Include KSPP compliance notices

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -13,6 +13,9 @@
 
 ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 
 ## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
@@ -24,6 +27,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 
 ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)

etc/default/grub.d/40_kernel_hardening.cfg

@@ -27,6 +27,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
 ## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
 ## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
@@ -39,6 +42,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
 ## https://github.com/Kicksecure/security-misc/issues/253
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 
 ## Zero memory at allocation time and free time.
@@ -47,6 +53,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 
@@ -58,6 +67,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
@@ -65,6 +77,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 ##
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
 ## Enable randomization of the kernel stack offset on syscall entries.
@@ -74,6 +89,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 ## https://lkml.org/lkml/2019/3/18/246
 ## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
 
 ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
@@ -82,6 +100,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
 ## https://lwn.net/Articles/446528/
 ## https://en.wikipedia.org/wiki/VDSO
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 
 ## Restrict access to debugfs by not registering the file system.
@@ -98,6 +119,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
@@ -135,6 +159,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
 ## https://lwn.net/Articles/835542/
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 
 ## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
@@ -143,6 +170,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 ## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
 ## https://lists.openwall.net/linux-kernel/2014/03/11/3
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
@@ -165,6 +195,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
 ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
@@ -175,6 +208,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
 ##
+## KSPP=yes
+## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
+##
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
@@ -186,6 +222,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
 ##
+## KSPP=yes
+## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
 
@@ -197,6 +236,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
 ## https://en.wikipedia.org/wiki/DMA_attack
 ## https://lenovopress.lenovo.com/lp1467.pdf
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
@@ -210,6 +252,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 ## https://mjg59.dreamwidth.org/54433.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 
 ## 3. Entropy:
@@ -234,6 +279,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 ## https://github.com/NixOS/nixpkgs/pull/165355
 ## https://lkml.org/lkml/2022/6/5/271
 ##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 

etc/default/grub.d/40_signed_modules.cfg

@@ -9,6 +9,9 @@
 ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
 ## https://github.com/dell/dkms/issues/359
 ##
+## KSPP=yes
+## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
+##
 ## Not enabled by default yet due to several issues.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
@@ -18,7 +21,10 @@
 ##
 ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
 ##
-## ## Not enabled by default yet due to several issues.
+## KSPP=yes
+## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
+##
+## Not enabled by default yet due to several issues.
 ##
 #if dpkg --compare-versions "${kver}" ge "5.4"; then
 #  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"

usr/lib/sysctl.d/30_security-misc_kexec-disable.conf

@@ -14,4 +14,7 @@
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 kernel.kexec_load_disabled=1

usr/lib/sysctl.d/990-security-misc.conf

@@ -31,11 +31,17 @@
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.kptr_restrict=2
 
 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
 ## Kernel logs often contain sensitive information such as kernel pointers.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y.
+##
 kernel.dmesg_restrict=1
 
 ## Prevent kernel information leaks in the console during boot.
@@ -52,6 +58,9 @@ kernel.dmesg_restrict=1
 ##
 ## https://en.wikipedia.org/wiki/EBPF#Security
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 
@@ -61,6 +70,9 @@ net.core.bpf_jit_harden=2
 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
 ## https://lkml.org/lkml/2019/4/15/890
 ##
+## KSPP=yes
+## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.
+##
 dev.tty.ldisc_autoload=0
 
 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
@@ -69,6 +81,9 @@ dev.tty.ldisc_autoload=0
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
 ## https://duasynt.com/blog/linux-kernel-heap-spray
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 vm.unprivileged_userfaultfd=0
 
 ## Disables kexec, which can be used to replace the running kernel.
@@ -78,6 +93,9 @@ vm.unprivileged_userfaultfd=0
 ##
 ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 #kernel.kexec_load_disabled=1
 
 ## Disable the SysRq key to prevent leakage of kernel information.
@@ -87,6 +105,9 @@ vm.unprivileged_userfaultfd=0
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
+## KSPP=yes
+## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
+##
 kernel.sysrq=0
 
 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
@@ -106,6 +127,9 @@ kernel.unprivileged_userns_clone=0
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.perf_event_paranoid=3
 
 ## Force the kernel to panic on "oopses".
@@ -115,6 +139,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.panic_on_oops=1
@@ -126,6 +153,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
+##
 ## TODO: Debian 13 Trixie
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
@@ -161,6 +191,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ## https://github.com/Kicksecure/security-misc/pull/242
 ##
@@ -188,6 +221,9 @@ kernel.yama.ptrace_scope=2
 ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
 ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_hardlinks=1
 fs.protected_symlinks=1
 
@@ -195,6 +231,9 @@ fs.protected_symlinks=1
 ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_fifos=2
 fs.protected_regular=2
 
@@ -205,6 +244,9 @@ fs.protected_regular=2
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.randomize_va_space=2
 
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
@@ -254,6 +296,9 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 fs.suid_dumpable=0
 
 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
@@ -284,6 +329,9 @@ vm.swappiness=1
 ## https://en.wikipedia.org/wiki/SYN_flood
 ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_SYN_COOKIES=y.
+##
 net.ipv4.tcp_syncookies=1
 
 ## Protect against TCP time-wait assassination hazards.