mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-21 03:21:02 -05:00
Merge pull request #246 from raja-grewal/cfi
Provide the option to change the default CFI implementation in the future
This commit is contained in:
Patrick Schleizer
GitHub
commit
0318f577ab
@ -137,6 +137,10 @@ configuration file.
|
|||||||
|
|
||||||
- Provide the option to modify machine check exception handler.
|
- Provide the option to modify machine check exception handler.
|
||||||
|
|
||||||
|
- Provide the option to use kCFI as the default CFI implementation since it may be
|
||||||
|
slightly more resilient to attacks that are able to write arbitrary executables
|
||||||
|
in memory (when using Linux kernel version >= 6.2).
|
||||||
|
|
||||||
- Provide the option to disable support for all x86 processes and syscalls to reduce
|
- Provide the option to disable support for all x86 processes and syscalls to reduce
|
||||||
attack surface (when using Linux kernel version >= 6.7).
|
attack surface (when using Linux kernel version >= 6.7).
|
||||||
|
|
||||||
|
|||||||
@ -112,6 +112,31 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
|||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
||||||
|
|
||||||
|
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
||||||
|
## The default implementation is FIneIBT as of Linux kernel 6.2.
|
||||||
|
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
|
||||||
|
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
|
||||||
|
## FineIBT may result in some performance benefits as it only performs checking at destinations.
|
||||||
|
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
|
||||||
|
## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
|
||||||
|
## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
|
||||||
|
## Do not modify from the default setting if unsure of implications.
|
||||||
|
##
|
||||||
|
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
|
||||||
|
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
|
||||||
|
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
|
||||||
|
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
|
||||||
|
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
|
||||||
|
## https://docs.kernel.org/next/x86/shstk.html
|
||||||
|
## https://source.android.com/docs/security/test/kcfi
|
||||||
|
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
|
||||||
|
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
|
||||||
|
##
|
||||||
|
## TODO: Debian 13 Trixie
|
||||||
|
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||||
|
##
|
||||||
|
#cfi=kcfi
|
||||||
|
|
||||||
## Disable support for x86 processes and syscalls.
|
## Disable support for x86 processes and syscalls.
|
||||||
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
|
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
|
||||||
##
|
##
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user