Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-27 21:10:25 -05:00
Code Issues Projects Releases Packages Wiki Activity

Enable cfi=kcfi

Browse source
This commit is contained in:
raja-grewal 2025-08-06 01:48:47 +00:00 committed by GitHub
parent c2690efcac
commit 1f7525722e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -221,9 +221,8 @@ Kernel space:
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2)
since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory.
- Use kCFI as the default CFI implementation as it is more resilient to attacks that able
to write arbitrary executables into memory omitting the necessary hash validation.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.

14
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## The default implementation is FineIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in some performance benefits as it only performs checking at destinations.
## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
## Do not modify from the default setting if unsure of implications.
##
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lwn.net/Articles/891976/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html
@ -205,10 +204,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes
## KSPP sets the kernel parameter.
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.