Merge remote-tracking branch 'raja/trixie_docs' into arraybolt3/trixie

README.md

@@ -223,7 +223,8 @@ Kernel space:
 - Use kCFI as the default CFI implementation as it is more resilient to attacks that are
   able to write arbitrary executables into memory omitting the necessary hash validation.
 
-- Optional - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface.
+- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
+  to reduce attack surface.
 
 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
   and other persistent data to either the UEFI variable storage or ACPI ERST backends.

etc/default/grub.d/40_kernel_hardening.cfg

@@ -206,7 +206,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 
-## Disable support for all 32-bit x86 processes and syscalls.
+## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@@ -214,6 +214,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
+## TODO: Debian 13 Trixie
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 
 ## Disable EFI persistent storage feature.