diff --git a/CMakeLists.txt b/CMakeLists.txt
index 34693a969..751932e0f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -242,6 +242,11 @@ KernelCommonFlags(
     -nostdlib -fno-pic -fno-pie
 )
 
+# Disable cloned functions. This is needed for binary verification at -O2.
+if(NOT KernelOptimisationCloneFunctions AND (CMAKE_C_COMPILER_ID STREQUAL "GNU"))
+    KernelCommonFlags(-fno-partial-inlining -fno-ipa-cp -fno-ipa-sra)
+endif()
+
 if(KernelFWholeProgram)
     # KernelFWholeProgram is still an experimental feature and disabled by
     # default. Clarify if the linker step via GCC actually cares about this
diff --git a/config.cmake b/config.cmake
index 4b8d0cec0..b28aa750b 100644
--- a/config.cmake
+++ b/config.cmake
@@ -335,6 +335,15 @@ config_option(
     DEFAULT ON
 )
 
+config_option(
+    KernelBinaryVerificationBuild BINARY_VERIFICATION_BUILD
+    "When enabled, this configuration option restricts the use of other options that would \
+     interfere with binary verification. For example, it will disable some inter-procedural \
+     optimisations. Enabling this options does NOT imply that you are using a verified kernel."
+    DEFAULT OFF
+    DEPENDS "KernelVerificationBuild"
+)
+
 config_option(
     KernelDebugBuild DEBUG_BUILD "Enable debug facilities (symbols and assertions) in the kernel"
     DEFAULT ON
@@ -447,11 +456,26 @@ config_choice(
     "-O3;KernelOptimisationO3;KERNEL_OPT_LEVEL_O3"
 )
 
+config_option(
+    KernelOptimisationCloneFunctions KERNEL_OPTIMISATION_CLONE_FUNCTIONS
+    "If enabled, allow inter-procedural optimisations that can generate cloned or partial \
+     functions, according to the coarse optimisation setting (KernelOptimisation). \
+     By default, these optimisations are present at -O2 and higher. \
+     If disabled, prevent those optimisations, regardless of the coarse optimisation setting. \
+     The main use of this option is to disable cloned and partial functions when performing \
+     binary verification at -O2. \
+     This currently only affects GCC builds."
+    DEFAULT ON
+    DEPENDS "NOT KernelBinaryVerificationBuild"
+    DEFAULT_DISABLED OFF
+)
+
 config_option(
     KernelFWholeProgram KERNEL_FWHOLE_PROGRAM
     "Enable -fwhole-program when linking kernel. This should work modulo gcc bugs, which \
     are not uncommon with -fwhole-program. Consider this feature experimental!"
     DEFAULT OFF
+    DEPENDS "NOT KernelBinaryVerificationBuild"
 )
 
 config_option(