README.md: Organise kernel boot parameters

Raja Grewal 2024-08-21 12:52:48 +10:00
parent b87a18d405
commit 342caf82b2
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4


@ -117,6 +117,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
configuration file.
Kernel space:
- Disable merging of slabs with similar size, which reduces the risk of
triggering heap overflows and limits influencing slab cache layout.
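Review bot: the new group label `Kernel space:` is a bare text line sitting directly before a `-` list, so in rendered Markdown it will not stand out as a section divider; this README already uses `###` headings (see `### mmap ASLR` further down), so either promote the label to a heading of that style or make it bold, and make sure a blank line separates it from the preceding paragraph (`configuration file.`) so Markdown does not fold the label into that paragraph.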
@ -160,18 +162,24 @@ configuration file.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware.
Entropy:
- Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized.
Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface.
### mmap ASLR
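Review bot: the item "Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)" is ambiguous on an x86-64 host, where native processes are also x86; if the intent is dropping the 32-bit compatibility layer, say "32-bit (ia32) x86 processes and syscalls" so a reader does not take it as disabling native execution. The same labelling point applies to the new `Direct memory access:`, `Entropy:` and `Networking:` lines: they are plain text rather than headings in the `### mmap ASLR` style, so the grouping is lost once rendered. The "May cause boot failure on certain hardware" caveat on the busmaster item is the right kind of note; the optional IPv6 item would benefit from a matching one, since disabling the whole stack also breaks any service that depends on IPv6 connectivity.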