Merge branch 'Kicksecure:master' into modprobe_refresh

README.md

@@ -50,16 +50,23 @@ configuration file and significant hardening is applied to a myriad of component
   and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
-  risk and impact of denial of service attacks and both cold and warm boot attacks.
+  risk and impact of denial-of-service attacks and both cold and warm boot attacks.
 
-- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen
-  locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts
-  running out of memory.
+- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting
+  will force an immediate system reboot as opposed to placing any reliance on the oom_killer
+  to avoid arbitrarily terminating security features based on their OOM score. Note this
+  creates the risk of userspace-based denial-of-service attacks that maliciously fill memory.
+
+- Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts)
+  triggered by serious hardware-level I/O issues, uncorrectable memory and hardware errors,
+  and undefined or unknown sources in order to prevent data corruption.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
 
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
+
 #### User space
 
 - Disable the usage of `ptrace()` by all processes as it enables programs to inspect
@@ -132,6 +139,9 @@ configuration file and significant hardening is applied to a myriad of component
 
 - Disable TCP timestamps as they can allow detecting the system time.
 
+- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above
+  setting disables TCP timestamps.
+
 - Optional - Log packets with impossible source or destination addresses to
   enable further inspection and analysis.
 
@@ -156,6 +166,8 @@ CPU mitigations:
 
 - Spectre Side Channels (BTI and BHI)
 
+- Meltdown
+
 - Speculative Store Bypass (SSB)
 
 - L1 Terminal Fault (L1TF)
@@ -206,8 +218,8 @@ Kernel space:
 - Enable the kernel page allocator to randomize free lists to limit some data
   exfiltration and ROP attacks, especially during the early boot process.
 
-- Enable kernel page table isolation to increase KASLR effectiveness and also
-  mitigate the Meltdown CPU vulnerability.
+- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase
+  KASLR effectiveness and also mitigate the Meltdown CPU vulnerability.
 
 - Enable randomization of the kernel stack offset on syscall entries to harden
   against memory corruption attacks.
@@ -218,10 +230,11 @@ Kernel space:
 - Restrict access to debugfs by not registering the file system since it can
   contain sensitive information.
 
-- Force kernel panics on "oopses" to potentially indicate and thwart certain
-  kernel exploitation attempts.
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
-- Optional - Modify the machine check exception handler.
+- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
+  risk and impact of denial-of-service attacks and both cold and warm boot attacks.
 
 - Prevent sensitive kernel information leaks in the console during boot.
 
@@ -238,6 +251,15 @@ Kernel space:
 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
   and other persistent data to either the UEFI variable storage or ACPI ERST backends.
 
+- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
+  cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
+
+- Prevent runaway privileged processes from writing to block devices that are mounted by
+  filesystems to protect against filesystem corruption and kernel crashes.
+
+- Restrict processes from modifying their own memory mappings unless actively done via
+  `ptrace()` in order to limit self-modification which can trigger exploits.
+
 Direct memory access:
 
 - Enable strict IOMMU translation to protect against some DMA attacks via the use
@@ -248,12 +270,21 @@ Direct memory access:
 
 Entropy:
 
-- Do not credit the CPU or bootloader as entropy sources at boot in order to
-  maximize the absolute quantity of entropy in the combined pool.
+- Do not credit the CPU seeds as an entropy source at boot in order to maximize the
+  absolute quantity of entropy in the combined pool. This is desirable for all
+  cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU
+  instructions for random number generation that have long history of being defective.
+
+- Do not credit the bootloader seeds as an entropy sources at boot to maximize the
+  absolute quantity of entropy in the combined pool. This is desirable for all
+  cryptographic operations as seeds passed by the bootloader could be tampered.
 
 - Obtain more entropy at boot from RAM as the runtime memory allocator is
   being initialized.
 
