From d6fc71dba78a9c871015ebdde3bef61943369b47 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Mon, 22 Jul 2024 17:26:00 +1000
Subject: [PATCH 1/4] Add option to switch (back) to using kCFI in the future

---
 README.md                                  |  4 ++++
 etc/default/grub.d/40_kernel_hardening.cfg | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/README.md b/README.md
index 5e029c8..7bac0c4 100644
--- a/README.md
+++ b/README.md
@@ -137,6 +137,10 @@ configuration file.
 
 - Provide the option to modify machine check exception handler.
 
+- Provide the option to use kCFI as the default CFI implementation as it may be
+  slightly more resilient to attacks that can construct arbitrary executable
+  memory contents (when using Linux kernel version >= 6.5).
+
 - Provide the option to disable support for all x86 processes and syscalls to reduce
   attack surface (when using Linux kernel version >= 6.7).
 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 2bc07b5..ef9ed1f 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## As of Linux kernel 6.2, FineIBT has been the default implementation.
+## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in performance benefits as it only performs checking at destinations.
+## FineIBT is weaker against attacks that can construct arbitrary executable memory contents.
+## Choice of this parameter is dependant on user threat model as there are pros/cons to both.
+##
+## https://docs.kernel.org/next/x86/shstk.html
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://source.android.com/docs/security/test/kcfi
+##
+## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness).
+##
+#cfi=kcfi
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##

From fb494c2ba5b7fd0f864a59896710d9cddf92b458 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Tue, 23 Jul 2024 13:12:13 +1000
Subject: [PATCH 2/4] Update docs relating to the `cfi=kcfi` kernel parameter

---
 README.md                                  |  6 +++---
 etc/default/grub.d/40_kernel_hardening.cfg | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 7bac0c4..71ae57c 100644
--- a/README.md
+++ b/README.md
@@ -137,9 +137,9 @@ configuration file.
 
 - Provide the option to modify machine check exception handler.
 
-- Provide the option to use kCFI as the default CFI implementation as it may be
-  slightly more resilient to attacks that can construct arbitrary executable
-  memory contents (when using Linux kernel version >= 6.5).
+- Provide the option to use kCFI as the default CFI implementation since it may be
+  slightly more resilient to attacks that are able to write arbitrary executables
+  in memory (when using Linux kernel version >= 6.2).
 
 - Provide the option to disable support for all x86 processes and syscalls to reduce
   attack surface (when using Linux kernel version >= 6.7).
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index ef9ed1f..5709f52 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -114,20 +114,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## As of Linux kernel 6.2, FineIBT has been the default implementation.
-## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
 ## FineIBT may result in performance benefits as it only performs checking at destinations.
-## FineIBT is weaker against attacks that can construct arbitrary executable memory contents.
-## Choice of this parameter is dependant on user threat model as there are pros/cons to both.
+## FineIBT is weaker against attacks that can write arbitrary executable in memory.
+## Upstream hardening has given users the ability to disable FineIBT based on requests.
+## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both.
+## Do not modify this parameter if unsure of implications.
 ##
-## https://docs.kernel.org/next/x86/shstk.html
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
 ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
 ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
 ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://docs.kernel.org/next/x86/shstk.html
 ## https://source.android.com/docs/security/test/kcfi
+## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
 ##
-## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness).
+## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
 #cfi=kcfi
 

From 1135d34ab334c9b39e51a147dc94df568f982512 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Wed, 24 Jul 2024 23:33:36 +1000
Subject: [PATCH 3/4] Reword description of `cfi=kcfi` kerenel parameter

---
 etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 5709f52..9c179b2 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
-## As of Linux kernel 6.2, FineIBT has been the default implementation.
-## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
+## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
-## FineIBT may result in performance benefits as it only performs checking at destinations.
-## FineIBT is weaker against attacks that can write arbitrary executable in memory.
+## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT is considered weaker against attacks that can write arbitrary executable in memory.
 ## Upstream hardening has given users the ability to disable FineIBT based on requests.
-## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both.
-## Do not modify this parameter if unsure of implications.
+## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
+## Do not modify from default if unsure of implications.
 ##
 ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u

From 4397de0138dac47aee66570fcfe4ef38c8179321 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Fri, 26 Jul 2024 11:30:46 +1000
Subject: [PATCH 4/4] Update description of `cfi=kcfi` kerenel parameter

---
 etc/default/grub.d/40_kernel_hardening.cfg | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 9c179b2..172c3c8 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
-## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation.
-## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU.
+## The default implementation is FIneIBT as of Linux kernel 6.2.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
 ## FineIBT may result in some performance benefits as it only performs checking at destinations.
-## FineIBT is considered weaker against attacks that can write arbitrary executable in memory.
-## Upstream hardening has given users the ability to disable FineIBT based on requests.
+## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
+## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
 ## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
-## Do not modify from default if unsure of implications.
+## Do not modify from the default setting if unsure of implications.
 ##
 ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
@@ -132,6 +132,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
 ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
 ##
+## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
 #cfi=kcfi