security-misc/etc/default/grub.d/40_kernel_hardening.cfg

63 lines
2.8 KiB
INI
Raw Normal View History

2024-05-10 23:18:36 -04:00
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
2019-11-05 09:55:43 -05:00
## See the file COPYING for copying conditions.
kpkg="linux-image-$(dpkg --print-architecture)" || true
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
2019-12-23 05:00:35 -05:00
#echo "## kver: $kver"
2019-12-18 15:43:01 -05:00
## Disables the merging of slabs of similar sizes.
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
2019-05-05 10:42:03 -04:00
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
2019-05-05 16:17:33 -04:00
## Enables sanity checks (F) and redzoning (Z).
2022-07-12 14:32:03 -04:00
## Disabled due to kernel deciding to implicitly disable kernel pointer hashing
## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
2019-12-23 14:44:52 -05:00
## Zero memory at allocation and free time.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
2019-05-05 16:17:33 -04:00
2022-08-21 09:02:44 -04:00
## Machine check exception handler decides whether the system should panic or not based on the exception that happened.
## https://forums.whonix.org/t/kernel-hardening/7296/494
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
2019-06-23 13:54:34 -04:00
2019-11-05 09:55:43 -05:00
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
2019-06-23 13:54:34 -04:00
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
2019-12-18 15:43:01 -05:00
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
## Enables page allocator freelist randomization.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
2019-12-18 15:43:01 -05:00
2022-07-12 14:34:35 -04:00
## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
## https://lkml.org/lkml/2019/3/18/246
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
2019-12-18 15:43:01 -05:00
## Enables kernel lockdown.
##
## Disabled for now as it enforces module signature verification which breaks
## too many things.
2019-12-23 03:46:02 -05:00
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi
2020-02-16 14:51:32 -05:00
## Gather more entropy during boot.
##
## Requires linux-hardened kernel patch.
## https://github.com/anthraxx/linux-hardened
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
2020-09-28 15:21:20 -04:00
## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
2022-07-19 14:06:35 -04:00
## Force the kernel to panic on "oopses" (which may be due to false positives)
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
## Implemented differently:
## /usr/libexec/security-misc/panic-on-oops
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"