From 1135d34ab334c9b39e51a147dc94df568f982512 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 23:33:36 +1000 Subject: [PATCH] Reword description of `cfi=kcfi` kernel parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 5709f52..9c179b2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## As of Linux kernel 6.2, FineIBT has been the default implementation. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in performance benefits as it only performs checking at destinations. -## FineIBT is weaker against attacks that can write arbitrary executable in memory. +## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT is considered weaker against attacks that can write arbitrary executable in memory. ## Upstream hardening has given users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both. -## Do not modify this parameter if unsure of implications. +## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. +## Do not modify from default if unsure of implications. ## ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
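Review bot: In the last changed line, "Do not modify from default if unsure of implications." is ambiguous about which default is meant, because the same comment block says upstream defaults to FineIBT as of 6.2 while this file switches back to kCFI. The previous "this parameter" wording was unambiguous, so consider something like "Do not modify this parameter from the value set here if unsure of implications." The reworded FineIBT line also still reads "write arbitrary executable in memory", which is missing a noun (presumably "executable code"), and "if there is support by the CPU" would read more cleanly as "if supported by the CPU".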