Control Flow Integrity for forward edges
In BSD land, HardenedBSD has had non-cross-DSO Clang CFI since 2017.
Unlike the current CFI schemes implemented in LLVM, KCFI does not require LTO, does not alter function references to point to a jump table, and never breaks function address equality. KCFI is intended to be used in low-level code, such as operating system kernels, where the existing schemes can cause undue complications because of the aforementioned properties. However, unlike the existing schemes, KCFI is limited to validating only function pointers and is not compatible with executable-only memory.
This forward-edge control flow integrity scheme for indirect calls is type-based, and looks like a subset of PaX's RAP.
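To make the type-based check concrete, here is a small software model of how a KCFI-style forward-edge check works. It is an added example, not code from LLVM, PaX or any of the projects above: the compiler normally emits a hash of the function's type signature in front of every address-taken function and compares it at each indirect call site; this model stands in the preamble with a tagged struct, uses FNV-1a as an assumed hash (KCFI's real hash differs), and reports a violation by a return code instead of trapping so the outcome can be observed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: model of type-based forward-edge CFI (KCFI-style).
 * Assumed hashing (FNV-1a over a canonical signature string); the
 * real implementation hashes the mangled type differently. */
typedef uint32_t cfi_typeid_t;

cfi_typeid_t cfi_type_id(const char *signature) {
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)signature; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Models the preamble placed in front of a function: the type hash lives
 * with the target, not with the pointer, so it cannot be chosen by whoever
 * controls the pointer. */
struct cfi_target {
    cfi_typeid_t type_id;   /* hash of the function's static type */
    void (*entry)(void);    /* generic code pointer to the entry */
};

struct cfi_target cfi_make_target(const char *signature, void (*entry)(void)) {
    struct cfi_target t = { cfi_type_id(signature), entry };
    return t;
}

/* Two functions of type int(int,int): both legitimate callback targets. */
int add(int a, int b) { return a + b; }
int mul(int a, int b) { return a * b; }

/* A function of a different type: must never be reached through an
 * int(int,int) pointer, whatever the pointer's value is. */
void noop(void) {}

/* Instrumented indirect call site for callbacks of type int(int,int).
 * Returns 0 and stores the result on success; -1 on a CFI violation,
 * where a real kernel would trap instead of continuing. */
int cfi_call_iii(const struct cfi_target *t, int a, int b, int *out) {
    cfi_typeid_t expected = cfi_type_id("int(int,int)");
    if (t->type_id != expected) {
        fprintf(stderr, "CFI violation: expected %08x, target has %08x\n",
                expected, t->type_id);
        return -1;
    }
    int (*fn)(int, int) = (int (*)(int, int))t->entry;
    *out = fn(a, b);
    return 0;
}

/* Well-typed call through a pointer that could point at add or mul. */
int demo_valid_call(void) {
    struct cfi_target cb = cfi_make_target("int(int,int)", (void (*)(void))add);
    int r = 0;
    return cfi_call_iii(&cb, 3, 4, &r) == 0 ? r : -1;   /* 7 */
}

/* The pointer has been redirected to a function of another type: the call
 * site's check rejects it before any code at the target runs. */
int demo_rejected_call(void) {
    struct cfi_target cb = cfi_make_target("void(void)", (void (*)(void))noop);
    int r = 0;
    return cfi_call_iii(&cb, 3, 4, &r);                  /* -1 */
}

int main(void) {
    printf("valid call result: %d\n", demo_valid_call());
    printf("redirected call: %d\n", demo_rejected_call());
    return 0;
}
```

Note what the check does and does not buy you: redirecting the pointer to any function of the same type (here, swapping `add` for `mul`) still passes, which is the granularity limit of type-based CFI, and nothing here covers return addresses.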
In 2022, OpenBSD doesn’t have any forward-edge CFI.
Control Flow Integrity for backward edges
PaX's RAP provides backward-edge protection by keeping the secret used to encrypt the return address in a register, meaning that two leaks are needed to bypass it. Moreover, the cookie changes regularly in kernel land, making it even harder to obtain.
In OpenBSD, backward edges are covered by RETGUARD, which is bypassable with arbitrary reads.