diff --git a/README.md b/README.md index 38cc8e0..ab0c69a 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,7 @@ and simultaneous multithreading (SMT) is disabled. See the Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. CPU mitigations: @@ -226,8 +226,8 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. Direct memory access: diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9b29760..efc9e5e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -30,6 +30,7 @@ ## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. ## If using compatible hardware, the database can be updated directly in user space using fwupd. ## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://github.com/microsoft/secureboot_objects ## https://uefi.org/revocationlistfile ## https://github.com/fwupd/fwupd diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. +## Both the UEFI variable storage and ACPI ERST backends are deactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ @@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://github.com/Kicksecure/security-misc/issues/299 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## 2. Direct Memory Access: ## diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3b2e38c..eaa671e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## +## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 +## ## KSPP=yes ## KSPP sets the sysctl. ## @@ -475,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1 ## https://github.com/mullvad/mullvadvpn-app/pull/7141 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## +## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. +## https://github.com/Kicksecure/security-misc/pull/290 +## net.ipv4.conf.*.arp_ignore=2 ## Drop gratuitous ARP (Address Resolution Protocol) packets.