Provide option to enable the kernel Electric-Fence

2025-07-25 05:15:18 -04:00 · 2024-08-03 00:12:50 +10:00 · 2024-08-03 00:12:50 +10:00 · 9099ecce8a
commit 9099ecce8a
parent f6a16258a1
2 changed files with 13 additions and 0 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"

+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.