+- Obtain more entropy at boot from RAM as the runtime memory allocator is being
+  initialized to maximize the absolute quantity of entropy in the combined pool.
+
 Networking:
 
 - Optional - Disable the entire IPv6 stack to reduce attack surface.
@@ -295,6 +326,14 @@ feasible due to compatibility issues with Firefox.
 * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
 * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)
 
+3. Kernel boot parameter `hash_pointers=always`
+
+Force all exposed pointers to be hashed and must be used in combination with the already enabled
+`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17.
+
+* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253)
+* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325)
+
 ### Kernel Modules
 
 #### Kernel Module Signature Verification

changelog.upstream

@@ -1,3 +1,195 @@
+commit b7b6b6e5fbeba0cfab141bf05d7fb657879ba8e9
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Dec 8 09:42:59 2025 -0500
+
+    output
+
+commit 8f99672cb24242d6cb86d985384ab4ad7d1aca54
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Dec 5 11:39:12 2025 +0000
+
+    bumped changelog version
+
+commit ac128dd873968b1815e4113b30ea69f34fa0b088
+Merge: 17dd7af7 85761a41
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Dec 5 06:35:03 2025 -0500
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit 85761a4153a4f19e7b18e91062e97d3376451884
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Thu Dec 4 23:27:18 2025 -0600
+
+    permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex
+
+commit 17dd7af7d1cf37ff30a17e2eaee06732d627ed34
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Dec 3 08:31:22 2025 +0000
+
+    bumped changelog version
+
+commit c44678f92df924e4c10f08960426c526e0292aba
+Merge: 6f9732be 0534a34e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Dec 3 03:22:44 2025 -0500
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit 0534a34ed7246793db384518cfbecb3adfcb7f3e
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Tue Dec 2 19:06:30 2025 -0600
+
+    Fix block-unsafe-logins when running as non-root, add swaylock to list of safe auth services
+
+commit 6f9732be98cbc344076b89d57491c423368172d5
+Merge: 2089b3a9 b3eb739f
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Dec 2 06:04:07 2025 -0500
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit b3eb739fe2662acfbd844de8d87af4720727fc7a
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sun Nov 30 00:20:21 2025 -0600
+
+    Link fix, change some wording
+
+commit 5f34b4146e895bb935b719071ab2762278944995
+Merge: 2c253b13 29176d2e
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sun Nov 30 00:12:18 2025 -0600
+
+    Merge remote-tracking branch 'raja/docs' into arraybolt3/trixie
+
+commit 2c253b1312c034cb8395039803380c1157967061
+Merge: 17ab1bb0 c5f91eb3
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 21:01:51 2025 -0600
+
+    Merge remote-tracking branch 'raja/vsyscall32' into arraybolt3/trixie
+
+commit 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 20:44:30 2025 -0600
+
+    Documentation fix
+
+commit 2b2d30afce3d40eb9c2177ad67fd7d89cd4602a0
+Merge: f0d069c7 3fdfebc4
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 20:23:09 2025 -0600
+
+    Merge remote-tracking branch 'raja/limit_full_force' into arraybolt3/trixie
+
+commit f0d069c7968e2ee10d7104ce1ba502d3122b0ab2
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 20:15:03 2025 -0600
+
+    Minor README.md corrections
+
+commit b73a830b0f62fe43b38cc89d56d997bed355570c
+Merge: e54cb007 53d90b11
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 19:59:35 2025 -0600
+
+    Merge remote-tracking branch 'raja/kpti' into arraybolt3/trixie
+
+commit e54cb007f9fc351c25c292ffd68abe974be56bb0
+Merge: 84e193c4 e43d4d7f
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sat Nov 29 19:54:10 2025 -0600
+
+    Merge remote-tracking branch 'raja/limit_bdev_writes' into arraybolt3/trixie
+
+commit 84e193c44ec9ebf676d1fb4a32d6e2f68afd3d0d
+Merge: 65c45fc3 5ac02d2d
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Fri Nov 28 14:21:59 2025 -0600
+
+    Merge remote-tracking branch 'raja/stop_tw_reuse' into arraybolt3/trixie
+
+commit 65c45fc3d799cdf6402328cc61cbdd1949a12945
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Fri Nov 28 00:13:45 2025 -0600
+
+    Minor fixes to NMI panic docs
+
+commit 37b1d055f18c6335e96c41c06174b66e43e4a8ff
+Merge: 7280d886 ebc011e6
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Fri Nov 28 00:09:43 2025 -0600
+
+    Merge remote-tracking branch 'raja/panic_nmi' into arraybolt3/trixie
+
+commit 7280d8867da50e05dd7d3071123d49b15660051d
+Merge: 2089b3a9 62dc2d44
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Thu Nov 27 23:28:53 2025 -0600
+
+    Merge remote-tracking branch 'raja/amd_encrypt_ram' into arraybolt3/trixie
+
+commit 2089b3a9b8e9d10c06850f0329f7e2eb8a8a12cc
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 24 08:44:10 2025 +0000
+
+    bumped changelog version
+
+commit cbd35502f19e74b6f95ff40bf03f02806eef3cdc
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 24 03:18:25 2025 -0500
+
+    comment
+
+commit cac73c3154b3278ad71edc0fd159afc71d5dbc45
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 24 03:17:38 2025 -0500
+
+    minor
+
+commit d68988e76cda939ce200d970e19310cadba5d08e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 24 03:17:25 2025 -0500
+
+    comments
+
+commit c1ca36d75888b95835b953c3a8a122954c1e5929
+Merge: ec116795 a3417e99
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 24 03:11:19 2025 -0500
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit a3417e997d26e9a88d30da408d470fab98f58d79
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sun Nov 23 16:27:59 2025 -0600
+
+    Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs
+
+commit edda37809fb186f6d85511e774957b701483ca66
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Sun Nov 23 14:54:02 2025 -0600
+
+    Remove obsolete migration code for permission-hardener, add initial permission-hardener state installation code
+
+commit ec11679514d54c9a61e7c4e35ce81467b12333f4
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 23 10:26:13 2025 +0000
+
+    bumped changelog version
+
+commit 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 23 05:25:13 2025 -0500
+
+    fix
+
+commit 9f85a78c9919d71c3e92099cac8525ac385aea5c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 19 07:02:14 2025 +0000
+
+    bumped changelog version
+
 commit 4e7cfb0d061810ec7c3139379a65db83abc39efc
 Merge: d267cf67 936c799c
 Author: Patrick Schleizer <adrelanos@whonix.org>
@@ -11,6 +203,43 @@ Date:   Tue Nov 18 23:53:03 2025 -0600
 
