Merge remote-tracking branch 'raja/modprobe_refresh' into arraybolt3/trixie-raja-merge

2026-01-04 06:25:33 -05:00 · 2025-12-13 18:44:03 -06:00 · 2025-12-13 18:44:03 -06:00 · 4d0a126955
commit 4d0a126955
parent 39ce591976 8040ba7579
5 changed files with 107 additions and 61 deletions
--- a/README.md
+++ b/README.md
@ -383,6 +383,9 @@ Hardware modules:

 - Optional - Bluetooth: Disabled to reduce attack surface.

+- Optional - CPU MSRs: Disabled as can be abused to access other trust domains
+  and write to arbitrary memory.
+
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.

 - GPS: Disable GPS-related modules such as those required for Global Navigation
@ -412,20 +415,22 @@ Miscellaneous modules:

 - Amateur Radios: Disabled to reduce attack surface.

- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
 - Floppy Disks: Disabled to reduce attack surface.

 - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
  kernel panics, and are generally only used by legacy devices.

+- Joysticks: Disabled to reduce attack surface.
+
 - Replaced Modules: Disabled legacy drivers that have been entirely replaced and
  superseded by newer drivers.

+- RDNIS - Disabled as believed to have unfixable buffer overflow issues.
+
 - Optional - USB Video Device Class: Disables the USB-based video streaming driver for
  devices like some webcams and digital camcorders.

- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
+- Optional - Vivid: Disabled to reduce attack surface given previous vulnerabilities.

 ### Other

--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@ -69,6 +69,7 @@ usr/bin/disabled-network-by-security-misc#security-misc-shared => /usr/bin/disab
 usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared => /usr/bin/disabled-thunderbolt-by-security-misc
 usr/bin/disabled-cdrom-by-security-misc#security-misc-shared => /usr/bin/disabled-cdrom-by-security-misc
 usr/bin/disabled-filesys-by-security-misc#security-misc-shared => /usr/bin/disabled-filesys-by-security-misc
+usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared => /usr/bin/disabled-cpumsr-by-security-misc
 usr/bin/permission-hardener#security-misc-shared => /usr/bin/permission-hardener
 usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared => /usr/bin/disabled-intelpmt-by-security-misc
 usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared => /usr/bin/disabled-bluetooth-by-security-misc
--- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared
@ -11,13 +11,13 @@
 ## CD-ROM/DVD:
 ## Blacklist CD-ROM and DVD modules.
 ## Not disabled by default due to potential future ISO plans.
+## Can uncomment the bottom pair to disable both modules.
 ##
 ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
 ##
 blacklist cdrom
 blacklist sr_mod
-##
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc

@ -26,21 +26,17 @@ blacklist sr_mod
 ## GrapheneOS:
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
+## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97.
 ##
-## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
+## https://github.com/GrapheneOS/infrastructure/tree/main/etc/modprobe.d
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
 ##
 #blacklist cfg80211
 #blacklist intel_agp
 #blacklist ip_tables
-blacklist joydev
 #blacklist mousedev
 #blacklist psmouse
-## TODO: Re-check in Debian trixie
-## In GrapheneOS list, yes, "should" be out-commented here.
-## But not actually out-commented.
-## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
-## https://www.kicksecure.com/wiki/Dev/audio
-## https://github.com/Kicksecure/security-misc/issues/271
 #blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
--- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
@ -18,10 +18,9 @@

 ## Bluetooth:
 ## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities.
+## Replaced with a privacy and security preserving default Bluetooth configuration for better usability.
 ##
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-##
-## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability.
 ## https://github.com/Kicksecure/security-misc/pull/145
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
@ -42,6 +41,20 @@
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc

+## CPU Model-Specific Registers (MSRs):
+## User-level read access to MSRs can allow malicious unprivileged applications to access other trust domains.
+## MSRs can also be abused to write to arbitrary memory.
+##
+## https://en.wikipedia.org/wiki/Model-specific_register
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install msr /usr/bin/disabled-cpumsr-by-security-misc
+
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks.
 ##
@ -96,6 +109,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Intel Platform Monitoring Technology (PMT) Telemetry:
 ## Disable certain functionalities of the Intel PMT components.
 ##
+## https://www.intel.com/content/www/us/en/content-details/710389/intel-platform-monitoring-technology-intel-pmt-technical-specification.html
 ## https://github.com/intel/Intel-PMT
 ##
 install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
@ -117,28 +131,52 @@ install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
 ## Disable uncommon file systems to reduce attack surface.
 ## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
 ##
+## https://docs.kernel.org/filesystems/index.html
+## https://github.com/secureblue/secureblue/tree/live/files/system/usr/lib/modprobe.d
+##
+install adfs /usr/bin/disabled-filesys-by-security-misc
+install affs /usr/bin/disabled-filesys-by-security-misc
+install afs /usr/bin/disabled-filesys-by-security-misc
+install befs /usr/bin/disabled-filesys-by-security-misc
+install ceph /usr/bin/disabled-filesys-by-security-misc
+install coda /usr/bin/disabled-filesys-by-security-misc
 install cramfs /usr/bin/disabled-filesys-by-security-misc
+install ecryptfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
 install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install jfs /usr/bin/disabled-filesys-by-security-misc
+install kafs /usr/bin/disabled-filesys-by-security-misc
+install minix /usr/bin/disabled-filesys-by-security-misc
+install nilfs2 /usr/bin/disabled-filesys-by-security-misc
+install ocfs2 /usr/bin/disabled-filesys-by-security-misc
+install orangefs /usr/bin/disabled-filesys-by-security-misc
 install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install romfs /usr/bin/disabled-filesys-by-security-misc
+install sysv /usr/bin/disabled-filesys-by-security-misc
+install ubifs /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc
+install ufs /usr/bin/disabled-filesys-by-security-misc
+install zonefs /usr/bin/disabled-filesys-by-security-misc

