From 322584db3346aaa1e3d1f9782b3d22ca2153c7da Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:31:59 +0000 Subject: [PATCH] Update docs on `pti=on` --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 35815ac..87b3742 100644 --- a/README.md +++ b/README.md @@ -208,8 +208,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness + and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..73dca75 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. +## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. +## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". ## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## ## KSPP=yes
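Review bot: The new comment `## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.` mislabels the issue: Meltdown is the rogue-data-cache-load bug (CVE-2017-5754, Project Zero's "Variant 3"), whereas "Spectre" is the name given to Variants 1 and 2, so "Spectre Variant 3" conflates the two families. Suggest `## Mitigates the Meltdown CPU vulnerability (CVE-2017-5754, "Variant 3: rogue data cache load").`. Since this comment block documents a forced setting, it would also help to say that `pti=` is an x86-64-only parameter and that `on` enables page-table isolation even on CPUs the kernel would otherwise judge unaffected (where the default `auto` leaves it off), e.g. `## "pti=on" forces isolation regardless of CPU detection (x86-64 only); "auto" would enable it only on affected models.`; the `GRUB_CMDLINE_LINUX=... pti=on` line itself appears to sit just below this hunk. The added ARM64 pointer is presumably right (`kpti=1` is the arm64 knob), but the referenced 40_cpu_mitigations.cfg is outside this patch, so whether that option is actually set there cannot be confirmed from here.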