     Don't break passwordless sudo in unrestricted admin mode
 
+commit ebc011e67bff659778cbca2240c5e57d663f3f41
+Author: raja-grewal <rg_public@proton.me>
+Date:   Wed Nov 19 11:35:04 2025 +1100
+
+    Typo
+
+commit 62dc2d448366d190812773ec9eeadd38e1223cbc
+Author: raja-grewal <rg_public@proton.me>
+Date:   Tue Nov 18 20:31:46 2025 +1100
+
+    Add note about Intel TME
+
+commit 29176d2ed29b07c4da9b9c0df1eefd2bda70b984
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sat Nov 15 06:30:11 2025 +0000
+
+    Remove the option to reduce the MCE tolerance level
+
+commit 9f897c5ccda781d010077446abb3d176cf929c94
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sat Nov 15 05:48:33 2025 +0000
+
+    Update docs on reducing the MCE tolerance level
+
+commit b6fe1a5a6e164c7a7505b5e27ece582a1b928d82
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sat Nov 15 04:51:01 2025 +0000
+
+    Make panic related settings consistent
+    Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant.
+
+commit 99e993b885ca1fa30a871120b545f9334371cd5a
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sat Nov 15 03:16:07 2025 +0000
+
+    Provide options to enable AMD SME and SEV
+
 commit d267cf6761076092c299508a0c356c05d0ee713d
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Nov 14 06:21:34 2025 +0000
@@ -36,6 +265,18 @@ Date:   Tue Nov 11 23:59:50 2025 -0500
 
     Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
 
+commit d891313d57b469c28c08993b05d355b29ea08397
+Author: raja-grewal <rg_public@proton.me>
+Date:   Tue Nov 11 11:39:21 2025 +0000
+
+    Provide options to panic upon receiving NMIs
+
+commit 0b9b9ffb1e87850e3296d0420c305062b66868d5
+Author: raja-grewal <rg_public@proton.me>
+Date:   Tue Nov 11 11:32:47 2025 +0000
+
+    Improve clarity for panic on OOM
+
 commit 3070aa5d1f988b199030b31baa2fabc2db7b289f
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Mon Nov 10 22:40:15 2025 -0600
@@ -121,6 +362,18 @@ Date:   Mon Nov 10 02:04:15 2025 -0500
 
     Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
 
+commit 5ac02d2d528a37fe1c162c4808b3d874a8c53159
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 10 06:13:35 2025 +0000
+
+    Set `net.ipv4.tcp_tw_reuse=0`
+
+commit b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 10 06:03:33 2025 +0000
+
+    Add docs on logging martian packets
+
 commit 5fbd42bbec55d66197b70789b10f7cb6705207fb
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Sun Nov 9 18:38:54 2025 -0600
@@ -133,6 +386,19 @@ Date:   Sun Nov 9 17:46:22 2025 -0600
 
     Prevent non-sysmaint logins in sysmaint mode and unsafe passwordless logins in user mode
 
+commit a3830db09e3f567237caefb687ef2da877573b03
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Nov 9 13:42:31 2025 +0000
+
+    Update docs relating to panic on OOM
+
+commit 0aa0b67df6a33b84a656cfb7055c4af5ca583439
+Merge: a46f678c 0939883f
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 10 00:20:48 2025 +1100
+
+    Merge branch 'master' into docs
+
 commit 0939883f0b5e1232e9aa85e61c0cbef551a59357
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Nov 9 10:47:45 2025 +0000
@@ -202,6 +468,61 @@ Date:   Fri Nov 7 17:09:22 2025 -0600
 
     Suppress usbguard startup unless a USB controller is visible to lspci
 
+commit a46f678c7f8715fd1cedd1102f9815b9d845ccb3
+Author: raja-grewal <rg_public@proton.me>
+Date:   Wed Nov 5 00:05:17 2025 +0000
+
+    Update docs on latent entropy
+
+commit 37b493826ec60397c6019959abb7e0631dd33ed4
+Author: raja-grewal <rg_public@proton.me>
+Date:   Wed Nov 5 00:03:54 2025 +0000
+
+    Spit distrusting entropy settings for clarity
+
+commit 019a0cf72c99f9f10fd42afbfed96c283e17e458
+Author: raja-grewal <rg_public@proton.me>
+Date:   Wed Nov 5 00:03:19 2025 +0000
+
+    Update docs on entropy
+
+commit 4c88b911415cbf57eecc93a22c6674322662db50
+Merge: d175d1be 5b97e7bd
+Author: raja-grewal <rg_public@proton.me>
+Date:   Wed Nov 5 10:10:10 2025 +1100
+
+    Merge branch 'Kicksecure:master' into docs
+
+commit e43d4d7f7110de0b23996373e9462aa900b314a6
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 3 05:46:07 2025 +0000
+
+    Set `bdev_allow_write_mounted=0`
+
+commit 53d90b1128d55e352b3eef8ae680a07a825b1ecf
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 3 04:32:49 2025 +0000
+
+    Update docs on `ssbd=force-on`
+
+commit 322584db3346aaa1e3d1f9782b3d22ca2153c7da
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 3 04:31:59 2025 +0000
+
+    Update docs on `pti=on`
+
+commit 5e87c9bea49b5a06c1400cb8b632f344cccb6db6
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 3 04:30:58 2025 +0000
+
+    Set `kpti=1`
+
+commit 3fdfebc4646d7c1f48806d02810de44fd53482bb
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Nov 3 00:48:49 2025 +0000
+
+    Set `proc_mem.force_override=ptrace`
+
 commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Nov 2 11:41:51 2025 +0000
@@ -227,6 +548,18 @@ Date:   Sun Nov 2 05:57:52 2025 -0500
 
