From 535c258b834028e5638fd2b37b1a6f352e2b4558 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 18 Dec 2019 20:43:01 +0000
Subject: [PATCH] More kernel hardening
---
 etc/default/grub.d/40_kernel_hardening.cfg | 40 +++++++++++++++++-----
 1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 7a50db8..c6fc47c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -1,18 +1,29 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+kver="$(uname -r)"
+
+## Disables the merging of slabs of similar sizes.
+## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
-## Enables sanity checks (F), redzoning (Z) and poisoning (P).
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
+## Enables sanity checks (F) and redzoning (Z).
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
-if command -v "qubesdb-read" >/dev/null 2>&1 ; then
- ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
- true "skip adding page_poison=1 in Qubes"
+## Zero memory at allocation and free time.
+if dpkg --compare-versions "${kver}" ge "5.3"; then
+ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
 else
- ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+ ## SLUB poisoning and page poisoning is used if the kernel
+ ## does not yet support init_on_{,alloc,free}.
+ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
+
+ if command -v "qubesdb-read" >/dev/null 2>&1 ; then
+ ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
+ true "skip adding page_poison=1 in Qubes"
+ else
+ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+ fi
 fi
 ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
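Review bot: The else branch appends a second `slub_debug=P` after the unconditional `slub_debug=FZ`, and as far as I can tell from the kernel's setup_slub_debug() in mm/slub.c each `slub_debug=` occurrence resets the flag set instead of adding to it, so on kernels older than 5.3 the sanity checks and redzoning are silently dropped and only poisoning remains — the pre-patch `slub_debug=FZP` did not have this problem. The smallest fix is to emit the full set in that branch, `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"`, although that still relies on last-occurrence-wins; building one `slub_debug=` option from a variable assigned in both branches would be cleaner. Separately, every `dpkg --compare-versions "${kver}"` check here and in the second hunk tests the kernel running when grub-mkconfig executes, not the kernel the generated entry boots, so after a kernel upgrade the postinst regenerates grub.cfg under the old kernel and the new kernel boots without init_on_alloc/init_on_free, page_alloc.shuffle and lockdown until the next regeneration. A comment next to `kver="$(uname -r)"` such as `## Version checks use the running kernel; re-run update-grub after booting a newer kernel.` would save someone debugging missing options.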
@@ -24,3 +35,16 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 ## Enables all mitigations for the MDS vulnerability.
 ## Disables smt which can be used to exploit the MDS vulnerability.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+
+## Enables page allocator freelist randomization.
+if dpkg --compare-versions "${kver}" ge "5.2"; then
+ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
+fi
+
+## Enables kernel lockdown.
+if dpkg --compare-versions "${kver}" ge "5.4"; then
+ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+fi
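Review bot: The `lockdown=confidentiality` line is under-documented for an option with this blast radius: when the kernel is built with the lockdown LSM, confidentiality mode refuses unsigned modules, hibernation and unsigned kexec images and blocks kernel-memory access paths such as /dev/mem, /proc/kcore and the perf/bpf readers, so out-of-tree DKMS modules and suspend-to-disk stop working on systems without module signature enforcement. I would replace `## Enables kernel lockdown.` with `## Enables kernel lockdown (confidentiality): blocks unsigned modules, hibernation, unsigned kexec and kernel memory access; only effective on kernels built with the lockdown LSM.` The `vsyscall=none` comment could likewise note that it breaks very old static binaries that still rely on the vsyscall page, and the `page_alloc.shuffle=1` comment that the option is a no-op unless the kernel was built with CONFIG_SHUFFLE_PAGE_ALLOCATOR, since the version check alone does not guarantee it.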