security-misc/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf

## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP

## NOTE:
## This configuration is in a dedicated file because the ram-wipe package
## requires kexec. However, ram-wipe cannot ship a config file
## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'.
## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1',
## it cannot be undone without a reboot. This is an upstream Linux security feature.
## Instead, ram-wipe will config-package-dev 'hide' this file.

## Disables kexec, which can be used to replace the running kernel.
## Useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_KEXEC.
##
kernel.kexec_load_disabled=1
Update Copyright (C) to 2024 2024-05-10 23:18:36 -04:00			`## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file 2023-01-25 15:13:19 -05:00			`## See the file COPYING for copying conditions.`

Add KSPP notice definitions 2024-08-25 21:34:12 -04:00			`## Definitions:`
			`## KSPP=yes: compliant with recommendations by the KSPP`
			`## KSPP=partial: partially compliant with recommendations by the KSPP`

Minor documentation changes and fixes 2024-07-13 11:21:24 -04:00			`## NOTE:`
spelling 2024-07-17 10:55:12 -04:00			`## This configuration is in a dedicated file because the ram-wipe package`
			`## requires kexec. However, ram-wipe cannot ship a config file`
			`## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'.`
			`## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1',`
			`## it cannot be undone without a reboot. This is an upstream Linux security feature.`
comment 2024-07-17 10:56:14 -04:00			`## Instead, ram-wipe will config-package-dev 'hide' this file.`
Minor documentation changes and fixes 2024-07-13 11:21:24 -04:00
spelling 2024-07-17 10:55:12 -04:00			`## Disables kexec, which can be used to replace the running kernel.`
Consistent formating 2024-08-16 00:55:22 -04:00			`## Useful for live kernel patching without rebooting.`
move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file 2023-01-25 15:13:19 -05:00			`##`
Refactor existing sysctl for clarity 2024-07-13 08:41:40 -04:00			`## https://en.wikipedia.org/wiki/Kexec`
move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file 2023-01-25 15:13:19 -05:00			`##`
Include KSPP compliance notices 2024-08-16 11:06:21 -04:00			`## KSPP=yes`
			`## KSPP sets the sysctl and does not set CONFIG_KEXEC.`
			`##`
move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file 2023-01-25 15:13:19 -05:00			`kernel.kexec_load_disabled=1`