Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-27 20:14:36 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'raja/amd_encrypt_sev' into arraybolt3/trixie-raja-merge

Browse source
This commit is contained in:
Aaron Rainbolt 2025-12-13 18:27:22 -06:00
commit 39ce591976
No known key found for this signature in database
GPG key ID: A709160D73C79109
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -255,6 +255,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits.
## SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity.
## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
@ -265,6 +267,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
## https://github.com/AMDESE/AMDSEV
## https://en.wikichip.org/wiki/x86/sme
## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
## https://mricher.fr/post/amd-memory-encryption/
@ -273,6 +276,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1"
## Prevent processes from writing to block devices that are mounted by filesystems.
## Enhances system stability and security by protecting against runaway privileged processes.