From e89c7ae0254d41ac1696e23f8b2d4a425413d888 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 8 Oct 2025 02:39:20 +0000 Subject: [PATCH] Update docs on `slab_debug` for future improvements --- README.md | 1 + .../40_kernel_hardening.cfg#security-misc-shared | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f784bbf..9ec1250 100644 --- a/README.md +++ b/README.md @@ -193,6 +193,7 @@ Kernel space: - Enable sanity checks and red zoning via slab debugging. This will implicitly disable kernel pointer hashing, leaking very sensitive information to root. + Re-enabling hashed pointers will be possible when using Linux kernel >= 6.17. - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c4c8457..0629366 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -39,8 +39,8 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. -## As a by product of debugging, this will implicitly disabling kernel pointer hashing. -## Enabling will therefore leak exact and all kernel memory addresses to root. +## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. +## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. ## Has the potential to cause a noticeable performance decrease. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html 
@@ -48,9 +48,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## -## KSPP=yes +## KSPP=partial ## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. ## +## TODO: Debian 14 +## The first parameter is applicable when using Linux kernel >= 6.17 (retained here for future-proofing and completeness). +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX hash_pointers=always" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time.
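Review bot: In the README.md hunk (@@ -193,6 +193,7 @@), the added sentence does not name the parameter that re-enables hashing, and does not say that this change leaves it switched off. A reader of the README alone still cannot tell whether their system leaks addresses to root. Suggest naming `hash_pointers=always` as the config file does, and stating that it is currently shipped commented out, for example "Hashed pointers can be re-enabled with `hash_pointers=always` on Linux kernel >= 6.17 (not yet enabled by default)."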
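Review bot: In the first 40_kernel_hardening.cfg hunk (@@ -39,8 +39,8 @@), the reworded comment keeps the grammar slip "this will implicitly disabling" and "by product", and "unless manually re-enabled" does not say how or on which kernels. Since these two lines are being rewritten anyway, suggest "As a by-product of debugging, this will implicitly disable kernel pointer hashing unless re-enabled with hash_pointers=always (Linux kernel >= 6.17)." The "(for now)" in the following line would also read more clearly as an explicit condition, such as "While hash_pointers=always is not set, enabling this will leak ...".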
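Review bot: In the second 40_kernel_hardening.cfg hunk (@@ -48,9 +48,13 @@), "The first parameter" is ambiguous because the comment sits above two GRUB_CMDLINE_LINUX lines and only one of them is active; name `hash_pointers=always` directly. The switch from `KSPP=yes` to `KSPP=partial` is also left unexplained: the next comment line still reads "KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG", so a reader cannot tell which part is not met. Add a line saying what differs from the KSPP setting. Finally, "TODO: Debian 14" ties the follow-up to a distribution release while the stated condition is the kernel version. The file already derives `kver` (visible in the previous hunk header), so consider noting whether the line could be gated on that value instead of waiting for a manual uncomment, or state why it must stay commented out on older kernels.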