 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
+## Currently 9p is required for KVM shared folders in Whonix.
 ##
+## https://www.whonix.org/wiki/KVM#Shared_Folder
+##
+#install 9p /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-##
-## Common Internet File System (CIFS):
+
+## Network File System - Common Internet File System (CIFS):
 ##
 install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
 install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
-##
-## Network File System (NFS):
+
+## Network File System - Network File System (NFS):
 ##
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
 install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
@ -152,7 +190,7 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 ## 2. Networking:

 ## Network Protocols:
-## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+## Disable rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ## Previously had blacklisted eepro100 and eth1394.
 ##
 ## https://tails.boum.org/blueprint/blacklist_modules/
@ -163,7 +201,6 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
 install ax25 /usr/bin/disabled-network-by-security-misc
-#install brcm80211 /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install dccp /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
@ -177,15 +214,15 @@ install p8023 /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
-##
-## Asynchronous Transfer Mode (ATM):
+
+## Network Protocol - Asynchronous Transfer Mode (ATM):
 ##
 install atm /usr/bin/disabled-network-by-security-misc
 install ueagle-atm /usr/bin/disabled-network-by-security-misc
 install usbatm /usr/bin/disabled-network-by-security-misc
 install xusbatm /usr/bin/disabled-network-by-security-misc
-##
-## Controller Area Network (CAN) Protocol:
+
+## Network Protocol - Controller Area Network (CAN):
 ##
 install c_can /usr/bin/disabled-network-by-security-misc
 install c_can_pci /usr/bin/disabled-network-by-security-misc
@ -208,19 +245,19 @@ install slcan /usr/bin/disabled-network-by-security-misc
 install ucan /usr/bin/disabled-network-by-security-misc
 install vxcan /usr/bin/disabled-network-by-security-misc
 install vcan /usr/bin/disabled-network-by-security-misc
-##
-## Transparent Inter Process Communication (TIPC):
+
+## Network Protocol - Transparent Inter Process Communication (TIPC):
 ##
 install tipc /usr/bin/disabled-network-by-security-misc
 install tipc_diag /usr/bin/disabled-network-by-security-misc
-##
-## Reliable Datagram Sockets (RDS):
+
+## Network Protocol - Reliable Datagram Sockets (RDS):
 ##
 install rds /usr/bin/disabled-network-by-security-misc
 install rds_rdma /usr/bin/disabled-network-by-security-misc
 install rds_tcp /usr/bin/disabled-network-by-security-misc
-##
-## Stream Control Transmission Protocol (SCTP):
+
+## Network Protocol - Stream Control Transmission Protocol (SCTP):
 ##
 install sctp /usr/bin/disabled-network-by-security-misc
 install sctp_diag /usr/bin/disabled-network-by-security-misc
@ -231,14 +268,6 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc

-## CPU Model-Specific Registers (MSRs):
-## Disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
@ -280,43 +309,48 @@ install viafb /usr/bin/disabled-framebuffer-by-security-misc
 install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
 install udlfb /usr/bin/disabled-framebuffer-by-security-misc

+## Joysticks:
+##
+## https://docs.kernel.org/input/joydev/joystick.html
+##
+install joydev /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Replaced Modules:
 ## These legacy drivers have all been entirely replaced and superseded by newer drivers.
-## These were all previously blacklisted.
+## Many of these were previously blacklisted.
 ##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 ##
 install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
 install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
+install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc
 install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
 install prism54 /usr/bin/disabled-miscellaneous-by-security-misc

-## USB Video Device Class:
-## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
-##
-#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
-
-## Vivid:
-## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
-##
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-##
-## No longer disabled by default:
-## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393
-## https://github.com/Kicksecure/security-misc/issues/298
-##
-#install vivid /usr/bin/disabled-miscellaneous-by-security-misc
-
 ## RNDIS:
-## Disable the RNDIS drivers used by some network devices (common with Android
-## USB tethering). RNDIS as a protocol is believed to have supposedly
-## unfixable buffer overflow issues and may be impossible to implement in a
-## secure fashion.
+## Disable as believed to have unfixable buffer overflow issues impossible to make secure.
+## Used by some network devices common with Android USB tethering.
 ##
+## https://en.wikipedia.org/wiki/RNDIS
 ## https://lkml.org/lkml/2022/11/23/728
 ## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/
 ##
 install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc
 install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disable the USB-based video streaming driver for devices like some webcams and digital camcorders.
+##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Vivid:
+## Disable the vivid kernel module since it has been the cause of multiple vulnerabilities.
+## Required only for running tests associated with the Qubes Video Companion.
+##
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393
+## https://github.com/Kicksecure/security-misc/issues/298
+##
+#install vivid /usr/bin/disabled-miscellaneous-by-security-misc
--- a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
+++ b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1