These docs are under active development and cover the v0.20 Kobicha security model.
Peios Learn

Process mitigations

Concept
Process mitigations

A mitigation is a per-process security hardening flag stored on the PSB. Each flag enables a specific kernel-enforced restriction — what may be made executable, how code is laid out, what control flow is permitted. Mitigations are one-way (they can be tightened but never loosened) and survive exec. This page covers the model and how mitigations differ from access control.

 Concept
Catalog

Peios defines eight active process mitigations in v0.20 — LSV, WXP, TLP, CFIF, CFIB, PIE, SML, NO_CHILD — plus a reserved UI_ACCESS slot. This page covers each one in turn — what it does, which kernel surface it gates, what it blocks, and when to enable it.

 Concept
Applying and lifecycle

Mitigations are set via kacs_set_psb. The call can target the calling process (free, anyone can do it) or another process (requires PROCESS_SET_INFORMATION plus PIP dominance). Once set, a mitigation persists through fork and exec and cannot be cleared. This page covers the syscall, the privileges, and the full lifecycle.