Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

rcvalle · 2024-04-04T22:15:23Z

This is a tracking issue for the Kernel Control Flow Integrity (KCFI) Support for Rust project.

Steps

The Kernel Control Flow Integrity (KCFI) Support for Rust project shares most of its implementation with the LLVM Control Flow Integrity (CFI) Support for Rust project (see #89653), with some key differences:

KCFI perform type tests differently and are implemented as different LLVM passes than CFI to not require LTO.
KCFI has the limitation that a function or method may have one type id assigned only.

KCFI support for Rust work will be implemented in these steps:

Add support for emitting KCFI type metadata and checks to the Rust compiler code generation (i.e., add support for emitting KCFI operand bundles).
Fixing (or temporarily working around) the limitations listed above in KCFI.

Unresolved Questions

Because of limitation listed above (2), the current KCFI implementation (not CFI) does reifying of types (i.e., adds shims/trampolines for indirect calls in these cases¹) for:

Supporting casting between function items, closures, and Fn trait objects
Supporting methods being cast as function pointers.

There may be possible costs of these added levels of indirections for KCFI for cache coherence/locality and performance, possible introduction of gadgets or KCFI bypasses, and increased artifact/binary sizes, which haven't been looked at yet.

Implementation history

These are the most relevant PRs for Kernel Control Flow Integrity (KCFI) Support for Rust project:

Add LLVM KCFI support to the Rust compiler #105109
Add documentation for LLVM KCFI support rustc-dev-guide#1529
CFI: Fix fn items, closures, and Fn trait objects, and more #116404 (original PR that fixed casting between function items, closures, and Fn trait objects, methods being cast as function pointers, and other remaining CFI bugs)
CFI: Fix many vtable-related problems #121962 [proposal to add shims/trampolines to all virtual calls in the Rust compiler to work around the KCFI limitation (2)--see the CfiShims design doc]
CFI: Repair vtables without altering types #122573 [second proposal to add shims/trampolines to a subset of virtual calls in the Rust compiler to work around the KCFI limitation (2)]
CFI: Fix methods as function pointer cast #123071 (actual fix for methods being cast as function pointers for CFI)
CFI: Fix fn items, closures, and Fn trait objects #123082 (proposal to fix casting between function items, closures, and Fn trait objects for both CFI and KCFI without requiring reifying types for KCFI)
CFI: Abstract Closures and Coroutines #123106 (actual fix/work around for casting between function items, closures, and Fn trait objects, which is a variant of CFI: Fix fn items, closures, and Fn trait objects #123082, originally implemented on CFI: Fix fn items, closures, and Fn trait objects, and more #116404, and which unlike CFI: Fix fn items, closures, and Fn trait objects #123082 requires reifying of types for KCFI)
CFI: Support function pointers for trait methods #123052 (work around for methods being cast as function pointers for KCFI, which requires reifying of types for KCFI)

It also unnecessarily adds shims/trampolines to indirect calls to methods that are cast into function pointers from traits that are not object safe. ↩

On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>

Jules-Bertholet · 2024-04-08T04:22:17Z

@rustbot label A-sanitizers

On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>

commit 8933cf4 upstream. On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

stable inclusion from stable-v6.6.30 commit 3a9337459645c189a692be0c78bc8a6e5649b7d2 bugzilla: https://gitee.com/openeuler/kernel/issues/I9MPZ8 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3a9337459645c189a692be0c78bc8a6e5649b7d2 -------------------------------- commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream. On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>

BugLink: https://bugs.launchpad.net/bugs/2070337 commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream. On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2070337 commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream. On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, loading a rust module will trigger a kernel panic. Support for sanitisers, including kcfi (CFI_CLANG), is in the works, but for now they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG to prevent configuring a kernel without symmetrical support for kfi. [ Matthew Maurer writes [1]: This patch is fine by me - the last patch needed for KCFI to be functional in Rust just landed upstream last night, so we should revisit this (in the form of enabling it) once we move to `rustc-1.79.0` or later. Ramon de C Valle also gave feedback [2] on the status of KCFI for Rust and created a tracking issue [3] in upstream Rust. - Miguel ] Fixes: 2f7ab12 ("Kbuild: add Rust support") Cc: stable@vger.kernel.org Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] Link: rust-lang/rust#123479 [3] Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud [ Added feedback from the list, links, and used Cc for the tag. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

rcvalle added the C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC label Apr 4, 2024

fmease added the T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. label Apr 4, 2024

jieyouxu added the PG-exploit-mitigations Project group: Exploit mitigations label Apr 4, 2024

ojeda mentioned this issue Apr 5, 2024

Rust unstable features needed for the kernel Rust-for-Linux/linux#2

Open

90 tasks

rustbot added the A-sanitizers Area: Sanitizers for correctness and code quality label Apr 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

rcvalle commented Apr 4, 2024 •

edited

Loading

Jules-Bertholet commented Apr 8, 2024

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

Comments

rcvalle commented Apr 4, 2024 • edited Loading

Steps

Unresolved Questions

Implementation history

Footnotes

Jules-Bertholet commented Apr 8, 2024

rcvalle commented Apr 4, 2024 •

edited

Loading