Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust

This is a tracking issue for the Kernel Control Flow Integrity (KCFI) Support for Rust project.



### Steps




The Kernel Control Flow Integrity (KCFI) Support for Rust project shares most of its implementation with the LLVM Control Flow Integrity (CFI) Support for Rust project (see #89653), with some key differences:

1. KCFI perform type tests differently and are implemented as different LLVM passes than CFI to not require LTO.
2. KCFI has the limitation that a function or method may have one type id assigned only.

KCFI support for Rust work will be implemented in these steps:

* Add support for emitting KCFI type metadata and checks to the Rust compiler code generation (i.e., add support for emitting KCFI operand bundles).
* Fixing (or temporarily working around) the limitations listed above in KCFI.

[stabilization-guide]: https://rustc-dev-guide.rust-lang.org/stabilization_guide.html#stabilization-pr
[doc-guide]: https://rustc-dev-guide.rust-lang.org/stabilization_guide.html#documentation-prs
[nightly-style-procedure]: https://github.com/rust-lang/style-team/blob/master/nightly-style-procedure.md 
[Style Guide]: https://github.com/rust-lang/rust/tree/master/src/doc/style-guide

### Unresolved Questions




Because of limitation listed above (2), the current KCFI implementation (not CFI) does reifying of types (i.e., adds shims/trampolines for indirect calls in these cases[^1]) for:

1. Supporting casting between function items, closures, and Fn trait objects
3. Supporting methods being cast as function pointers.

There may be possible costs of these added levels of indirections for KCFI for cache coherence/locality and performance, possible introduction of gadgets or KCFI bypasses, and increased artifact/binary sizes, which haven't been looked at yet.

[^1]: It also unnecessarily adds shims/trampolines to indirect calls to methods that are cast into function pointers from traits that are not object safe.

### Implementation history



These are the most relevant PRs for Kernel Control Flow Integrity (KCFI) Support for Rust project: 

- [X] #105109
- [X] rust-lang/rustc-dev-guide#1529
- [ ] #116404 (original PR that fixed casting between function items, closures, and Fn trait objects, methods being cast as function pointers, and other remaining CFI bugs)
- [ ] #121962 [proposal to add shims/trampolines to all virtual calls in the Rust compiler to work around the KCFI limitation (2)--see the [CfiShims design doc](https://hackmd.io/6U7gB9SkQBWV9l4iIsp3Jg)]
- [ ] #122573 [second proposal to add shims/trampolines to a subset of virtual calls in the Rust compiler to work around the KCFI limitation (2)]
- [X] #123071 (actual fix for methods being cast as function pointers for CFI)
- [ ] #123082 (proposal to fix casting between function items, closures, and Fn trait objects for both CFI and KCFI without requiring reifying types for KCFI)
- [X] #123106 (actual fix/work around for casting between function items, closures, and Fn trait objects, which is a variant of #123082, originally implemented on #116404, and which unlike #123082 requires reifying of types for KCFI)
- [X] #123052 (work around for methods being cast as function pointers for KCFI, which requires reifying of types for KCFI)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

Steps

Unresolved Questions

Implementation history

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust #123479

Description

Steps

Unresolved Questions

Implementation history

Footnotes

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions