From f175d1961e4e028539f5a90c0db1fcd1f760cdba Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 07:08:08 +0000 Subject: [PATCH] Enable `ia32_emulation=0` --- README.md | 3 +-- etc/default/grub.d/40_kernel_hardening.cfg | 7 ++----- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ac12886..6a98c52 100644 --- a/README.md +++ b/README.md @@ -225,8 +225,7 @@ Kernel space: since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory. -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. +- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..5ac2c8c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" -## Disable support for x86 processes and syscalls. +## Disable support for all 32-bit x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ 
@@ -218,10 +218,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
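Review bot: in the README hunk, the replacement bullet drops both the `Optional` label and the `(when using Linux kernel >= 6.7)` qualifier, but the version requirement for `ia32_emulation=` still holds and the option, now applied unconditionally, stops every 32-bit x86 binary on the system from running, so the bullet should keep a short caveat. Suggest something like `- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface (requires Linux kernel >= 6.7; 32-bit applications will no longer run).` so a reader knows what the kernel needs and what breaks before adopting the setting.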
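Review bot: in the second `40_kernel_hardening.cfg` hunk, uncommenting `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"` also deletes `## Applicable when using Linux kernel >= 6.7`, which was the only place this file recorded that the parameter has no effect on older kernels; keep one comment line stating the requirement, and if the `## TODO: Debian 13 Trixie` was closed because that release ships a new enough kernel, say so in its place rather than silently removing it. A second line noting that the option is only meaningful when the kernel is built with `CONFIG_IA32_EMULATION` would also help, since the retained `## KSPP does not set CONFIG_IA32_EMULATION` comment already hints that not every hardened kernel has it; with both notes a user who still sees 32-bit binaries execute after a reboot can tell from this file why the setting did not apply.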