Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-25 05:55:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

Add KSPP notice definitions

Browse source
This commit is contained in:
Raja Grewal 2024-08-26 11:34:12 +10:00
parent 2841d789be
commit 2c356e8b0e
No known key found for this signature in database
GPG key ID: 92CA473C156B64C4
8 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
etc/default/grub.d/40_cpu_mitigations.cfg
View file

@ -1,6 +1,10 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## Enable known mitigations for CPU vulnerabilities.
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

4
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
#echo "## kver: $kver"
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## This configuration file is split into 4 sections:
## 1. Kernel Space
## 2. Direct Memory Access

4
etc/default/grub.d/40_remount_secure.cfg
View file

@ -1,6 +1,10 @@
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## Remount Secure provides enhanced security via mount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure

4
etc/default/grub.d/40_signed_modules.cfg
View file

@ -1,6 +1,10 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## Require every kernel module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This prevents all out-of-tree kernel modules unless signed.

4
etc/default/grub.d/41_quiet_boot.cfg
View file

@ -1,6 +1,10 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## Some default configuration files automatically include the "quiet" parameter.
## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
## LANG=C str_replace is provided by package helper-scripts.