Add KSPP notice definitions

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

etc/default/grub.d/40_kernel_hardening.cfg

@@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
 kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
 #echo "## kver: $kver"
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
 ## 2. Direct Memory Access

etc/default/grub.d/40_remount_secure.cfg

@@ -1,6 +1,10 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
 

etc/default/grub.d/40_signed_modules.cfg

@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
 ## This prevents all out-of-tree kernel modules unless signed.

etc/default/grub.d/41_quiet_boot.cfg

@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
 ## LANG=C str_replace is provided by package helper-scripts.

usr/lib/sysctl.d/30_security-misc_kexec-disable.conf

@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
 ## requires kexec. However, ram-wipe cannot ship a config file

usr/lib/sysctl.d/30_silent-kernel-printk.conf

@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.

usr/lib/sysctl.d/990-security-misc.conf

@@ -6,6 +6,10 @@
 ## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf.
 ## https://github.com/Kicksecure/security-misc/pull/135
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## This configuration file is divided into 5 sections:
 ## 1. Kernel Space
 ## 2. User Space