2019-11-05 09:55:43 -05:00
|
|
|
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
|
|
|
|
## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
2019-05-05 10:42:03 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
2019-05-05 16:17:33 -04:00
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Enables sanity checks (F), redzoning (Z) and poisoning (P).
|
2019-09-07 16:08:56 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
|
2019-05-05 16:17:33 -04:00
|
|
|
|
2019-11-05 10:02:55 -05:00
|
|
|
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
|
|
|
|
## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
|
|
|
|
|
true "skip adding page_poison=1 in Qubes"
|
|
|
|
|
else
|
|
|
|
|
## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
|
|
|
|
|
fi
|
2019-05-05 16:17:33 -04:00
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
|
2019-05-05 16:17:33 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
2019-06-23 13:54:34 -04:00
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
|
2019-06-23 13:54:34 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
|
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Enables all mitigations for the MDS vulnerability.
|
|
|
|
|
## Disables smt which can be used to exploit the MDS vulnerability.
|
2019-06-23 14:46:52 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
