Linux Plumbers Conference 2025

Security Features status update

11 Dec 2025, 15:00

20m

"Hall B2 (63)" (Toranomon Hills Mori Tower)

Toolchains MC Toolchains MC

Speakers

Justin Stitt (Google) Kees Cook (Google)

Description

Another year of work is behind us, with lots of progress across GCC, Clang, and Rust to provide the Linux kernel with a variety of security features. Let's review and discuss where we are with parity between toolchains, approaches to solving open problems, and exploring new features.

Parity reached since last year:

• arbitrary stack protector guard location (Clang: RISC-V, PowerPC)
• counted_by attribute for Pointer Members (GCC, Clang)

Compiler-specific features landed since last year:

• improved diagnostics for -Warray-bounds and related warnings (GCC)
• kcfi hash salt attribute (Clang)

In progress:

• -fbounds-safety language extension (Clang)
• arithmetic overflow protection via Overflow Behavior Types and __strong typedef (Clang)
• forward edge Control Flow Integrity (GCC: KCFI)

Stalled, needs driving:

• Link Time Optimization (Kernel support for GCC)
• backward edge Control Flow Integrity (x86 CET Shadow Stack in kernel mode)