Tracking Issue for Kernel Control Flow Integrity (KCFI) Support for Rust

[rcvalle]

This is a tracking issue for the Kernel Control Flow Integrity (KCFI) Support for Rust project.

Steps

The Kernel Control Flow Integrity (KCFI) Support for Rust project shares most of its implementation with the LLVM Control Flow Integrity (CFI) Support for Rust project (see #89653), with some key differences:

1. KCFI perform type tests differently and are implemented as different LLVM passes than CFI to not require LTO.
2. KCFI has the limitation that a function or method may have one type id assigned only.

KCFI support for Rust work will be implemented in these steps:

• Add support for emitting KCFI type metadata and checks to the Rust compiler code generation (i.e., add support for emitting KCFI operand bundles).
• Fixing (or temporarily working around) the limitations listed above in KCFI.

Unresolved Questions

Because of limitation listed above (2), the current KCFI implementation (not CFI) does reifying of types (i.e., adds shims/trampolines for indirect calls in these cases¹) for:

1. Supporting casting between function items, closures, and Fn trait objects
2. Supporting methods being cast as function pointers.

There may be possible costs of these added levels of indirections for KCFI for cache coherence/locality and performance, possible introduction of gadgets or KCFI bypasses, and increased artifact/binary sizes, which haven't been looked at yet.

Implementation history

These are the most relevant PRs for Kernel Control Flow Integrity (KCFI) Support for Rust project:

• Add LLVM KCFI support to the Rust compiler #105109
• Add documentation for LLVM KCFI support rustc-dev-guide#1529
• CFI: Fix fn items, closures, and Fn trait objects, and more #116404 (original PR that fixed casting between function items, closures, and Fn trait objects, methods being cast as function pointers, and other remaining CFI bugs)
• CFI: Fix many vtable-related problems #121962 [proposal to add shims/trampolines to all virtual calls in the Rust compiler to work around the KCFI limitation (2)--see the CfiShims design doc]
• CFI: Repair vtables without altering types #122573 [second proposal to add shims/trampolines to a subset of virtual calls in the Rust compiler to work around the KCFI limitation (2)]
• CFI: Fix methods as function pointer cast #123071 (actual fix for methods being cast as function pointers for CFI)
• CFI: Fix fn items, closures, and Fn trait objects #123082 (proposal to fix casting between function items, closures, and Fn trait objects for both CFI and KCFI without requiring reifying types for KCFI)
• CFI: Abstract Closures and Coroutines #123106 (actual fix/work around for casting between function items, closures, and Fn trait objects, which is a variant of CFI: Fix fn items, closures, and Fn trait objects #123082, originally implemented on CFI: Fix fn items, closures, and Fn trait objects, and more #116404, and which unlike CFI: Fix fn items, closures, and Fn trait objects #123082 requires reifying of types for KCFI)
• CFI: Support function pointers for trait methods #123052 (work around for methods being cast as function pointers for KCFI, which requires reifying of types for KCFI)

Footnotes

1. It also unnecessarily adds shims/trampolines to indirect calls to methods that are cast into function pointers from traits that are not object safe. ↩

[Jules-Bertholet]

@rustbot label A-sanitizers A-control-flow-integrity