security-misc/etc/default/grub.d/40_kernel_hardening.cfg

## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

kpkg="linux-image-$(dpkg --print-architecture)" || true
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
#echo "## kver: $kver"

## Disables the merging of slabs of similar sizes.
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"

if dpkg --compare-versions "$kver" ge "5.3"; then
  ## Enables sanity checks (F) and redzoning (Z).
  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"

  #echo "## $kver grater or equal 5.3: yes"
  ## Zero memory at allocation and free time.
  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
else
  #echo "## $kver grater or equal 5.3: no"
  ## SLUB poisoning and page poisoning is used if the kernel
  ## does not yet support init_on_{,alloc,free}.
  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"

  if command -v "qubesdb-read" >/dev/null 2>&1 ; then
     ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
     true "skip adding page_poison=1 in Qubes"
  else
     GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
  fi
fi

## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"

## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"

## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"

## Enables page allocator freelist randomization.
if dpkg --compare-versions "${kver}" ge "5.2"; then
  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
fi

## Enables kernel lockdown.
##
## Disabled for now as it enforces module signature verification which breaks
## too many things.
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi

## Gather more entropy during boot.
##
## Requires linux-hardened kernel patch.
## https://github.com/anthraxx/linux-hardened
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"

## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
copyright 2021-03-17 09:45:21 -04:00			`## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
comments; copyright 2019-11-05 09:55:43 -05:00			`## See the file COPYING for copying conditions.`

fix etc/default/grub.d/40_kernel_hardening.cfg in Qubes if no kernel package is installed 2020-04-08 12:46:11 -04:00			`kpkg="linux-image-$(dpkg --print-architecture)" \|\| true`
			`kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null \|\| true`
comments 2019-12-23 05:00:35 -05:00			`#echo "## kver: $kver"`
More kernel hardening 2019-12-18 15:43:01 -05:00
			`## Disables the merging of slabs of similar sizes.`
			`## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.`
Create 40_kernel_hardening.cfg 2019-05-05 10:42:03 -04:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"`
Update 40_kernel_hardening.cfg 2019-05-05 16:17:33 -04:00
comments 2019-12-23 05:00:35 -05:00			`if dpkg --compare-versions "$kver" ge "5.3"; then`
Use only one slub_debug parameter 2019-12-23 14:44:52 -05:00			`## Enables sanity checks (F) and redzoning (Z).`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"`

comments 2019-12-23 05:00:35 -05:00			`#echo "## $kver grater or equal 5.3: yes"`
Use only one slub_debug parameter 2019-12-23 14:44:52 -05:00			`## Zero memory at allocation and free time.`
More kernel hardening 2019-12-18 15:43:01 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"`
do not set kernel boot parameter page_poison=1 in Qubes since does not work https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 2019-11-05 10:02:55 -05:00			`else`
comments 2019-12-23 05:00:35 -05:00			`#echo "## $kver grater or equal 5.3: no"`
More kernel hardening 2019-12-18 15:43:01 -05:00			`## SLUB poisoning and page poisoning is used if the kernel`
			`## does not yet support init_on_{,alloc,free}.`
Use only one slub_debug parameter 2019-12-23 14:44:52 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"`
More kernel hardening 2019-12-18 15:43:01 -05:00
			`if command -v "qubesdb-read" >/dev/null 2>&1 ; then`
			`## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012`
			`true "skip adding page_poison=1 in Qubes"`
			`else`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"`
			`fi`
do not set kernel boot parameter page_poison=1 in Qubes since does not work https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 2019-11-05 10:02:55 -05:00			`fi`
Update 40_kernel_hardening.cfg 2019-05-05 16:17:33 -04:00
comments; copyright 2019-11-05 09:55:43 -05:00			`## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.`
Update 40_kernel_hardening.cfg 2019-05-05 16:17:33 -04:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"`
Add more kernel hardening parameters 2019-06-23 13:54:34 -04:00
comments; copyright 2019-11-05 09:55:43 -05:00			`## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.`
Add more kernel hardening parameters 2019-06-23 13:54:34 -04:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"`

More kernel hardening 2019-12-18 15:43:01 -05:00			`## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"`

			`## Enables page allocator freelist randomization.`
			`if dpkg --compare-versions "${kver}" ge "5.2"; then`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"`
			`fi`

			`## Enables kernel lockdown.`
disable lockdown for now due to module loading 2019-12-23 03:41:54 -05:00			`##`
			`## Disabled for now as it enforces module signature verification which breaks`
			`## too many things.`
comment 2019-12-23 03:46:02 -05:00			`## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880`
disable lockdown for now due to module loading 2019-12-23 03:41:54 -05:00			`##`
			`#if dpkg --compare-versions "${kver}" ge "5.4"; then`
			`# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"`
			`#fi`
Gather more entropy during boot 2020-02-16 14:51:32 -05:00
			`## Gather more entropy during boot.`
			`##`
			`## Requires linux-hardened kernel patch.`
			`## https://github.com/anthraxx/linux-hardened`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"`
Prevent kernel info leaks in console during boot. add kernel parameter `quiet loglevel=0` https://phabricator.whonix.org/T950 2020-04-23 12:26:31 -04:00
Restrict access to debugfs 2020-09-28 15:21:20 -04:00			`## Restrict access to debugfs since it can contain a lot of sensitive information.`
			`## https://lkml.org/lkml/2020/7/16/122`
			`## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"`