From 9099ecce8ae12352f2b739d3d7adf6069488ff49 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:12:50 +1000 Subject: [PATCH] Provide option to enable the kernel Electric-Fence --- README.md | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/README.md b/README.md index b6a6c60..b23f852 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,10 @@ configuration file. - Provide the option to modify machine check exception handler. +- Provide the option to enable the kernel Electric-Fence sampling-based memory + safety error detector which can identify heap out-of-bounds access, use-after-free, + and invalid-free errors. + - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b1b3055..390f75b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. +## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. +## Aims to have very low processing overhead at each sampling interval +## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. +## +## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" + ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.