Update docs relating to the cfi=kcfi kernel parameter

Raja Grewal 2024-07-23 13:12:13 +10:00
parent d6fc71dba7
commit fb494c2ba5
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 13 additions and 8 deletions

View File

@ -137,9 +137,9 @@ configuration file.
- Provide the option to modify machine check exception handler.
- Provide the option to use kCFI as the default CFI implementation as it may be
slightly more resilient to attacks that can construct arbitrary executable
memory contents (when using Linux kernel version >= 6.5).
- Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables
in memory (when using Linux kernel version >= 6.2).
- Provide the option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7).
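Review bot: the reworded bullet, "attacks that are able to write arbitrary executables in memory", is less precise than the text it replaces ("attacks that can construct arbitrary executable memory contents"): "arbitrary executables" reads as executable files, while the distinction between kCFI and FineIBT concerns an attacker who can write chosen bytes into executable memory. Suggest "attacks that can write arbitrary executable memory contents". The version bump from ">= 6.5" to ">= 6.2" is consistent with the "As of Linux kernel 6.2, FineIBT has been the default implementation" comment in the second file, so that part looks right.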

View File

@ -114,20 +114,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## As of Linux kernel 6.2, FineIBT has been the default implementation.
## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in performance benefits as it only performs checking at destinations.
## FineIBT is weaker against attacks that can construct arbitrary executable memory contents.
## Choice of this parameter is dependant on user threat model as there are pros/cons to both.
## FineIBT is weaker against attacks that can write arbitrary executable in memory.
## Upstream hardening has given users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both.
## Do not modify this parameter if unsure of implications.
##
## https://docs.kernel.org/next/x86/shstk.html
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html
## https://source.android.com/docs/security/test/kcfi
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
##
## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness).
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#cfi=kcfi
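Review bot: the rewritten IBT line carries over the grammatical error of the line it replaces: "is only used if there support by the CPU" should read "is only used if the CPU supports it". The FineIBT line has the same problem as the first hunk, "attacks that can write arbitrary executable in memory" is missing its noun; suggest "attacks that can write arbitrary executable memory contents". The new line "Upstream hardening has given users the ability to disable FineIBT based on requests" is vague about the mechanism; state that this is the cfi=kcfi parameter the block documents (selecting kCFI even where the CPU supports IBT) and point at the lore thread that added it, since the reference list below already carries several lore links. Finally, the shstk.html URL appears twice in this hunk; if both occurrences end up in the resulting file, drop one.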