Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2025-01-29 09:36:28 -05:00
commit 10508cb580
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 45 additions and 3 deletions

@ -138,9 +138,44 @@ configuration file and significant hardening is applied to a myriad of component
Mitigations for known CPU vulnerabilities are enabled in their strictest form Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
complete protection for known CPU vulnerabilities, the latest security microcode
(BIOS/UEFI) updates must also be installed on the system. Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
CPU mitigations:
- Disable Simultaneous Multithreading (SMT)
- Spectre Side Channels (BTI and BHI)
- Speculative Store Bypass (SSB)
- L1 Terminal Fault (L1TF)
- Microarchitectural Data Sampling (MDS)
- TSX Asynchronous Abort (TAA)
- iTLB Multihit
- Special Register Buffer Data Sampling (SRBDS)
- L1D Flushing
- Processor MMIO Stale Data
- Arbitrary Speculative Code Execution with Return Instructions (Retbleed)
- Cross-Thread Return Address Predictions
- Speculative Return Stack Overflow (SRSO)
- Gather Data Sampling (GDS)
- Register File Data Sampling (RFDS)
Boot parameters relating to kernel hardening, DMA mitigations, and entropy Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
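Review bot: the new `CPU mitigations:` list mixes settings with vulnerability names: `Disable Simultaneous Multithreading (SMT)` and `L1D Flushing` are mitigations that get applied, while every other item (Spectre BTI/BHI, SSB, L1TF, MDS, TAA, ..., RFDS) is a vulnerability being mitigated, so a reader cannot tell from the heading which is which; retitle it (for example "Vulnerabilities mitigated and settings applied") or split it into two lists. The README also still says mitigations are enabled "in their strictest form", while the config-file comment touched in this same commit describes "a subset of known mitigations for some CPU vulnerabilities"; pick one wording and use it in both places. Please also confirm the list is separated from the sentence ending `...updates.` and from `Boot parameters relating to kernel hardening...` by blank lines, since the rendered diff does not show them and without them the label and the list run into the surrounding paragraphs in Markdown.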

@ -26,6 +26,13 @@
## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
## The parameters below only provide (partial) protection at both the kernel and user space level. ## The parameters below only provide (partial) protection at both the kernel and user space level.
## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
## If using compatible hardware, the database can be updated directly in user space using fwupd.
## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
## ##
## KSPP=yes ## KSPP=yes
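Review bot: the DBX comment block says "If using compatible hardware, the database can be updated directly in user space using fwupd" but gives the user no way to tell whether their system qualifies; next to the two links, suggest adding the check, e.g. `## Check support with: fwupdmgr get-devices` (fwupd exposes the DBX as an updatable device on hardware its plugin supports). The sentence "contains signatures of now revoked firmware and software used in booting systems" is also loose: DBX entries are hashes and certificates of revoked boot components (the UEFI spec calls these "signatures", but they are not the software's own cryptographic signatures), so "contains hashes and certificates of revoked bootloaders and firmware components" would be more accurate. Finally, the six new `##` lines are appended directly to the BIOS/UEFI warning and run straight into `## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.` with no blank `##` separator; add one before and after the DBX block so it reads as its own paragraph rather than as part of the mitigation description.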