2019-11-05 09:55:43 -05:00
|
|
|
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
2019-12-24 06:00:41 -05:00
|
|
|
kpkg="linux-image-$(dpkg --print-architecture)"
|
|
|
|
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")"
|
2019-12-23 05:00:35 -05:00
|
|
|
#echo "## kver: $kver"
|
2019-12-18 15:43:01 -05:00
|
|
|
|
|
|
|
## Disables the merging of slabs of similar sizes.
|
|
|
|
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
2019-05-05 10:42:03 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
2019-05-05 16:17:33 -04:00
|
|
|
|
2019-12-23 05:00:35 -05:00
|
|
|
if dpkg --compare-versions "$kver" ge "5.3"; then
|
2019-12-23 14:44:52 -05:00
|
|
|
## Enables sanity checks (F) and redzoning (Z).
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
|
|
|
|
|
2019-12-23 05:00:35 -05:00
|
|
|
#echo "## $kver grater or equal 5.3: yes"
|
2019-12-23 14:44:52 -05:00
|
|
|
## Zero memory at allocation and free time.
|
2019-12-18 15:43:01 -05:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
|
2019-11-05 10:02:55 -05:00
|
|
|
else
|
2019-12-23 05:00:35 -05:00
|
|
|
#echo "## $kver grater or equal 5.3: no"
|
2019-12-18 15:43:01 -05:00
|
|
|
## SLUB poisoning and page poisoning is used if the kernel
|
|
|
|
## does not yet support init_on_{,alloc,free}.
|
2019-12-23 14:44:52 -05:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
|
2019-12-18 15:43:01 -05:00
|
|
|
|
|
|
|
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
|
|
|
## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
|
|
|
|
true "skip adding page_poison=1 in Qubes"
|
|
|
|
else
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
|
|
|
|
fi
|
2019-11-05 10:02:55 -05:00
|
|
|
fi
|
2019-05-05 16:17:33 -04:00
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
|
2019-05-05 16:17:33 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
2019-06-23 13:54:34 -04:00
|
|
|
|
2019-11-05 09:55:43 -05:00
|
|
|
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
|
2019-06-23 13:54:34 -04:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
|
|
|
|
2019-12-18 15:43:01 -05:00
|
|
|
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
|
|
|
|
|
|
|
## Enables page allocator freelist randomization.
|
|
|
|
if dpkg --compare-versions "${kver}" ge "5.2"; then
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
|
|
|
fi
|
|
|
|
|
|
|
|
## Enables kernel lockdown.
|
2019-12-23 03:41:54 -05:00
|
|
|
##
|
|
|
|
## Disabled for now as it enforces module signature verification which breaks
|
|
|
|
## too many things.
|
2019-12-23 03:46:02 -05:00
|
|
|
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
2019-12-23 03:41:54 -05:00
|
|
|
##
|
|
|
|
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
|
|
|
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
|
|
|
#fi
|
2020-02-16 14:51:32 -05:00
|
|
|
|
|
|
|
## Gather more entropy during boot.
|
|
|
|
##
|
|
|
|
## Requires linux-hardened kernel patch.
|
|
|
|
## https://github.com/anthraxx/linux-hardened
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
|