ANDROID: KVM: arm64: Disable CFI only for nVHE hyp object

This patch effectively reverts 2df99b6397 ("ANDROID: KVM: arm64: disable
CFI for hypervisor code") now that the arm64 KVM hypervisor code builds
correctly with LTO enabled, which is also the case upstream. CFI remains
disabled, but only for the nVHE hyp object at EL2.

Cc: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 145210207
Change-Id: I5084f880576dd6a23b8e15eec840f666f36bd2b1

arch/arm64/kvm/Makefile

@@ -4,7 +4,6 @@
 #
 
 ccflags-y += -I $(srctree)/$(src)
-CFLAGS_REMOVE_debug.o += $(CC_FLAGS_CFI)
 
 KVM=../../../virt/kvm
 

arch/arm64/kvm/hyp/Makefile

@@ -11,6 +11,3 @@ subdir-ccflags-y := -I$(incdir)				\
 		    $(DISABLE_STACKLEAK_PLUGIN)
 
 obj-$(CONFIG_KVM) += vhe/ nvhe/ pgtable.o
-
-# Disable LTO+CFI for the files in this directory
-KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO), $(KBUILD_CFLAGS))

arch/arm64/kvm/hyp/nvhe/Makefile

@@ -75,9 +75,9 @@ quiet_cmd_hyprel = HYPREL  $@
 quiet_cmd_hypcopy = HYPCOPY $@
       cmd_hypcopy = $(OBJCOPY) --prefix-symbols=__kvm_nvhe_ $< $@
 
-# Remove ftrace and Shadow Call Stack CFLAGS.
-# This is equivalent to the 'notrace' and '__noscs' annotations.
-KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))
+# Remove ftrace, Shadow Call Stack and CFI CFLAGS.
+# This is equivalent to the 'notrace', '__noscs' and '__nocfi' annotations.
+KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS) $(CC_FLAGS_CFI), $(KBUILD_CFLAGS))
 
 # KVM nVHE code is run at a different exception code with a different map, so
 # compiler instrumentation that inserts callbacks or checks into the code may