Securing Linux® with CHERI

CHERI is a hardware approach to memory safety that improves system security at runtime by extending established ISAs, such as ARM, RISC-V, and x86, with new architectural features. This cross-architecture project adapts the Linux Kernel and userspace software to benefit from CHERI’s memory protection and software compartmentalization features.

Features

Spatial memory safety for userspace and the Kernel
Userspace and Kernel debugger support for memory-safe and memory-unsafe code
Runs on Morello boards, Morello FVP, QEMU, and RISC-V FPGA platforms
Monthly News Update: June 2026

Linux on CHERI with Debian user space, CVA6 support, CHERI-Enabled Linux v7.1
by Paul Metzger and Hesham Almatary

As usual, Codasip kept pace with recent Linux kernel releases and published v7.1 of Linux on CHERI. The company also contributed its RVY adaptation of the Linux Test Project (LTP) to the CHERI …

Monthly News Update: May 2026

CHERI-Enabled Linux 7.0 Released, Platform Support and Toolchain Improvements
by Paul Metzger

As in the previous month, working group members have been busy with a range of Linux kernel and user space-related endeavours. Notably, Codasip has released a CHERI-enabled Linux v7.0 kernel, making a …

Accelerating Adoption

Extensive research and development activity has gone into porting a version of FreeBSD, called CheriBSD, to use CHERI’s features, and in particular explore and evaluate the sizeable design space of potential CHERI integrations with a general-purpose, MMU-based operating system. This work has been highly successful, with memory-safe ports of the FreeBSD kernel and userlevel, and over 10,000 open source packages using a CHERI-adapted LLVM toolchain. With a clear set of abstractions defined, and existing prototypes evaluated at scale, efforts to port Linux will be substantially less work.
Our strategy is to maximize portability of CHERI protection, language integration, and APIs across architectures (e.g., Arm’s Morello, CHERI-RISC-V), tools (e.g., LLVM, QEMU, Yocto), and operating systems (e.g., FreeBSD, Linux). This minimizes developer burden in adapting application-level code, ensures that lessons learned in any of these can be broadly benefited from in all, and helps reinforce the message to upstream communities that CHERI protection is a well defined, portable, and consistently implemented model, and sufficiently mature to adopt.