From 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 06:30:11 +0000 Subject: [PATCH] Remove the option to reduce the MCE tolerance level --- README.md | 3 --- ..._kernel_hardening.cfg#security-misc-shared | 19 ------------------- 2 files changed, 22 deletions(-) diff --git a/README.md b/README.md index 4ee2d0b..112ab3b 100644 --- a/README.md +++ b/README.md @@ -225,9 +225,6 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to - always force kernel panics on any uncorrected hardware errors detected by the CPU. - - Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index da6b63a..7ab1e46 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -161,25 +161,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Reduce the Machine Check Exception (MCE) handler tolerance level. -## Machine checks report internal hardware error conditions detected by the CPU. -## Force the kernel to always panic on any uncorrected errors. -## Improves security using ECC memory against vulnerabilities like Rowhammer. -## Note current x86 CPUs generally do not allow recovery from MCEs. -## Must first be tested to ensure there are no pre-existing issues on user hardware. -## The default kernel setting should be utilized until provided sufficient evidence to modify. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt -## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck -## https://en.wikipedia.org/wiki/Machine-check_exception#Linux -## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 -## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## Note that this must be used with panic=-1 for it to function as intended. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
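Review bot: Missing rationale for the README hunk: the "Optional ... Machine Check Exception (MCE)" bullet is dropped but neither this hunk nor the subject line "Remove the option to reduce the MCE tolerance level" says why. The deleted cfg comment itself gave two candidate reasons ("current x86 CPUs generally do not allow recovery from MCEs" and "The default kernel setting should be utilized until provided sufficient evidence to modify"); stating which one motivated the removal in the commit message would make the README change self-explanatory for anyone reading the history.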
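Review bot: No default behaviour changes in the grub.d hunk, since `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"` was already commented out, but the hunk also removes the only place that records the dependency "this must be used with panic=-1 for it to function as intended" together with the kernel documentation and rowhammer-discuss references. A user who had uncommented `mce=0` locally keeps a setting the file no longer documents; consider a short changelog entry, or a one-line note in the surviving `panic=-1` block, saying the MCE tolerance option was removed and why.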