Add option to switch (back) to using kCFI in the future

README.md

@@ -137,6 +137,10 @@ configuration file.
 
 - Provide the option to modify machine check exception handler.
 
+- Provide the option to use kCFI as the default CFI implementation as it may be
+  slightly more resilient to attacks that can construct arbitrary executable
+  memory contents (when using Linux kernel version >= 6.5).
+
 - Provide the option to disable support for all x86 processes and syscalls to reduce
   attack surface (when using Linux kernel version >= 6.7).
 

etc/default/grub.d/40_kernel_hardening.cfg

@@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## As of Linux kernel 6.2, FineIBT has been the default implementation.
+## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in performance benefits as it only performs checking at destinations.
+## FineIBT is weaker against attacks that can construct arbitrary executable memory contents.
+## Choice of this parameter is dependant on user threat model as there are pros/cons to both.
+##
+## https://docs.kernel.org/next/x86/shstk.html
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://source.android.com/docs/security/test/kcfi
+##
+## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness).
+##
+#cfi=kcfi
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##