Securing Linux® with CHERI
CHERI is a hardware approach to memory safety that improves system security at runtime by extending established ISAs, such as ARM, RISC-V, and x86, with new architectural features. This cross-architecture project adapts the Linux Kernel and userspace software to benefit from CHERI’s memory protection and software compartmentalization features.
Features
Spatial memory safety for userspace and the Kernel
Userspace and Kernel debugger support for memory-safe and memory-unsafe code
Runs on Morello boards, Morello FVP, QEMU, and RISC-V FPGA platforms
Monthly News Update: April 2026
Kernel, User Space, and Portability Updates
by Paul Metzger
This is the first in a series of monthly news updates that we will be publishing going forward.
Work on porting the Linux Kernel to CHERI is progressing in several areas. Codasip continues to track …
Accelerating Adoption
Extensive research and development activity has gone into porting a version of FreeBSD, called CheriBSD, to use CHERI’s features, and in particular explore and evaluate the sizeable design space of potential CHERI integrations with a general-purpose, MMU-based operating system. This work has been highly successful, with memory-safe ports of the FreeBSD kernel and userlevel, and over 10,000 open source packages using a CHERI-adapted LLVM toolchain. With a clear set of abstractions defined, and existing prototypes evaluated at scale, efforts to port Linux will be substantially less work.
Our strategy is to maximize portability of CHERI protection, language integration, and APIs across architectures (e.g., Arm’s Morello, CHERI-RISC-V), tools (e.g., LLVM, QEMU, Yocto), and operating systems (e.g., FreeBSD, Linux). This minimizes developer burden in adapting application-level code, ensures that lessons learned in any of these can be broadly benefited from in all, and helps reinforce the message to upstream communities that CHERI protection is a well defined, portable, and consistently implemented model, and sufficiently mature to adopt.