As I've mentioned before, Android uses Clang's forward-edge Control Flow Integrity (CFI) for the Linux kernel on the Pixel 3 to protect indirect calls from control flow hijacking:
android-developers.googleblog.com/2018/10/contro
This includes support for cross-DSO CFI to support dynamic kernel modules.
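To make the forward-edge check concrete, here is an added example in C; it is not code from the tweet, from Android, or from Clang. It models what `-fsanitize=cfi-icall` enforces: an indirect call may only land on the entry of a function whose static type matches the call site's function-pointer type. The explicit registry table stands in for the per-type jump tables Clang emits (and for the cross-DSO lookup used with dynamic modules); the `ops` struct, function names and type ids are invented for the illustration, and a failed check returns -1 here where a real CFI build traps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Type identifiers for the two function-pointer prototypes used below.
 * Clang derives the real identifiers from the mangled function type at
 * compile time; the constants here are hand-assigned for this example.
 */
enum cfi_type { CFI_HANDLER = 1, CFI_COMMAND = 2 };

typedef int (*handler_fn)(int);
typedef void (*command_fn)(const char *);

static int double_it(int x) { return 2 * x; }
static int negate(int x) { return -x; }
static void run_command(const char *cmd) { (void)cmd; /* would act on cmd */ }

/*
 * Table of legitimate indirect-call targets and their types. It stands in
 * for the per-type jump tables (and the cross-DSO lookup) that a CFI-enabled
 * Clang build generates; a plain build has no such table, so this is a model.
 */
struct cfi_entry { void (*target)(void); enum cfi_type type; };

static const struct cfi_entry cfi_table[] = {
    { (void (*)(void))double_it,   CFI_HANDLER },
    { (void (*)(void))negate,      CFI_HANDLER },
    { (void (*)(void))run_command, CFI_COMMAND },
};

/*
 * Forward-edge check performed before every indirect call: the target must
 * be the start of a known function whose static type matches the type of
 * the call site's function pointer. Returns 1 to allow the call.
 */
static int cfi_check(void (*target)(void), enum cfi_type expected)
{
    for (size_t i = 0; i < sizeof cfi_table / sizeof cfi_table[0]; i++)
        if (cfi_table[i].target == target)
            return cfi_table[i].type == expected;
    return 0; /* not a function entry at all, e.g. a ROP/JOP gadget */
}

/* A kernel-style ops struct whose function pointer an attacker may corrupt. */
struct ops { handler_fn handler; };

/* Checked indirect call. Returns -1 when the check fails; real CFI traps. */
static int call_handler(const struct ops *o, int arg)
{
    if (!cfi_check((void (*)(void))o->handler, CFI_HANDLER))
        return -1;
    return o->handler(arg);
}

/* Legitimate use: handler points at a function of the expected type. */
int demo_benign(void)
{
    struct ops o = { double_it };
    return call_handler(&o, 21);
}

/* Hijack 1: pointer overwritten with a real function of the wrong type. */
int demo_wrong_type(void)
{
    struct ops o = { double_it };
    command_fn evil = run_command;
    memcpy(&o.handler, &evil, sizeof o.handler); /* simulated memory corruption */
    return call_handler(&o, 21);
}

/* Hijack 2: pointer overwritten with an arbitrary address (no function there). */
int demo_gadget(void)
{
    struct ops o = { double_it };
    o.handler = (handler_fn)(uintptr_t)0x41414141u; /* never called, only checked */
    return call_handler(&o, 21);
}

int main(void)
{
    printf("benign:     %d\n", demo_benign());     /* 42 */
    printf("wrong type: %d\n", demo_wrong_type()); /* -1 */
    printf("gadget:     %d\n", demo_gadget());     /* -1 */
    return 0;
}
```

The model builds with any C compiler. To see the real mechanism instead, compile the same kind of code (without the table) using `clang -flto -fvisibility=hidden -fsanitize=cfi-icall`: the wrong-type and gadget paths then trap at the call site rather than returning -1, and `-fsanitize-cfi-cross-dso` extends the check across shared objects, the user-space analogue of the kernel-module support mentioned above.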
It was used to build the Pixel 2 kernel too. It has the best support for building it on arm64, which is also the architecture with the most focus on Linux kernel hardening. A lot of the hardening is done by ARM, compared to x86, where Intel has barely any involvement in most of it.
github.com/ClangBuiltLinu is a tracker of the remaining issues with it. Only a few patches are generally needed on arm64, which is often the case when using a new GCC version anyway. Using LTO in order to have CFI is more involved, but it's still a quite reasonably sized patch set.
Google got tired of dealing with GCC and never bothered porting MSan, CFI or SafeStack to it. The code and development / contribution process for the GNU toolchain is awful. Google froze GCC at 4.9 permanently, which made migrating to Clang more urgent, and GCC itself is purged.
Are they reasonably confident that the kernel isn't relying on UB that makes it unsafe to compile outside of GCC?
It relies on UB broken with GCC anyway. They have UBSan and KASan for the kernel and part of the advantage to Clang is being able to have a much more robust UBSan along with other sanitizers unavailable for GCC like MSan: github.com/google/kmsan (+ CFI/SafeStack/ShadowCallStack).

