From a1bde21ccb475fc21a084559dbe766f6315d9287 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 17 May 2025 04:41:06 +0000 Subject: [PATCH 1/5] Set `erst_disable` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 38cc8e0..628f732 100644 --- a/README.md +++ b/README.md @@ -226,8 +226,8 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. Direct memory access: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..ee79f81 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. +## Both the UEFI variable storage and ACPI ERST backends are inactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ 
@@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://github.com/Kicksecure/security-misc/issues/299 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## 2. Direct Memory Access: ## From 35fa32e4ed6333f3ab87d09828f13155aa1e7a72 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 17 May 2025 15:06:49 +1000 Subject: [PATCH 2/5] Reword --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ee79f81..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -226,7 +226,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Disable EFI persistent storage feature. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. ## Prevents the kernel from writing crash logs and other persistent data to the storage backend. -## Both the UEFI variable storage and ACPI ERST backends are inactivated. +## Both the UEFI variable storage and ACPI ERST backends are deactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ From dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 3 Jun 2025 12:32:17 +1000 Subject: [PATCH 3/5] Add reference --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3b2e38c..9d4f3eb 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## +## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 +## ## KSPP=yes ## KSPP sets the sysctl. ## From 72613203b9692d1098b13ff98119499a5a30a6da Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 6 Jun 2025 13:07:52 +0000 Subject: [PATCH 4/5] Add reference --- README.md | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 628f732..ab0c69a 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,7 @@ and simultaneous multithreading (SMT) is disabled. See the Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. CPU mitigations: diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9b29760..efc9e5e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -30,6 +30,7 @@ ## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. ## If using compatible hardware, the database can be updated directly in user space using fwupd. ## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://github.com/microsoft/secureboot_objects ## https://uefi.org/revocationlistfile ## https://github.com/fwupd/fwupd From 4314b1e85bd5495832b4398bdbd358c41703dcc9 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 1 Jul 2025 13:36:39 +1000 Subject: [PATCH 5/5] Add comment --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9d4f3eb..eaa671e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -477,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1 ## https://github.com/mullvad/mullvadvpn-app/pull/7141 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## +## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. +## https://github.com/Kicksecure/security-misc/pull/290 +## net.ipv4.conf.*.arp_ignore=2 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
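Review bot: in the README hunk of PATCH 1/5 the sentence "Disable the EFI persistent storage feature which prevents the kernel from writing crash logs ..." reads as if the feature itself does the preventing, and the item is still titled after EFI although the second backend it now names, ACPI ERST, is not an EFI mechanism. Suggest: "Disable the firmware-backed pstore backends (EFI variable storage and ACPI ERST), preventing the kernel from writing crash logs and other persistent data to them."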
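Review bot: the first 40_kernel_hardening.cfg hunk of PATCH 1/5 stacks two lead sentences, "## Disable EFI persistent storage feature." and "## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.", which reads as one mechanism when the section now sets two unrelated parameters (the efi_pstore module parameter and the ACPI erst_disable boot parameter). Suggest a single opening line naming both, e.g. "## Disable both firmware pstore backends: EFI variable storage (efi_pstore) and ACPI ERST (erst_disable).", and spell out what "defense-in-depth" means here, presumably that pstore would otherwise still pick ERST as its backend once efi-pstore is disabled.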
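Review bot: the second cfg hunk of PATCH 1/5 adds `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"` without a reference, while the preceding block cites issue 299 and two pstore articles for the efi_pstore line only. Suggest adding the kernel-parameters.txt entry for `erst_disable` so a reader can confirm the parameter and its exact spelling, in particular that it takes no value, unlike the `=1` on the `efi_pstore.pstore_disable=1` line directly above it.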
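Review bot: PATCH 2/5 fixes "inactivated" but leaves the number mismatch next to it: "## Prevents the kernel from writing crash logs and other persistent data to the storage backend." (singular) is followed by "## Both the UEFI variable storage and ACPI ERST backends are deactivated." Suggest "to either firmware storage backend" on the first line, or fold the two lines into one sentence.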
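Review bot: PATCH 3/5 drops a bare URL into the comment block under "Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps." without saying why it belongs there. Suggest a one-line lead stating what the link documents, which its own title gives as local information disclosure vulnerabilities in the apport and systemd-coredump core dump handlers (CVE-2025-5054 and CVE-2025-4598), and why the sysctl documented here is relevant to them, so the reference survives a future URL change.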
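Review bot: in the README hunk of PATCH 4/5 the link text "UEFI Revocation List" now points at https://github.com/microsoft/secureboot_objects, while the 40_cpu_mitigations.cfg hunk in the same patch keeps https://uefi.org/revocationlistfile and adds the Microsoft repository alongside it. Suggest the README cite both as well (or reword the link text), so the two files agree and the link text still describes its target.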
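Review bot: the new comment in PATCH 5/5 tells the reader to lower protection to `arp_ignore=1` but not where: since this file is shipped under /usr/lib/sysctl.d, the override belongs in a drop-in under /etc/sysctl.d (a file of the same name replaces this one; otherwise one that sorts later) rather than in an edit of the packaged file. "Certain VM configurations" is also vague; if PR 290 names the setup that broke, state it here so users can tell whether the note applies to them.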