From 9db63d97770e62749c0b602dd9e7d2d4d6a1128b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 01:01:14 +0000 Subject: [PATCH 01/16] README: Update KSSP compliance status --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index a73f6b0..7bb18f7 100644 --- a/README.md +++ b/README.md @@ -279,23 +279,15 @@ there are a few cases of partial or non-compliance due to technical limitations. More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with the KSPP's recommendations. -**Partial compliance:** - -1. `sysctl kernel.yama.ptrace_scope=3` - -Completely disables `ptrace()`. Can be enabled easily if needed. - -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) - **Non-compliance:** -2. `sysctl user.max_user_namespaces=0` +1. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -3. `sysctl fs.binfmt_misc.status=0` +2. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. 
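Review bot: the intro sentence kept as context at the top of this README hunk still reads "there are a few cases of partial or non-compliance due to technical limitations", but the hunk deletes the entire **Partial compliance:** section (the `sysctl kernel.yama.ptrace_scope=3` entry) and leaves only the **Non-compliance:** list. Either change the sentence to "a few cases of non-compliance" or say explicitly that the `ptrace_scope` item now counts as compliant, otherwise the reader looks for a partial-compliance list that no longer exists.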
@@ -303,6 +295,14 @@ feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) +3. Kernel boot parameter `hash_pointers=always` + +Forces all exposed pointers to be hashed and must be used in combination with already enabled +kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. + +* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) +* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) + ### Kernel Modules #### Kernel Module Signature Verification From f690b58870bd90582018cec51046f4ed67a414d4 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 02:08:44 +0000 Subject: [PATCH 02/16] Add docs relating to panic on OOM --- README.md | 7 ++++--- .../990-security-misc.conf#security-misc-shared | 13 ++++++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7bb18f7..8d1119a 100644 --- a/README.md +++ b/README.md 
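Review bot: the new item 3 states the dependency backwards. "must be used in combination with already enabled kernel boot parameter `slab_debug=FZ`" reads as though `hash_pointers=always` needs `slab_debug`, whereas it is `slab_debug=FZ` that switches off `%p` hashing (the grub file's own comment says so: "this will implicitly disabling kernel pointer hashing unless manually re-enabled") and `hash_pointers=always` exists to turn it back on. Suggest: "Re-enables kernel pointer hashing, which the already enabled `slab_debug=FZ` boot parameter otherwise disables." The last sentence also needs a subject: "Currently not possible as it requires Linux kernel >= 6.17."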
@@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial of service attacks and both cold and warm boot attacks. -- Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Force immediate kernel panic on OOM (out of memory) which the above setting will force + an immediate system reboot, as opposed to placing any reliance on the oom_killer to + avoid arbitrarily terminating security features based on their OOM score. Note this creates + the risk of userspace-based denial of service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index d99a580..5faeec0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
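Review bot: the rewritten README bullet is a run-on that no longer parses: "Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot, as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score." Suggest splitting it: "Force an immediate kernel panic on OOM (out of memory). Combined with the setting above this reboots the system instead of relying on the oom_killer, which would otherwise terminate processes, including security features such as the screen locker, kloak and emerg-shutdown, purely by OOM score. Note this creates the risk of userspace denial-of-service attacks that deliberately exhaust memory." The original text's concrete list of affected components is worth keeping rather than dropping.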
@@ -199,11 +199,18 @@ kernel.perf_event_paranoid=3 ## #kernel.panic=-1 -## Force immediate kernel panic on OOM. -## This is to avoid security features such as the screen locker, kloak, emerg-shutdown -## from being arbitrarily terminated when the system starts running out of memory. +## Force immediate kernel panic on OOM (out of memory) scenarios. +## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. +## Note that this must be used with kernel.panic=-1 for it to be function as intended. +## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. +## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. +## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## +## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 +## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 +## vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 00:48:57 +0000 Subject: [PATCH 03/16] Add docs relating `extra_latent_entropy` --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..39b04c5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
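Review bot: in the `vm.panic_on_oom=2` comment block, "kill some rouge process" should be "kill a rogue process", and "for it to be function as intended" should be "to function as intended". Two substantive points as well: the hunk's own leading context line shows `#kernel.panic=-1` is commented out in this sysctl file (it is applied by `/usr/libexec/security-misc/panic-on-oops` instead), so "must be used with kernel.panic=-1" should say where that value is actually set; and the comment should explain why `2` rather than `1`: `vm.panic_on_oom=1` panics only on a system-wide OOM and lets the oom_killer run for allocations constrained by a cpuset, mempolicy or memory cgroup, while `2` panics unconditionally. Since a container or cgroup-limited service hitting its own limit will then reboot the whole host, that distinction belongs next to the risk sentence.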
@@ -308,6 +308,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. +## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened From 11d9b9403854ae7cd2638765e8350257580be35f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 01:01:28 +0000 Subject: [PATCH 04/16] Add docs on entropy --- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 39b04c5..c8209f5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -288,6 +288,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialize the RNG. +## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception 
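Review bot: in the `extra_latent_entropy` hunk, "entropy extracted this way is not cryptographically secure and so is not credited" misstates the reason. The data is mixed into the pool without being credited because its unpredictability cannot be quantified, not because mixing it is unsafe; uncredited input never weakens the pool. Suggest: "Entropy gathered this way cannot be quantified and is therefore mixed into the pool without being credited." Likewise "due to interrupting the boot process" is vague; the cost is reading and hashing up to the first 4GB of RAM. Separately, the line added in the following hunk, "RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources", is inaccurate: RDSEED returns conditioned output of the hardware entropy source directly, and it is RDRAND's DRBG that is periodically reseeded from it. That line should be reworded or dropped (the series itself removes it again in PATCH 08).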
@@ -299,6 +300,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 +## https://lwn.net/Articles/961121/ +## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From 9f7480e20adf148dcb7dbe80e704f3f79691b657 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 19 Oct 2025 01:41:58 +0000 Subject: [PATCH 05/16] Make terminology consistent --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- .../sysctl.d/990-security-misc.conf#security-misc-shared | 6 +++--- .../security-misc/panic-on-oops#security-misc-shared | 5 +++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 537b72a..3459fc6 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,12 @@ configuration file and significant hardening is applied to a myriad of component and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial of service attacks and both cold and warm boot attacks. + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot, as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score. Note this creates - the risk of userspace-based denial of service attacks that maliciously fill memory. + the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. 
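Review bot: the README hunk in this terminology pass touches the OOM bullet only to hyphenate "denial-of-service" but leaves the surrounding sentence ungrammatical: "Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot". Since the hunk already rewrites these lines, fix the sentence here ("which, combined with the setting above, forces an immediate system reboot") rather than carrying the run-on through another patch.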
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c8209f5..21e2c06 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -126,7 +126,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index aeb3fe0..4e8625c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -171,7 +171,7 @@ kernel.perf_event_paranoid=3 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops 
@@ -188,7 +188,7 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## @@ -531,7 +531,7 @@ net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements (RAs) and solicitations. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial of service attacks. +## Flooding the network with malicious RAs can lead to denial-of-service attacks. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## ## https://datatracker.ietf.org/doc/html/rfc6104 diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared index 54731c9..5e32d02 100755 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ b/usr/libexec/security-misc/panic-on-oops#security-misc-shared 
@@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This reduces the risk and impact of denial of -## service attacks and both cold and warm boot attacks. +## kernel panic. This reduces the risk and impact of denial-of-service +## attacks and both cold and warm boot attacks. +## ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic sysctl kernel.panic=-1 From 8f78269949217ac11163cc8b6f17147621fef6eb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 20 Oct 2025 05:36:54 +0000 Subject: [PATCH 06/16] Add docs on slab_debug --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3459fc6..42220a2 100644 --- a/README.md +++ b/README.md @@ -298,8 +298,8 @@ feasible due to compatibility issues with Firefox. 3. Kernel boot parameter `hash_pointers=always` -Forces all exposed pointers to be hashed and must be used in combination with already enabled -kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. +Force all exposed pointers to be hashed and must be used in combination with the already enabled +`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. * [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) * [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 21e2c06..fac7117 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
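Review bot: the README hunk for item 3 still does not read as a sentence after the rewrite: "Force all exposed pointers to be hashed and must be used in combination with the already enabled `slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17." Suggest: "Forces all exposed pointers to be hashed, re-enabling the hashing that the already enabled `slab_debug=FZ` boot parameter disables. Currently not possible as it requires Linux kernel >= 6.17."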
@@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption. +## Sanity checks force additional verification steps on every memory allocation and free operation. +## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries. ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. +## Introduces a noticeable performance overhead during all memory allocation and deallocation operations. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://www.kernel.org/doc/Documentation/vm/slub.txt ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## From d175d1be525edd8fb6140680c31425c8a89cc244 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 2 Nov 2025 15:54:34 +1100 Subject: [PATCH 07/16] Add doc on entropy related failure on AMD Zen 5 CPUs --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index fac7117..5af1493 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
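Review bot: the added reference `https://www.kernel.org/doc/Documentation/vm/slub.txt` is the pre-rst location of the same SLUB document already linked one line above (`https://www.kernel.org/doc/html/latest/mm/slub.html`); drop the duplicate. While this hunk is rewriting the block, the unchanged context line "this will implicitly disabling kernel pointer hashing" should become "this implicitly disables kernel pointer hashing", and the new description of red zoning is slightly off: red zones are guard padding placed around each object whose known fill pattern is checked on free, rather than "extra metadata" inside the object.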
@@ -306,6 +306,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ +## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From 019a0cf72c99f9f10fd42afbfed96c283e17e458 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:03:19 +0000 Subject: [PATCH 08/16] Update docs on entropy --- README.md | 4 +++- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 +++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 578e822..c5e69e6 100644 --- a/README.md +++ b/README.md @@ -250,7 +250,9 @@ Direct memory access: Entropy: - Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. + maximize the absolute quantity of entropy in the combined pool. This is desirable + for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 5af1493..4894a29 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
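Review bot: the README hunk's new sentence has its words out of order: "reliant proprietary on RDRAND and RDSEED CPU instructions for random number generation that have long history of being defective" should be "reliant on the proprietary RDRAND and RDSEED CPU instructions for random number generation, which have a long history of being defective". In the preceding hunk, the bare AMD bulletin URL would be more useful with a one-line annotation saying what it documents, as the commit subject ("entropy related failure on AMD Zen 5 CPUs") does.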
@@ -287,19 +287,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand ## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. +## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND and RDSEED have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. +## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 From 37b493826ec60397c6019959abb7e0631dd33ed4 Mon Sep 17 00:00:00 2001 
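Review bot: the retained line "Note that distrusting these (relatively fast) sources of entropy will increase boot time" is imprecise about the actual cost. `random.trust_cpu=off` and `random.trust_bootloader=off` do not slow the kernel down; they prevent the CRNG from being marked initialized until other sources have contributed enough entropy, so early `getrandom()` callers (and systemd services that depend on them) block for longer. Suggest: "Not crediting these sources delays CRNG initialization, so early consumers of getrandom() may block and boot can take longer." The same wording is copied into both new blocks in the following patch, so fixing it here saves fixing it twice.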
From: raja-grewal Date: Wed, 5 Nov 2025 00:03:54 +0000 Subject: [PATCH 09/16] Spit distrusting entropy settings for clarity --- README.md | 12 +++++--- ..._kernel_hardening.cfg#security-misc-shared | 29 +++++++++++++------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index c5e69e6..dc9649d 100644 --- a/README.md +++ b/README.md @@ -249,10 +249,14 @@ Direct memory access: Entropy: -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. This is desirable - for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU - instructions for random number generation that have long history of being defective. +- Do not credit the CPU seeds as an entropy sources at boot in order to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations reliant proprietary on RDRAND and RDSEED CPU instructions + for random number generation that have long history of being defective. + +- Do not credit the bootloader seeds as an entropy sources at boot to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations as seeds passed by the bootloader could be tampered. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 4894a29..2b7d217 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
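Review bot: both new README bullets have number agreement errors ("as an entropy sources" should be "as entropy sources" or "as an entropy source"), and the CPU bullet repeats the garbled phrase from the previous patch: "reliant proprietary on RDRAND and RDSEED CPU instructions for random number generation that have long history of being defective". Suggest for the CPU bullet: "Do not credit CPU-provided seeds as an entropy source at boot, maximizing the absolute quantity of entropy in the combined pool. This matters for all cryptographic operations that would otherwise rely on the proprietary RDRAND and RDSEED instructions, which have a long history of defective implementations." The bootloader bullet can then simply say "could have been tampered with".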
@@ -286,31 +286,42 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand -## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## Do not credit the CPU seeds as an entropy sources at boot. ## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND and RDSEED have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. ## -## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://en.wikipedia.org/wiki/RDRAND ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## KSPP sets CONFIG_RANDOM_TRUST_CPU=y. 
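Review bot: the new first line of the CPU block, "Do not credit the CPU seeds as an entropy sources at boot", has the same singular/plural clash as the README; use "as an entropy source". Also, the hunk drops the Ars Technica AMD microcode article and the NixOS PR from this block; the NixOS link reappears in the bootloader block below, which is right, but the Ars Technica piece is about a defective RDRAND implementation and belongs with the CPU block, so it should stay rather than be removed.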
+## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Do not credit the bootloader seeds as an entropy source at boot. +## The RNG seed passed by the bootloader could potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. +## +## https://systemd.io/RANDOM_SEEDS/ +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. From a46f678c7f8715fd1cedd1102f9815b9d845ccb3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:05:17 +0000 Subject: [PATCH 10/16] Update docs on latent entropy --- README.md | 3 +++ .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dc9649d..35005e7 100644 --- a/README.md +++ b/README.md @@ -261,6 +261,9 @@ Entropy: - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +- Obtain more entropy at boot from RAM as the runtime memory allocator is being + initialized to maximize the absolute quantity of entropy in the combined pool. + Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2b7d217..db65fea 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
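Review bot: the README hunk adds a bullet that duplicates the one immediately above it. The existing line "Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized." is kept, and the new bullet repeats it word for word with "to maximize the absolute quantity of entropy in the combined pool" appended. Replace the existing bullet instead of adding a second one. In the grub hunk above it, "could potentially be tampered" should read "could potentially be tampered with".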
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -324,8 +324,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. +## Entropy will be extracted from up to the first 4GB of RAM as another source. ## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## From a3830db09e3f567237caefb687ef2da877573b03 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 9 Nov 2025 13:42:31 +0000 Subject: [PATCH 11/16] Update docs relating to panic on OOM --- README.md | 7 ++++--- .../sysctl.d/990-security-misc.conf#security-misc-shared | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8111c5f..0acc17b 100644 --- a/README.md +++ b/README.md 
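Review bot: the two new comment lines in the `extra_latent_entropy` block contradict each other. "entropy extracted this way is not cryptographically secure and so is not credited" is immediately followed by "Maximizing the entropy pool at boot is desirable for all cryptographic operations", but uncredited input does not raise the pool's entropy count, so this option cannot "maximize the entropy pool" in the sense the other blocks use. Suggest replacing the second line with something like "Mixing in additional uncredited input still adds unpredictability to the pool even though it does not count towards CRNG initialization", and rewording the first as "cannot be quantified and is therefore not credited".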
@@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting + will force an immediate system reboot as opposed to placing any reliance on the oom_killer + to avoid arbitrarily terminating security features based on their OOM score. Note this + creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 9f2220d..84c038d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
@@ -204,13 +204,14 @@ kernel.perf_event_paranoid=3 ## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. -## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## This forces immediate system reboot rather than placing any reliance on the oom_killer. +## Known to cause extreme user experience problems with certain applications as the Tor Browser. +## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. ## ## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 -## Needs more work. ## #vm.panic_on_oom=2 From b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 10 Nov 2025 06:03:33 +0000 Subject: [PATCH 12/16] Add docs on logging martian packets --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 84c038d..594ea33 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
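Review bot: the two new comment lines need rewording: "with certain applications as the Tor Browser" should be "such as the Tor Browser", and "Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users" does not parse; suggest "Enabling this by default would require upstream userspace OOM handling that accounts better for desktop workloads." Since this hunk turns the setting into `#vm.panic_on_oom=2`, it would also help to state in the comment that the setting is shipped disabled, matching the "Optional" label the README hunk adds.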
@@ -579,6 +579,8 @@ net.ipv4.tcp_timestamps=0 ## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ +## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. From 0b9b9ffb1e87850e3296d0420c305062b66868d5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 11 Nov 2025 11:32:47 +0000 Subject: [PATCH 13/16] Improve clarity for panic on OOM --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 594ea33..121ee5c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -201,7 +201,6 @@ kernel.perf_event_paranoid=3 ## Force immediate kernel panic on OOM (out of memory) scenarios. ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. -## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. ## This forces immediate system reboot rather than placing any reliance on the oom_killer. 
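Review bot: removing "Note that this must be used with kernel.panic=-1 for it to be function as intended." from the top of the `vm.panic_on_oom` block leaves the next retained line, "Enabling these two together creates a risk of userspace-based denial-of-service attacks", with no antecedent for "these two", and the reader does not learn what the second setting is until the note is re-added at the bottom of the block in the following hunk. Either keep a short mention of `kernel.panic=-1` in this sentence ("Enabling this together with kernel.panic=-1 creates a risk...") or move the risk sentence down with the note.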
@@ -213,6 +212,8 @@ kernel.perf_event_paranoid=3 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 ## +## Note that this must be used with kernel.panic=-1 for it to function as intended. +## #vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 04:51:01 +0000 Subject: [PATCH 14/16] Make panic related settings consistent Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. --- README.md | 7 +++-- ..._kernel_hardening.cfg#security-misc-shared | 26 ++++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0acc17b..9d069d5 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,11 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Modify the machine check exception handler. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index db65fea..f67c6c3 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -126,22 +126,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to immediately panic on "oopses". +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" + +## Force immediate system reboots on the occurrence of a single kernel panic. 
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. +## +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception. From 9f897c5ccda781d010077446abb3d176cf929c94 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 05:48:33 +0000 Subject: [PATCH 15/16] Update docs on reducing the MCE tolerance level --- README.md | 3 ++- .../40_kernel_hardening.cfg#security-misc-shared | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9d069d5..4ee2d0b 100644 --- a/README.md +++ b/README.md @@ -225,7 +225,8 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Modify the machine check exception handler. +- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to + always force kernel panics on any uncorrected hardware errors detected by the CPU. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index f67c6c3..da6b63a 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
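Review bot: The rewritten Whonix forum link in this hunk introduces a typo in the URL slug: `kernel-panisc-on-oops-1-sysctl` replaces the previously correct `kernel-panic-on-oops-1-sysctl`, so the link no longer points at the intended thread. Separately, "Both allowed limits are set to one" does not describe the parameters this hunk actually adds: `oops=panic` and `panic_on_warn=1` are on/off switches that make the first oops or warning fatal, not numeric limits, so reword rather than imply a count is being configured. Finally, the new `panic=-1` block says it "Increases resilience" while the same hunk notes that panics "may be due to false-positives such as bad drivers"; combined with `panic_on_warn=1`, a warning emitted early in boot would produce an unattended reboot loop, so the comment should state how an operator recovers from that case.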
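Review bot: The new README bullet has a doubled article: "Reduce the the Machine Check Exception (MCE) handler tolerance level" should read "Reduce the Machine Check Exception (MCE) handler tolerance level".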
@@ -161,14 +161,22 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. +## Reduce the Machine Check Exception (MCE) handler tolerance level. +## Machine checks report internal hardware error conditions detected by the CPU. +## Force the kernel to always panic on any uncorrected errors. +## Improves security using ECC memory against vulnerabilities like Rowhammer. +## Note current x86 CPUs generally do not allow recovery from MCEs. +## Must first be tested to ensure there are no pre-existing issues on user hardware. +## The default kernel setting should be utilized until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt +## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck +## https://en.wikipedia.org/wiki/Machine-check_exception#Linux +## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## -## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Note that this must be used with panic=-1 for it to function as intended. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" From 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 06:30:11 +0000 Subject: [PATCH 16/16] Remove the option to reduce the MCE tolerance level --- README.md | 3 --- ..._kernel_hardening.cfg#security-misc-shared | 19 ------------------- 2 files changed, 22 deletions(-) diff --git a/README.md b/README.md index 4ee2d0b..112ab3b 100644 --- a/README.md +++ b/README.md 
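Review bot: The reference list in this hunk now links the same document twice: the retained `https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html` and the newly added `https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck` are the rendered and plain-text forms of one file, and the plain-text `boot-options.txt` replaces the rendered `boot-options.html#machine-check` link that pointed directly at the relevant section. Keep one form per document, preferably the rendered `html/latest` links with their anchors. The block also reads as self-contradictory: it says "The default kernel setting should be utilized until provided sufficient evidence to modify" and then "this must be used with panic=-1 for it to function as intended"; since `mce=0` stays commented out, open the block by stating plainly that this is an opt-in option that has not been validated on user hardware, and qualify "Improves security using ECC memory" as applying only to systems that actually have ECC memory.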
@@ -225,9 +225,6 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to - always force kernel panics on any uncorrected hardware errors detected by the CPU. - - Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index da6b63a..7ab1e46 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
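Review bot: This hunk deletes the MCE bullet that [PATCH 15/16] added one commit earlier, and the commit message gives no reason for the reversal. If the option is being dropped deliberately, squash patches 15 and 16 so the series does not add and then remove the same text; otherwise record the rationale (and any tracking issue) in the commit message so later readers know why `mce=0` was rejected.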
@@ -161,25 +161,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Reduce the Machine Check Exception (MCE) handler tolerance level. -## Machine checks report internal hardware error conditions detected by the CPU. -## Force the kernel to always panic on any uncorrected errors. -## Improves security using ECC memory against vulnerabilities like Rowhammer. -## Note current x86 CPUs generally do not allow recovery from MCEs. -## Must first be tested to ensure there are no pre-existing issues on user hardware. -## The default kernel setting should be utilized until provided sufficient evidence to modify. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt -## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck -## https://en.wikipedia.org/wiki/Machine-check_exception#Linux -## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 -## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## Note that this must be used with panic=-1 for it to function as intended. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.