Abstract

The introduction of W^X memory policies and the subsequent mitigation of return-to-user attacks curtailed the effectiveness of code injection techniques in the exploitation of kernel-level vulnerabilities, making return-oriented programming (ROP) one of the most prominent adversaries of system security. Control-Flow Integrity (CFI) is an effective defense against ROP, but despite its many refinements over the past decade and its recent deployment for the protection of user-space applications, it has received significantly less attention in the kernel setting. The few existing kernel-level CFI proposals either apply an overly permissive coarse-grained policy, which sophisticated ROP attacks can easily bypass, or do not support dynamically loadable kernel modules.

We present the design and implementation of kCFI, a pure, fine-grained CFI implementation for commodity operating systems (OSes), and the first of its kind capable of fully supporting the Linux kernel. By combining static analysis at both the source code and binary level, kCFI generates a more restrictive CFI policy than previous proposals. By injecting control-flow checks into kernel binaries at compilation time, kCFI enforces this policy without harming any OS feature. Moreover, kCFI does not rely on memory secrecy to enforce its policies, so it remains effective even in the presence of memory disclosure attacks. The observed overheads are 8% and 2% for micro- and macro-benchmarks, respectively.
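The contrast the abstract draws between a permissive coarse-grained policy and a fine-grained one, as an added user-space model that is not code from the kCFI project: an indirect call site accepts only a target whose prototype tag matches the type it expects, so a registered function with a different signature is refused. The tag registry, the FNV-1a hash, and the function names are assumptions of this model; the real system emits tags and checks at compile time.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of a prototype-tag CFI check (kCFI emits tags
 * and checks at compile time; a registry stands in for the tag at each entry). */
typedef void (*generic_fn)(void);
typedef int (*int_handler_t)(int);
static uint32_t proto_tag(const char *prototype) {
    uint32_t h = 2166136261u;           /* FNV-1a over the prototype text (assumed hash) */
    for (; *prototype; prototype++) { h ^= (uint8_t)*prototype; h *= 16777619u; }
    return h;
}

struct tagged_fn { generic_fn addr; uint32_t tag; };
static struct tagged_fn registry[8];
static int registry_len;
static void register_fn(generic_fn addr, const char *prototype) {
    registry[registry_len++] = (struct tagged_fn){ addr, proto_tag(prototype) };
}

/* Fine-grained policy: the target must carry exactly the tag the call site
 * expects; a coarse-grained policy would accept any registered function. */
static int target_tag_matches(generic_fn addr, uint32_t expected) {
    for (int i = 0; i < registry_len; i++)
        if (registry[i].addr == addr)
            return registry[i].tag == expected;
    return 0;                           /* unknown address: never a valid target */
}

static int double_it(int x) { return 2 * x; }
static void noop(void) {}

static void setup_registry(void) {
    registry_len = 0;
    register_fn((generic_fn)double_it, "int(int)");
    register_fn((generic_fn)noop, "void(void)");
}

/* Guarded indirect call through an int(int) pointer: -1 means the check fired. */
static int guarded_call_int_handler(generic_fn target, int arg) {
    if (registry_len == 0) setup_registry();
    if (!target_tag_matches(target, proto_tag("int(int)"))) return -1;
    return ((int_handler_t)target)(arg);
}
int main(void) {
    printf("double_it -> %d\n", guarded_call_int_handler((generic_fn)double_it, 21));
    printf("noop      -> %d\n", guarded_call_int_handler((generic_fn)noop, 21));
    return 0;
}
```

Under a coarse-grained policy both calls would succeed because both targets are legitimate function entries; the prototype tag is what blocks the second one.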