Reword description of cfi=kcfi kerenel parameter

2025-01-22 10:41:02 -05:00 · 2024-07-24 23:33:36 +10:00 · 2024-07-24 23:33:36 +10:00 · 1135d34ab3
commit 1135d34ab3
parent fb494c2ba5
1 changed files with 6 additions and 6 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"

 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
-## As of Linux kernel 6.2, FineIBT has been the default implementation.
-## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
-## FineIBT may result in performance benefits as it only performs checking at destinations.
-## FineIBT is weaker against attacks that can write arbitrary executable in memory.
+## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT is considered weaker against attacks that can write arbitrary executable in memory.
 ## Upstream hardening has given users the ability to disable FineIBT based on requests.
-## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both.
-## Do not modify this parameter if unsure of implications.
+## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
+## Do not modify from default if unsure of implications.
 ##
 ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u