Enable cfi=kcfi

raja-grewal 2025-08-06 01:48:47 +00:00 committed by GitHub
parent c2690efcac
commit 1f7525722e
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 12 deletions


@ -221,9 +221,8 @@ Kernel space:
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - Use kCFI as the default CFI implementation as it is more resilient to attacks that able
since it may be slightly more resilient to attacks that are able to write to write arbitrary executables into memory omitting the necessary hash validation.
arbitrary executables in memory.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface. to reduce attack surface.
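Review bot: The rewritten kCFI bullet drops a verb and reads awkwardly: "attacks that able to write arbitrary executables into memory omitting the necessary hash validation" should be "attacks that are able to write arbitrary executables into memory, bypassing the necessary hash validation". The same line also removes "Optional" and the "(when using Linux kernel >= 6.2)" qualifier, so the README no longer tells the reader which kernel the parameter applies to, even though the config comments in this commit still state that FineIBT became the default in 6.2; suggest keeping the version qualifier, e.g. "Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) as it is more resilient to ...".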


@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## The default implementation is FineIBT as of Linux kernel 6.2. ## The default implementation is FineIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in some performance benefits as it only performs checking at destinations. ## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
## Do not modify from the default setting if unsure of implications.
## ##
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lwn.net/Articles/891976/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html ## https://docs.kernel.org/next/x86/shstk.html
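Review bot: The two new comment lines "## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass." and "## Upstream hardening work has provided users the ability to disable FineIBT based on requests." are not tied to any of the references listed below them; since the list is reordered and gains the LWN link in the same hunk, point each statement at the specific thread that supports it, and replace the vague "based on requests" with the actual change (the cfi= kernel parameter this commit enables). The added "## Do not modify from the default setting if unsure of implications." also needs reconciling with the following hunk, which uncomments GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" and so makes the non-default choice active for every user of this file.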
@ -205,10 +204,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes ## KSPP=yes
## KSPP sets the kernel parameter. ## KSPP sets the kernel parameter.
## ##
## TODO: Debian 13 Trixie GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for x86 processes and syscalls. ## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
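Review bot: Uncommenting GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" makes kCFI the active setting unconditionally, which contradicts the comment block added just above ("Choice of CFI implementation is highly dependent on user threat model", "Do not modify from the default setting if unsure of implications"); either keep the line commented as an explicit opt-in, or reword the comments to say this config deliberately selects kCFI over the FineIBT default. The removed line "## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness)." is still accurate per the surrounding comments, so a one-line note preserving the >= 6.2 requirement next to the now-active parameter would help users on older kernels; dropping the "## TODO: Debian 13 Trixie" marker without stating what resolved it also loses the reason the line was previously commented out.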