security-misc/etc/default/grub.d/40_kernel_hardening.cfg

225 lines
10 KiB
INI
Raw Normal View History

2024-05-10 23:18:36 -04:00
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
2019-11-05 09:55:43 -05:00
## See the file COPYING for copying conditions.
kpkg="linux-image-$(dpkg --print-architecture)" || true
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
2019-12-23 05:00:35 -05:00
#echo "## kver: $kver"
2019-12-18 15:43:01 -05:00
2024-07-19 04:30:42 -04:00
## This configuration file is split into 4 sections:
## 1. Kernel Space
## 2. Direct Memory Access
## 3. Entropy
## 4. Networking
2019-05-05 16:17:33 -04:00
2024-07-17 11:52:29 -04:00
## See the documentation below for details on the majority of the selected commands:
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
2019-12-23 14:44:52 -05:00
## 1. Kernel Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
2019-05-05 16:17:33 -04:00
## Disable merging of slabs with similar size.
## Reduces the risk of triggering heap overflows.
## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
##
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
2019-06-23 13:54:34 -04:00
## Zero memory at allocation time and free time.
## Fills newly allocated pages, freed pages, and heap objects with zeros.
## Mitigates use-after-free exploits by erasing sensitive information in memory.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
2019-12-18 15:43:01 -05:00
2024-07-17 11:52:29 -04:00
## Enable the kernel page allocator to randomize free lists.
## During early boot, the page allocator has predictable FIFO behavior for physical pages.
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
2024-07-17 11:52:29 -04:00
## Also improves performance by optimizing memory-side cache utilization.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
2019-12-18 15:43:01 -05:00
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
## Mitigates the Meltdown CPU vulnerability.
##
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
2024-07-17 11:52:29 -04:00
## Enable randomization of the kernel stack offset on syscall entries.
## Hardens against memory corruption attacks due to increased entropy.
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
##
2022-07-12 14:34:35 -04:00
## https://lkml.org/lkml/2019/3/18/246
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
##
2022-07-12 14:34:35 -04:00
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
##
## https://lwn.net/Articles/446528/
## https://en.wikipedia.org/wiki/VDSO
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
2020-02-16 14:51:32 -05:00
## Restrict access to debugfs by not registering the file system.
## Deactivated since the file system can contain sensitive information.
2020-02-16 14:51:32 -05:00
##
2020-09-28 15:21:20 -04:00
## https://lkml.org/lkml/2020/7/16/122
##
2020-09-28 15:21:20 -04:00
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
2022-07-19 14:06:35 -04:00
## Force the kernel to panic on "oopses".
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Also cause panics on machine check exceptions.
## Panics may be due to false-positives such as bad drivers.
2024-07-17 08:39:20 -04:00
##
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
## Modify machine check exception handler.
## Can decide whether the system should panic or not based on the occurrence of an exception.
##
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
## https://forums.whonix.org/t/kernel-hardening/7296/494
##
2024-07-17 11:52:29 -04:00
## The default kernel setting will be utilized until provided sufficient evidence to modify.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
## Prevent sensitive kernel information leaks in the console during boot.
## Must be used in combination with the kernel.printk sysctl.
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
##
2024-07-15 00:50:29 -04:00
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
## https://wiki.archlinux.org/title/silent_boot
##
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## As of Linux kernel 6.2, FineIBT has been the default implementation.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in performance benefits as it only performs checking at destinations.
## FineIBT is weaker against attacks that can write arbitrary executable in memory.
## Upstream hardening has given users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both.
## Do not modify this parameter if unsure of implications.
##
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html
## https://source.android.com/docs/security/test/kcfi
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
##
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#cfi=kcfi
## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
##
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#ia32_emulation=0
## 2. Direct Memory Access:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
2024-07-15 11:03:41 -04:00
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
## Enable and force use of IOMMU translation to protect against DMA attacks.
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
## Ensures devices will never be able to access stale data contents.
##
## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
## https://en.wikipedia.org/wiki/DMA_attack
## https://lenovopress.lenovo.com/lp1467.pdf
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
## Disable the busmaster bit on all PCI bridges during the early boot process.
2024-07-17 11:52:29 -04:00
## Patches weak points in some existing IOMMU implementations.
## May lead to issues such as complete system boot failure on certain devices.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
## https://mjg59.dreamwidth.org/54433.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## 3. Entropy:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
2024-07-17 08:39:20 -04:00
## Numerous implementations of RDRAND have a long history of being defective.
## The RNG seed passed by the bootloader could also potentially be tampered.
2024-07-17 11:52:29 -04:00
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://systemd.io/RANDOM_SEEDS/
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
## https://x.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://github.com/NixOS/nixpkgs/pull/165355
## https://lkml.org/lkml/2022/6/5/271
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
2024-07-17 11:52:29 -04:00
## Obtain more entropy during boot as the runtime memory allocator is being initialized.
## Entropy will be extracted from up to the first 4GB of RAM.
## Requires the linux-hardened kernel patch.
##
## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## 4. Networking
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
## Disable the entire IPv6 stack functionality.
## Removes attack surface associated with the IPv6 module.
2024-07-17 08:39:20 -04:00
##
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
##
2024-07-17 22:19:27 -04:00
## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
##
2024-07-17 08:39:20 -04:00
#ipv6.disable=1