     move usbguard reject rules to the top
 
+commit c5f91eb33a2ad745af7a6278cf49419d0b366343
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Nov 2 06:15:06 2025 +0000
+
+    Add another method to disable 32-bit legacy vsyscalls
+
+commit d175d1be525edd8fb6140680c31425c8a89cc244
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Nov 2 15:54:34 2025 +1100
+
+    Add doc on entropy related failure on AMD Zen 5 CPUs
+
 commit 7beb19b64a33cb86771488ab558756fa86b577d3
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Sat Nov 1 22:06:44 2025 -0500
@@ -375,6 +708,12 @@ Date:   Wed Oct 22 00:37:36 2025 -0400
 
     do not start usbguard-notifier if /sys/bus/usb does not exist
 
+commit 8f78269949217ac11163cc8b6f17147621fef6eb
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Oct 20 05:36:54 2025 +0000
+
+    Add docs on slab_debug
+
 commit 7969ffd4a52786f4a92f74931fff85430906a629
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Oct 19 08:43:36 2025 +0000
@@ -389,6 +728,19 @@ Date:   Sun Oct 19 04:42:24 2025 -0400
     
     https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49
 
+commit 9f7480e20adf148dcb7dbe80e704f3f79691b657
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Oct 19 01:41:58 2025 +0000
+
+    Make terminology consistent
+
+commit f2c3eba4f06c38fda7843427c352022a0f869f66
+Merge: 11d9b940 929421bd
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Oct 19 12:23:13 2025 +1100
+
+    Merge branch 'Kicksecure:master' into docs
+
 commit 929421bd258a3c0c1f142f707aeff479f2ea3c49
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Oct 18 09:19:07 2025 +0000
@@ -414,6 +766,18 @@ Date:   Fri Oct 17 15:49:42 2025 -0500
 
     Set USBGuard settings to permit USB hubs and Qubes USB passthrough
 
+commit 11d9b9403854ae7cd2638765e8350257580be35f
+Author: raja-grewal <rg_public@proton.me>
+Date:   Fri Oct 17 01:01:28 2025 +0000
+
+    Add docs on entropy
+
+commit 708e1358dfbc21444f2bf39dfa81ea5053f2bb10
+Author: raja-grewal <rg_public@proton.me>
+Date:   Fri Oct 17 00:48:57 2025 +0000
+
+    Add docs relating `extra_latent_entropy`
+
 commit 3d5e659b78cf2588f95280c13b1ebdf24060fb6f
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Wed Oct 15 19:02:48 2025 -0500
@@ -446,6 +810,18 @@ Date:   Wed Oct 15 17:53:26 2025 -0500
 
     Allow listing USB devices via usbguard
 
+commit f690b58870bd90582018cec51046f4ed67a414d4
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Oct 13 02:08:44 2025 +0000
+
+    Add docs relating to panic on OOM
+
+commit 9db63d97770e62749c0b602dd9e7d2d4d6a1128b
+Author: raja-grewal <rg_public@proton.me>
+Date:   Mon Oct 13 01:01:14 2025 +0000
+
+    README: Update KSSP compliance status
+
 commit 23041741715cc5f3d16378d6bb34719ceaa1642c
 Author: raja-grewal <rg_public@proton.me>
 Date:   Sun Oct 12 02:32:45 2025 +0000

debian/changelog

@@ -1,3 +1,33 @@
+security-misc (3:50.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 09 Dec 2025 14:06:55 +0000
+
+security-misc (3:50.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Fri, 05 Dec 2025 11:39:12 +0000
+
+security-misc (3:50.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 03 Dec 2025 08:31:21 +0000
+
+security-misc (3:50.3-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Mon, 24 Nov 2025 08:44:09 +0000
+
+security-misc (3:50.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 23 Nov 2025 10:26:13 +0000
+
 security-misc (3:50.1-1) unstable; urgency=medium
 
   * New upstream version (local package).

debian/security-misc-shared.postinst

@@ -37,41 +37,86 @@ permission_hardening() {
     echo "$0: INFO: Permission hardening success."
 }
 
