On August 28, 2025 4:19:15 PM EDT, Nathan Chancellor <nathan@xxxxxxxxxx> wrote: >On Thu, Aug 28, 2025 at 02:11:51PM +0200, Miguel Ojeda wrote: >> On Wed, Aug 27, 2025 at 9:38 PM Nathan Chancellor <nathan@xxxxxxxxxx> wrote: >> > Another idea I had to avoid this is introducing CONFIG_CFI_GCC as a user >> > selectable symbol and making CONFIG_CFI the hidden symbol that both >> > compiler symbols select. After a couple of releases (or maybe the next >> > LTS), both CONFIG_CFI_CLANG and CONFIG_CFI_GCC could be eliminated with >> > CONFIG_CFI becoming user selectable, which would keep things working >> > since CONFIG_CFI=y will be present in the previous configuration. >> >> If we are OK with something like this (i.e. waiting a few releases), >> then isn't it simpler the `def_bool` approach I mentioned? i.e. it >> means one less symbol and one less rename later, right? > >Ah yes, I reread your suggestion and that would probably be the best >course of action, as it does avoid the extra symbol (although I am not >sure what you mean by one less rename?). As I understand it: > > config CFI_CLANG > bool "Use Kernel Control Flow Integrity (kCFI)" > depends on ARCH_SUPPORTS_CFI > depends on $(cc-option,-fsanitize=kcfi) > help > <generic help text> > > config CFI > def_bool CFI_CLANG Oh! Keep CFI_CLANG the visible option? Will the later rename work right? I'll give it a try. -Kees -- Kees Cook
