Merge pull request #246 from raja-grewal/cfi

Provide the option to change the default CFI implementation in the future

etc/default/grub.d/40_kernel_hardening.cfg

@@ -112,6 +112,31 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## The default implementation is FIneIBT as of Linux kernel 6.2.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
+## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
+## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
+## Do not modify from the default setting if unsure of implications.
+##
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://docs.kernel.org/next/x86/shstk.html
+## https://source.android.com/docs/security/test/kcfi
+## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
+##
+## TODO: Debian 13 Trixie
+## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
+##
+#cfi=kcfi
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##