diff --git a/Makefile b/Makefile
index ceb23eed4dce2b..7a6d88b827f211 100644
--- a/Makefile
+++ b/Makefile
@@ -976,8 +976,19 @@ export CC_FLAGS_LTO
 endif
 
 ifdef CONFIG_CFI_CLANG
-CC_FLAGS_CFI	:= -fsanitize=kcfi
-KBUILD_CFLAGS	+= $(CC_FLAGS_CFI)
+CC_FLAGS_CFI   := -fsanitize=kcfi
+ifdef CONFIG_RUST
+# If Rust is enabled, this flag is required to support cross-language
+# integer types.
+# This addresses the problem that on e.g. i686, int != long, and Rust
+# maps both to i32.
+# See https://rcvalle.com/docs/rust-cfi-design-doc.pdf for details.
+CC_FLAGS_CFI   += -fsanitize-cfi-icall-experimental-normalize-integers
+RS_FLAGS_CFI   := -Zsanitizer=kcfi -Zsanitizer-cfi-normalize-integers
+KBUILD_RSFLAGS += RS_FLAGS_CFI
+export RS_FLAGS_CFI
+endif
+KBUILD_CFLAGS  += $(CC_FLAGS_CFI)
 export CC_FLAGS_CFI
 endif
 
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 5bfe5caaa444b3..941f7abf6dbfc1 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -81,6 +81,7 @@ ifeq ($(CONFIG_X86_KERNEL_IBT),y)
 #   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816
 #
 KBUILD_CFLAGS += $(call cc-option,-fcf-protection=branch -fno-jump-tables)
+KBUILD_RUSTFLAGS += -Zcf-protection=branch -Zno-jump-tables
 else
 KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
 endif
diff --git a/init/Kconfig b/init/Kconfig
index 6d35728b94b2b3..0ec954bd6607c9 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1889,6 +1889,7 @@ config RUST
 	depends on !GCC_PLUGINS
 	depends on !RANDSTRUCT
 	depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+	depends on !CFI_CLANG || $(cc-option,-fsanitize=kcfi,-fsanitize-cfi-icall-experimental-normalize-integers)
 	select CONSTRUCTORS
 	help
 	  Enables Rust support in the kernel.
diff --git a/rust/Makefile b/rust/Makefile
index 87958e864be025..989fdd963e39d4 100644
--- a/rust/Makefile
+++ b/rust/Makefile
@@ -365,6 +365,7 @@ quiet_cmd_exports = EXPORTS $@
       cmd_exports = \
 	$(NM) -p --defined-only $< \
 		| grep -E ' (T|R|D) ' | cut -d ' ' -f 3 \
+		| grep -v ^__cfi \
 		| xargs -Isymbol \
 		echo 'EXPORT_SYMBOL_RUST_GPL(symbol);' > $@
 
diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target.rs
index a85797c18d6c1f..bd9fc2c5171795 100644
--- a/scripts/generate_rust_target.rs
+++ b/scripts/generate_rust_target.rs
@@ -178,6 +178,7 @@ fn main() {
         }
         ts.push("features", features);
         ts.push("llvm-target", "x86_64-linux-gnu");
+        ts.push("supported-sanitizers", ["kcfi"]);
         ts.push("target-pointer-width", "64");
     } else {
         panic!("Unsupported architecture");