-migrate_permission_hardener_state() {
-   local existing_mode_dir new_mode_dir dpkg_statoverride_list
-   ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
-   if [ ! -d '/var/lib/permission-hardener' ]; then
+fix_pkexec_remembered_permissions() {
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
       return 0
    fi
-
-   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then
-     return 0
-   fi
    mkdir --parents '/var/lib/security-misc/do_once'
 
-   existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
-   new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
-
-   mkdir --parents "${existing_mode_dir}";
-   mkdir --parents "${new_mode_dir}";
-
-   cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
-   cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
-
-   dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
-
-   if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
-      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
-         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
-      fi
-   fi
-   if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
-      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
-         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
-      fi
+   if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
+      ## 'statoverride' file does not exist yet. Therefore no need to fix it using 'str_replace'.
+      touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+      return 0
    fi
 
-   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2"
+   ## The existing_mode database may incorrectly list the original permissions
+   ## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If
+   ## this issue is not present, str_replace will do nothing.
+   str_replace 'root root 755 /usr/bin/pkexec' \
+      'root root 4755 /usr/bin/pkexec' \
+      /var/lib/permission-hardener-v2/existing_mode/statoverride
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+install_permission_hardener_base_state() {
+   local state_str
+
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+      return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
+      ## 'statoverride' file already exists. Therefore no need to pre-populate it.
+      touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+      return 0
+   fi
+
+   mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode'
+   state_str="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/newgidmap
+root root 644 /etc/issue.kicksecure
+root root 4755 /usr/bin/pkexec
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 644 /etc/motd
+root root 4755 /usr/bin/newuidmap
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/lib/openssh/ssh-keysign
+root root 4755 /usr/bin/ntfs-3g
+root root 4755 /usr/bin/chsh
+root root 644 /etc/motd.kicksecure
+root root 755 /usr/bin/su-to-root
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 4755 /usr/bin/sudo
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 644 /etc/issue
+root root 755 /etc/cron.d"
+
+   printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
 
 case "$1" in
@@ -84,11 +129,18 @@ case "$1" in
         ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
         glib-compile-schemas /usr/share/glib-2.0/schemas || true
 
-        ## state dir for faillock
+        ## state dir for PAM 'faillock'
         mkdir -p /var/lib/security-misc/faillock
 
-        ## migrate permission_hardener state to v2 if applicable
-        migrate_permission_hardener_state
+        ## Fix pkexec remembered permissions if necessary.
+        fix_pkexec_remembered_permissions
+
+        ## Pre-populate permission-hardener state on first postinst run.
+        ## Necessary because the first permission-hardener run may occur
+        ## before all permissions are set properly by package postinst
+        ## scripts. In particular, pkexec is not SUID-root until after its
+        ## postinst runs.
+        install_permission_hardener_base_state
 
         ## Fix usbguard config permissions, this seemingly can't be done
         ## during the unpack stage

etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared

@@ -71,10 +71,24 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
+## Meltdown:
+## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
+## Force enable PTI of user and kernel address spaces on all cores.
+## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
+## Currently affects ARM64 CPUs.
+##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
 ## Unconditionally enable the mitigation for both kernel and userspace.
-## Currently affects both AMD and Intel CPUs.
+## Currently affects AMD, ARM64, and Intel CPUs.
 ##
 ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
 ## https://www.suse.com/support/kb/doc/?id=000019189

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
-## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
+## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption.
+## Sanity checks force additional verification steps on every memory allocation and free operation.
+## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries.
 ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled.
 ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
-## Has the potential to cause a noticeable performance decrease.
+## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
 ##
 ## https://www.kernel.org/doc/html/latest/mm/slub.html
+## https://www.kernel.org/doc/Documentation/vm/slub.txt
 ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
+## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
 ## https://github.com/Kicksecure/security-misc/issues/253
 ##
@@ -83,8 +87,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
-## Mitigates the Meltdown CPU vulnerability.
+## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
+## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
 ##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes
@@ -122,33 +128,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
-## Force the kernel to immediately panic on "oopses".
+## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
+## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
 ## Oopses are serious but non-fatal errors.
 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
-## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
+## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
+## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
+## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://lwn.net/Articles/876209/
+## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
 
