Control flow integrity (CFI) is a security mechanism that disallows changes to the original control flow graph of a compiled binary, making it significantly harder to perform such attacks.
Starting with Android 9, you can enable CFI in the kernel.
The Linux kernel has had two different implementations of CFI:
- for Linux 6.0 and lower, Clang CFI, which relies on Clang LTO
- for Linux 6.1 and higher, Clang KCFI
Clang CFI requires compiling with Link Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link time, which allows the compiler to better reason about what optimizations can be performed. In testing on Android, the combination of LTO and CFI resulted in negligible overhead to code size and performance. However, enabling LTO increases kernel build time significantly.
Clang KCFI doesn't require LTO, so more recent Android kernels get the benefit of CFI without the build-time overhead of LTO.
Implementation
CFI is controlled by the CONFIG_CFI_CLANG option, which enables
either Clang CFI or Clang KCFI.
For more technical details about CFI and how other forward-control checks are
handled, see the LLVM design
documentation. KCFI is referred to there as -fsanitize=kcfi.
Troubleshooting
After enabling, work through any type mismatch errors that may exist with their drivers. An indirect function call through an incompatible function pointer trips CFI. When a CFI failure is detected, the kernel prints out a warning that includes both the function that was called and the stacktrace that led to the failure. Correct this by ensuring function pointers always have the same type as the function that's called.
To assist in debugging CFI failures, enable CONFIG_CFI_PERMISSIVE,
which prints out a warning instead of causing a kernel panic. Permissive mode
must not be used in production.
Validation
Currently, there are no CTS test specifically for CFI. Instead, make sure that CTS tests pass with and without CFI enabled to verify that CFI isn't impacting the device.