py        |  14 +++
 .../tests/err_transitional/expected_stderr    |   7 ++
 .../kconfig/tests/transitional/__init__.py    |  18 ++++
 .../tests/transitional/expected_config        |  12 +++
 .../kconfig/tests/transitional/initial_config |  16 +++
 .../admin-guide/kernel-parameters.txt         |  18 ++++
 Documentation/kbuild/kconfig-language.rst     |  32 ++++++
 arch/riscv/include/asm/cfi.h                  |   4 +-
 arch/x86/include/asm/cfi.h                    |   4 +-
 include/asm-generic/vmlinux.lds.h             |   2 +-
 include/linux/cfi.h                           |   6 +-
 include/linux/cfi_types.h                     |   8 +-
 include/linux/compiler-clang.h                |   5 -
 include/linux/compiler-gcc.h                  |   4 -
 include/linux/compiler.h                      |   2 +-
 include/linux/compiler_types.h                |   4 +-
 include/linux/init.h                          |   8 --
 tools/include/linux/cfi_types.h               |   6 +-
 tools/perf/util/include/linux/linkage.h       |   2 +-
 arch/arm/mm/cache-fa.S                        |   2 +-
 arch/arm/mm/cache-v4.S                        |   2 +-
 arch/arm/mm/cache-v4wb.S                      |   4 +-
 arch/arm/mm/cache-v4wt.S                      |   2 +-
 arch/arm/mm/cache-v6.S                        |   2 +-
 arch/arm/mm/cache-v7.S                        |   2 +-
 arch/arm/mm/cache-v7m.S                       |   2 +-
 arch/arm/mm/proc-arm1020.S                    |   2 +-
 arch/arm/mm/proc-arm1020e.S                   |   2 +-
 arch/arm/mm/proc-arm1022.S                    |   2 +-
 arch/arm/mm/proc-arm1026.S                    |   2 +-
 arch/arm/mm/proc-arm920.S                     |   2 +-
 arch/arm/mm/proc-arm922.S                     |   2 +-
 arch/arm/mm/proc-arm925.S                     |   2 +-
 arch/arm/mm/proc-arm926.S                     |   2 +-
 arch/arm/mm/proc-arm940.S                     |   2 +-
 arch/arm/mm/proc-arm946.S                     |   2 +-
 arch/arm/mm/proc-feroceon.S                   |   2 +-
 arch/arm/mm/proc-mohawk.S                     |   2 +-
 arch/arm/mm/proc-xsc3.S                       |   2 +-
 arch/arm/mm/tlb-v4.S                          |   2 +-
 arch/arm/kernel/hw_breakpoint.c               |   2 +-
 arch/arm/kernel/traps.c                       | 102 ++++++++++++++++++
 arch/arm64/kernel/debug-monitors.c            |   2 +-
 arch/arm64/kernel/traps.c                     |   4 +-
 arch/arm64/kvm/handle_exit.c                  |   2 +-
 arch/arm64/net/bpf_jit_comp.c                 |   2 +-
 arch/riscv/net/bpf_jit_comp64.c               |   4 +-
 arch/x86/kernel/alternative.c                 |  44 ++++++--
 arch/x86/kernel/cfi.c                         |   2 +-
 arch/x86/kernel/kprobes/core.c                |   2 +-
 drivers/misc/lkdtm/cfi.c                      |   2 +-
 kernel/module/tree_lookup.c                   |   2 +-
 kernel/configs/hardening.config               |   2 +-
 74 files changed, 569 insertions(+), 118 deletions(-)
 create mode 100644 scripts/kconfig/tests/err_transitional/Kconfig
 create mode 100644 scripts/kconfig/tests/transitional/Kconfig
 create mode 100644 scripts/kconfig/tests/err_transitional/__init__.py
 create mode 100644 scripts/kconfig/tests/err_transitional/expected_stderr
 create mode 100644 scripts/kconfig/tests/transitional/__init__.py
 create mode 100644 scripts/kconfig/tests/transitional/expected_config
 create mode 100644 scripts/kconfig/tests/transitional/initial_config

-- 
2.34.1

On Wed, Sep 03, 2025 at 08:46:39PM -0700, Kees Cook wrote:

> Kees Cook (9):
>   compiler_types.h: Move __nocfi out of compiler-specific header
>   x86/traps: Clarify KCFI instruction layout
>   x86/cfi: Document the "cfi=" bootparam options
>   x86/cfi: Standardize on common "CFI:" prefix for CFI reports
>   x86/cfi: Add "debug" option to "cfi=" bootparam
>   x86/cfi: Remove __noinitretpoline and __noretpoline

So I can take these first 6 patches (and edit that debug patch to
un-annoy myself ;-), but I'm thinking this Kconfig stuff:

>   kconfig: Add transitional symbol attribute for migration support
>   kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI

Should perhaps go through the kbuild tree? A

Leaving this:

>   ARM: traps: Implement KCFI trap handler for ARM32

Can that go independently through the arm tree, or are there
dependencies?

