Kernel control flow integrity
Control flow integrity (CFI) is a security mechanism that disallows changes to the
original control flow graph of a compiled binary, making it significantly harder
to perform attacks that redirect execution to code the program never intended to
reach.
In Android 9, we enabled LLVM's implementation of CFI in more components and
also in the kernel. System CFI is on by
default, but you need to enable kernel CFI.
LLVM's CFI requires compiling with Link-Time Optimization
(LTO). LTO preserves the LLVM bitcode representation of object files until
link-time, which allows the compiler to better reason about what optimizations
can be performed. Enabling LTO reduces the size of the final binary and improves
performance, but increases compile time. In testing on Android, the combination
of LTO and CFI results in negligible overhead to code size and performance; in a
few cases both improved.
For more technical details about CFI and how other forward-control checks are
handled, see the LLVM design
documentation.
Implementation
The kCFI patches are in all supported Android kernel versions. The CONFIG_CFI_CLANG
option enables kCFI and is set by default in GKI.
Troubleshooting
After enabling kCFI, work through any type mismatch errors in your drivers. An
indirect function call through a function pointer whose type doesn't match the
called function's prototype trips CFI. When a CFI failure is detected, the kernel
prints a warning that includes both the function that was called and the stack
trace that led to the failure. Correct this by ensuring function pointers always
have the same type as the function that's called.
To assist in debugging CFI failures, enable CONFIG_CFI_PERMISSIVE, which prints
a warning instead of causing a kernel panic. Permissive mode must not be used in
production.
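An added user-space model of the mismatch rule described above (illustration only, not kernel code): kCFI attaches a hash of each function's real prototype to its definition and compares it at every indirect call site, so casting a pointer never changes the verdict. Here the "hash" is a prototype string derived with `_Generic`; `dev_ops`, `REGISTER_READ`, `cfi_checked_read` and `run_case` are made-up names.

```c
/* Model of the kCFI type check: the tag comes from the callee's real
 * prototype (via _Generic on the definition), not from the cast pointer. */
#include <stdio.h>
#include <string.h>

typedef long (*read_fn)(void *dev, char *buf, long len); /* expected callback type */
#define READ_FN_TYPE "long(void*,char*,long)"            /* tag the call site expects */

/* Stand-in for the compiler-emitted type hash. */
#define CFI_TYPE_TAG(fn) _Generic(&(fn),                          \
    long (*)(void *, char *, long): READ_FN_TYPE,                 \
    int (*)(void *, char *):        "int(void*,char*)",           \
    default:                        "unknown")

struct dev_ops { read_fn read; const char *read_tag; };

/* Registration keeps the tag of the real definition even when the pointer is cast. */
#define REGISTER_READ(ops, fn) do {                                \
    (ops)->read = (read_fn)(fn); (ops)->read_tag = CFI_TYPE_TAG(fn); } while (0)

/* Modelled indirect call site. Returns -1 where the kernel would report a
 * CFI failure (panic, or only a warning under CONFIG_CFI_PERMISSIVE). */
static long cfi_checked_read(struct dev_ops *ops, void *dev, char *buf, long len)
{
    if (strcmp(ops->read_tag, READ_FN_TYPE) != 0) {
        fprintf(stderr, "CFI failure: callee type %s, expected %s\n",
                ops->read_tag, READ_FN_TYPE);
        return -1;
    }
    return ops->read(dev, buf, len);
}

/* Callback whose prototype matches read_fn: passes the check. */
static long good_read(void *dev, char *buf, long len)
{ (void)dev; if (len > 0) buf[0] = 'x'; return len > 0; }

/* Legacy callback with a different prototype: a cast compiles, but its tag
 * still says int(void*,char*), so the indirect call trips CFI. */
static int legacy_read(void *dev, char *buf) { (void)dev; buf[0] = 'y'; return 1; }

/* Fix: a wrapper with exactly the read_fn prototype that calls the legacy code. */
static long legacy_read_fixed(void *dev, char *buf, long len)
{ return len > 0 ? legacy_read(dev, buf) : 0; }

long run_case(int which) /* 0: matching type, 1: mismatched cast, 2: wrapper fix */
{
    struct dev_ops ops; char buf[4] = {0};
    if (which == 0)      REGISTER_READ(&ops, good_read);
    else if (which == 1) REGISTER_READ(&ops, legacy_read);
    else                 REGISTER_READ(&ops, legacy_read_fixed);
    return cfi_checked_read(&ops, NULL, buf, 1);
}
```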
Validation
Currently, there are no CTS tests specifically for CFI. Instead, make sure that
CTS tests pass both with and without CFI enabled to verify that CFI isn't
affecting the device.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-01-22 UTC.