As I've mentioned before, Android uses Clang's forward-edge Control Flow Integrity (CFI) for the Linux kernel on the Pixel 3 to protect indirect calls from control flow hijacking:
android-developers.googleblog.com/2018/10/contro
This includes support for cross-DSO CFI to support dynamic kernel modules.
Conversation
It was used to build the Pixel 2 kernel too. It has the best support for building it on arm64, which is also the architecture with the most focus on Linux kernel hardening. A lot of the hardening is done by ARM compared to x86 where Intel has barely any involvement in most of it.
2
2
github.com/ClangBuiltLinu is a tracker of the remaining issues with it. Only a few patches are generally needed on arm64, which is often the case when using a new GCC version anyway. Using LTO in order to have CFI is more involved, but it's still a quite reasonably sized patch set.
1
1
2
Google got tired of dealing with GCC and never bothered porting MSan, CFI or SafeStack to it. The code and development / contribution process for the GNU toolchain is awful. Google froze GCC at 4.9 permanently which made migrating to Clang more urgent and GCC itself is purged.
1
ChromeOS has moved to Clang as the compiler for userspace and more recently the kernel too. Not really surprising since it's still Google, and they share a lot of the work between them, especially since ChromeOS includes Android's kernel changes and bundles it in a container.
There are other Linux distributions using Clang for most userspace packages, but I'm not sure if any use it for the kernel. The primary advantages are being able to use CFI, ShadowCallStack, MSan, robust UBSan and other tooling. It'd mostly interest security-oriented projects.
1
Show replies