ANDROID: add support for Clang's Control Flow Integrity (CFI)
This change adds the CONFIG_CFI_CLANG option, CFI error handling,
and a faster look-up table for cross module CFI checks.
Bug: 145210207
Change-Id: I118303de50114ca6f85d89a7d69c5cbc47e2f5c0
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
diff --git a/Makefile b/Makefile
index 3f0530e..111b2a9 100644
--- a/Makefile
+++ b/Makefile
@@ -882,6 +882,25 @@
export CC_FLAGS_LTO
endif
+ifdef CONFIG_CFI_CLANG
+CC_FLAGS_CFI := -fsanitize=cfi \
+ -fno-sanitize-cfi-canonical-jump-tables
+
+ifdef CONFIG_MODULES
+CC_FLAGS_CFI += -fsanitize-cfi-cross-dso
+endif
+
+ifdef CONFIG_CFI_PERMISSIVE
+CC_FLAGS_CFI += -fsanitize-recover=cfi \
+ -fno-sanitize-trap=cfi
+endif
+
+# If LTO flags are filtered out, we must also filter out CFI.
+CC_FLAGS_LTO += $(CC_FLAGS_CFI)
+KBUILD_CFLAGS += $(CC_FLAGS_CFI)
+export CC_FLAGS_CFI
+endif
+
# arch Makefile may override CC so keep this after arch Makefile is included
NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)