On Thu, Sep 04, 2025 at 09:04:10AM +0200, Peter Zijlstra wrote:
> On Wed, Sep 03, 2025 at 08:46:39PM -0700, Kees Cook wrote:
> 
> > Kees Cook (9):
> >   compiler_types.h: Move __nocfi out of compiler-specific header
> >   x86/traps: Clarify KCFI instruction layout
> >   x86/cfi: Document the "cfi=" bootparam options
> >   x86/cfi: Standardize on common "CFI:" prefix for CFI reports
> >   x86/cfi: Add "debug" option to "cfi=" bootparam
> >   x86/cfi: Remove __noinitretpoline and __noretpoline
> 
> So I can take these first 6 patches (and edit that debug patch to
> un-annoy myself ;-), but I'm thinking this Kconfig stuff:

Sure, yeah. Do you want a v3 for the debug stuff that uses your proposed
helper?

> >   kconfig: Add transitional symbol attribute for migration support
> >   kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI
> 
> Should perhaps go through the kbuild tree? A

I had chatted offline with Nathan about this series, and he'd suggested
the kconfig change could go with it's first user (the rename). So if you
don't want to put it in -tip, I can take it in the hardening tree.
(There's no dependencies between these 2 and the first 6.)

> Leaving this:
> 
> >   ARM: traps: Implement KCFI trap handler for ARM32
> 
> Can that go independently through the arm tree, or are there
> dependencies?

I can take this too, assuming ARM folks don't want to snag it. I may,
however, wait on it, just to avoid implementing the kernel support
before the GCC folks are happy with the arm32 KCFI backend and its UDF
encoding, etc.

Thanks for looking at these! :)

-Kees

-- 
Kees Cook

On Thu, Sep 04, 2025 at 09:37:14AM -0700, Kees Cook wrote:
> On Thu, Sep 04, 2025 at 09:04:10AM +0200, Peter Zijlstra wrote:
> > On Wed, Sep 03, 2025 at 08:46:39PM -0700, Kees Cook wrote:
> > 
> > > Kees Cook (9):
> > >   compiler_types.h: Move __nocfi out of compiler-specific header
> > >   x86/traps: Clarify KCFI instruction layout
> > >   x86/cfi: Document the "cfi=" bootparam options
> > >   x86/cfi: Standardize on common "CFI:" prefix for CFI reports
> > >   x86/cfi: Add "debug" option to "cfi=" bootparam
> > >   x86/cfi: Remove __noinitretpoline and __noretpoline
> > 
> > So I can take these first 6 patches (and edit that debug patch to
> > un-annoy myself ;-), but I'm thinking this Kconfig stuff:
> 
> Sure, yeah. Do you want a v3 for the debug stuff that uses your proposed
> helper?

Nah, already done :-) I just pushed out these 6 and my UDB hackery to
queue.git/x86/core. If the robots don't complain, I'll stuff it into tip
in a few days.

> > >   kconfig: Add transitional symbol attribute for migration support
> > >   kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI
> > 
> > Should perhaps go through the kbuild tree? A
> 
> I had chatted offline with Nathan about this series, and he'd suggested
> the kconfig change could go with it's first user (the rename). So if you
> don't want to put it in -tip, I can take it in the hardening tree.
> (There's no dependencies between these 2 and the first 6.)

So I suppose I can carry them, just to keep the lot together, but then I
need an ack from someone that actually knows this Kconfig language stuff
:-)

You taking them through the hardening tree also works for em.

On Thu, Sep 04, 2025 at 10:01:34PM +0200, Peter Zijlstra wrote:
> Nah, already done :-) I just pushed out these 6 and my UDB hackery to
> queue.git/x86/core. If the robots don't complain, I'll stuff it into tip
> in a few days.

Okay, thanks!

> So I suppose I can carry them, just to keep the lot together, but then I
> need an ack from someone that actually knows this Kconfig language stuff
> :-)
> 
> You taking them through the hardening tree also works for em.

Assuming Nathan (and Vegard? or other folks from the other thread?) are
okay with the kconfig changes, I'll take it via hardening.

Wheee

-- 
Kees Cook

On Fri, Sep 5, 2025 at 2:42 AM Kees Cook <kees@kernel.org> wrote:
>
> Assuming Nathan (and Vegard? or other folks from the other thread?) are
> okay with the kconfig changes, I'll take it via hardening.

I haven't had time to take a proper look, test it etc., so I didn't
reply, sorry -- but I am following the thread and I am glad if we have
something to easily/properly support this, so thanks for this.

(And sorry for having triggered all this discussion/work -- at least
if we get this done it will have been worth it :)

I will leave a quick message about the commit message.

Cheers,
Miguel