Add option to switch (back) to using kCFI in the future

2025-07-25 05:45:23 -04:00 · 2024-07-22 17:26:00 +10:00 · 2024-07-22 17:26:00 +10:00 · d6fc71dba7
commit d6fc71dba7
parent d2563ed923
2 changed files with 23 additions and 0 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"

+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## As of Linux kernel 6.2, FineIBT has been the default implementation.
+## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in performance benefits as it only performs checking at destinations.
+## FineIBT is weaker against attacks that can construct arbitrary executable memory contents.
+## Choice of this parameter is dependant on user threat model as there are pros/cons to both.
+##
+## https://docs.kernel.org/next/x86/shstk.html
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://source.android.com/docs/security/test/kcfi
+##
+## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness).
+##
+#cfi=kcfi
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##