On Wed, Sep 03, 2025 at 08:46:42PM -0700, Kees Cook wrote: > The kernel-parameters.txt didn't have a section for the cfi= options. > Add it. > > Signed-off-by: Kees Cook <[email protected]> > ---
Reviewed-by: Nathan Chancellor <[email protected]> > --- > Documentation/admin-guide/kernel-parameters.txt | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt > b/Documentation/admin-guide/kernel-parameters.txt > index 747a55abf494..8bbffbb334ab 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -608,6 +608,23 @@ > ccw_timeout_log [S390] > See Documentation/arch/s390/common_io.rst for details. > > + cfi= [X86-64] Set Control Flow Integrity checking features > + when CONFIG_FINEIBT is enabled. > + Format: feature[,feature...] > + Default: auto > + > + auto: Use FineIBT if IBT available, otherwise kCFI. > + Under FineIBT, enable "paranoid" mode when > + FRED is not available. > + off: Turn off CFI checking. > + kcfi: Use kCFI (disable FineIBT). > + fineibt: Use FineIBT (even if IBT not available). > + norand: Do not re-randomize CFI hashes. > + paranoid: Add caller hash checking under FineIBT. > + bhi: Enable register poisoning to stop speculation > + across FineIBT. (Disabled by default.) > + warn: Do not enforce CFI checking: warn only. > + > cgroup_disable= [KNL] Disable a particular controller or optional > feature > Format: {name of the controller(s) or feature(s) to > disable} > The effects of cgroup_disable=foo are: > -- > 2.34.1 >
