Merge remote-tracking branch 'github-kicksecure/master'

README.md

@@ -214,9 +214,6 @@ modules from automatically starting.
 
 - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
 
-- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
-  kernel panics, and are generally only used by legacy devices.
-
 - Miscellaneous: Blacklist an assortment of other modules to prevent them from
   automatically loading.
 
@@ -234,14 +231,17 @@ disabling should first be blacklisted for a suitable amount of time.
 
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
+- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
+  kernel panics, and are generally only used by legacy devices.
+
 - GPS: Disable GPS-related modules such as those required for Global Navigation
   Satellite Systems (GNSS).
 
 - Optional - Intel Management Engine (ME): Provides some disabling of the interface
-  between the Intel ME and the OS. May lead to breakages in places such as security,
-  power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
+  between the Intel ME and the OS. May lead to breakages in places such as firmware
+  updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
 
-- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
+- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
   of the Intel PMT components.
 
 - Network File Systems: Disable uncommon and legacy network file systems.
@@ -250,7 +250,8 @@ disabling should first be blacklisted for a suitable amount of time.
   are disabled.
 
 - Miscellaneous: Disable an assortment of other modules such as those required
-  for amateur radio, floppy disks, and vivid.
+  for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
+  have been entirely replaced by newer drivers.
 
 - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 

etc/modprobe.d/30_security-misc_blacklist.conf

@@ -21,52 +21,35 @@ blacklist sr_mod
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 
-## Framebuffer Drivers:
-##
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-##
-blacklist aty128fb
-blacklist atyfb
-blacklist cirrusfb
-blacklist cyber2000fb
-blacklist cyblafb
-blacklist gx1fb
-blacklist hgafb
-blacklist i810fb
-blacklist intelfb
-blacklist kyrofb
-blacklist lxfb
-blacklist matroxfb_bases
-blacklist neofb
-blacklist nvidiafb
-blacklist pm2fb
-blacklist radeonfb
-blacklist rivafb
-blacklist s1d13xxxfb
-blacklist savagefb
-blacklist sisfb
-blacklist sstfb
-blacklist tdfxfb
-blacklist tridentfb
-blacklist vesafb
-blacklist vfb
-blacklist viafb
-blacklist vt8623fb
-blacklist udlfb
-
 ## Miscellaneous:
 ##
+## GrapheneOS:
+## Partial selection of their infrastructure blacklist.
+## Duplicate and already disabled modules have been omitted.
+##
+## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
+##
+#blacklist cfg80211
+#blacklist intel_agp
+#blacklist ip_tables
+blacklist joydev
+#blacklist mousedev
+#blacklist psmouse
+blacklist snd_intel8x0
+#blacklist tls
+#blacklist virtio_balloon
+#blacklist virtio_console
+##
+## Ubuntu:
+## Already disabled modules have been omitted.
+##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 ##
-blacklist ath_pci
 blacklist amd76x_edac
-blacklist asus_acpi
-blacklist bcm43xx
+blacklist ath_pci
 blacklist evbug
-blacklist de4x5
 blacklist pcspkr
-blacklist prism54
 blacklist snd_aw2
 blacklist snd_intel8x0m
 blacklist snd_pcsp

etc/modprobe.d/30_security-misc_disable.conf

@@ -70,6 +70,43 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
 
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
+##
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
@@ -84,7 +121,8 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Intel Management Engine (ME):
 ## Partially disable the Intel ME interface with the OS.
 ## ME functionality has increasing become more intertwined with basic Intel system operation.
-## Disabling may lead to breakages in places such as security, power management, display, and DRM.
+## Disabling may lead to breakages in numerous places without clear debugging/error messages.
+## May cause issues with firmware updates, security, power management, display, and DRM.
 ##
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
@@ -105,7 +143,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 #install mei_wdt /usr/bin/disabled-intelme-by-security-misc
 #install microread_mei /usr/bin/disabled-intelme-by-security-misc
 
-## Intel Platform Monitoring Technology Telemetry (PMT):
+## Intel Platform Monitoring Technology (PMT) Telemetry:
 ## Disable some functionality of the Intel PMT components.
 ##
 ## https://github.com/intel/Intel-PMT
@@ -221,6 +259,17 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
 ##
+## Replaced:
+## These legacy drivers have all been entirely replaced and superseded by newer drivers.
+## These were all previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+##
+install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
+install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
+install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
+install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##

usr/bin/disabled-bluetooth-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-cdrom-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-filesys-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-firewire-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-framebuffer-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-gps-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-intelme-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-intelpmt-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-miscellaneous-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-netfilesys-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-network-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-thunderbolt-by-security-misc

@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1