As I've mentioned before, Android uses Clang's forward-edge Control Flow Integrity (CFI) for the Linux kernel on the Pixel 3 to protect indirect calls from control flow hijacking:
android-developers.googleblog.com/2018/10/contro
This includes support for cross-DSO CFI to support dynamic kernel modules.
It was used to build the Pixel 2 kernel too. It has the best support for building it on arm64, which is also the architecture with the most focus on Linux kernel hardening. A lot of the hardening is done by ARM compared to x86 where Intel has barely any involvement in most of it.
Are they reasonably confident that the kernel isn't relying on UB that makes it unsafe to compile outside of GCC?
It relies on UB broken with GCC anyway. They have UBSan and KASan for the kernel and part of the advantage to Clang is being able to have a much more robust UBSan along with other sanitizers unavailable for GCC like MSan: github.com/google/kmsan (+ CFI/SafeStack/ShadowCallStack).
It's definitely safer to use Clang rather than GCC on the Pixel 2 and Pixel 3 because it's what they heavily tested. Google also closely tracks Clang releases, while for GCC they froze it at 4.9 forever because it was problematic and they didn't want to invest resources in it.

