From d6fc71dba78a9c871015ebdde3bef61943369b47 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 22 Jul 2024 17:26:00 +1000 Subject: [PATCH] Add option to switch (back) to using kCFI in the future --- README.md | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/README.md b/README.md index 5e029c8..7bac0c4 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,10 @@ configuration file. - Provide the option to modify machine check exception handler. +- Provide the option to use kCFI as the default CFI implementation as it may be + slightly more resilient to attacks that can construct arbitrary executable + memory contents (when using Linux kernel version >= 6.5). + - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 2bc07b5..ef9ed1f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. +## As of Linux kernel 6.2, FineIBT has been the default implementation. +## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. +## FineIBT may result in performance benefits as it only performs checking at destinations. +## FineIBT is weaker against attacks that can construct arbitrary executable memory contents. +## Choice of this parameter is dependant on user threat model as there are pros/cons to both. +## +## https://docs.kernel.org/next/x86/shstk.html +## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u +## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ +## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://source.android.com/docs/security/test/kcfi +## +## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness). +## +#cfi=kcfi + ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ##
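Review bot: In the README hunk, the "(when using Linux kernel version >= 6.5)" qualifier conflicts with the grub hunk in the same patch, which states "As of Linux kernel 6.2, FineIBT has been the default implementation"; the cfi= boot parameter that selects between kCFI and FineIBT arrived together with FineIBT, so 6.5 looks wrong. Either cite where 6.5 comes from or align both hunks to the same version. The bullet also reads as if the option were always an improvement ("as it may be slightly more resilient"); since the grub comments call out a performance trade-off and say the choice depends on the threat model, the README line should say so too, e.g. "Provide the option to use kCFI instead of FineIBT as the CFI implementation (trades some performance for resilience against attackers who can write arbitrary executable memory)".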
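Review bot: In the grub hunk, the added line `#cfi=kcfi` does not follow the file's pattern and would be a no-op if uncommented: every other entry is of the form `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"`, whereas a bare `cfi=kcfi` is just a shell variable assignment that never reaches the kernel command line. It should be `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"`. The first reference, https://docs.kernel.org/next/x86/shstk.html, documents the CET shadow stack (backward-edge protection), not IBT or the cfi= switch; the kernel-parameters entry for cfi= at https://docs.kernel.org/admin-guide/kernel-parameters.html is the relevant document and also lists the accepted values. The comment block should additionally say that cfi= has no effect unless the kernel was built with Clang CFI (CONFIG_CFI_CLANG), since both kCFI and FineIBT depend on it; on a distribution kernel without it the option silently does nothing. Minor wording: "only used if there support by the CPU" should read "only used if the CPU supports it", and "dependant" should be "dependent".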