-## Modify machine check exception handler.
-## Can decide whether the system should panic or not based on the occurrence of an exception.
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
-## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
-## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
-## https://forums.whonix.org/t/kernel-hardening/7296/494
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
 ##
-## The default kernel setting will be utilized until provided sufficient evidence to modify.
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
 
 ## Prevent sensitive kernel information leaks in the console during boot.
 ## Must be used in combination with the kernel.printk sysctl.
@@ -186,6 +199,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 ## KSPP=yes
 ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
 ##
+## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
@@ -237,6 +252,54 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 
+## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
+## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
+## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
+## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
+## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
+## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
+## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI.
+## May cause boot failure on certain hardware with incompatible DMA masks.
+##
+## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
+## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
+## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
+## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
+## https://en.wikichip.org/wiki/x86/sme
+## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
+## https://mricher.fr/post/amd-memory-encryption/
+## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD
+## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
+
+## Prevent processes from writing to block devices that are mounted by filesystems.
+## Enhances system stability and security by protecting against runaway privileged processes.
+## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
+## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
+## May lead to breakages in certain limited scenarios.
+##
+## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
+## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
+
+## Restrict processes from modifying their own memory mappings.
+## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's
+## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into
+## overwriting their own memory.
+##
+## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
+## https://lwn.net/Articles/983169/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
+## https://github.com/Kicksecure/security-misc/issues/330
+##
+## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
@@ -282,32 +345,48 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
 
-## Do not credit the CPU or bootloader seeds as entropy sources at boot.
-## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
-## Numerous implementations of RDRAND have a long history of being defective.
-## The RNG seed passed by the bootloader could also potentially be tampered.
+## Do not credit the CPU seeds as an entropy sources at boot.
+## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source.
+## Numerous implementations of RDRAND and RDSEED have a long history of being defective.
 ## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
-## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
-## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
+## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
+## Note that distrusting this (relatively fast) source of entropy will increase boot time.
 ##
-## https://en.wikipedia.org/wiki/RDRAND#Reception
+## https://en.wikipedia.org/wiki/RDRAND
 ## https://systemd.io/RANDOM_SEEDS/
 ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
-## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
-## https://x.com/pid_eins/status/1149649806056280069
 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
 ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://lkml.org/lkml/2022/6/5/271
+## https://lwn.net/Articles/961121/
+## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/
+## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
+##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_CPU=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
+
+## Do not credit the bootloader seeds as an entropy source at boot.
+## The RNG seed passed by the bootloader could potentially be tampered.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
+## Note that distrusting this (relatively fast) source of entropy will increase boot time.
+##
+## https://systemd.io/RANDOM_SEEDS/
 ## https://github.com/NixOS/nixpkgs/pull/165355
 ## https://lkml.org/lkml/2022/6/5/271
 ##
 ## KSPP=yes
-## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
+## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 
 ## Obtain more entropy during boot as the runtime memory allocator is being initialized.
-## Entropy will be extracted from up to the first 4GB of RAM.
+## Entropy will be extracted from up to the first 4GB of RAM as another source.
+## Note that entropy extracted this way is not cryptographically secure and so is not credited.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## This will increase boot time due to interrupting the boot process.
 ## Requires the linux-hardened kernel patch.
 ##
 ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened

usr/bin/permission-hardener#security-misc-shared

@@ -89,7 +89,13 @@ output_stat() {
     return 1
   fi
 
-  block_newlines file "${file_name}"
+  if ! block_newlines file "${file_name}"; then
+    existing_mode=''
+    existing_owner=''
+    existing_group=''
+    file_name_from_stat=''
+    return 0
+  fi
 
   if [ ! -e "${file_name}" ]; then
     log info "File does not exist. file_name: '${file_name}'" >&2
@@ -217,6 +223,12 @@ add_to_policy() {
   file_capabilities="${5:-}"
   updated_entry=false
 
+  if [ -z "${file_name}" ]; then
+    exit_code=207
+    log error "Attempted to add a policy entry with an empty filename! file_mode='${file_mode}' file_onwer='${file_owner}' file_group='${file_group}' file_capabilities='${file_capabilities}'" >&2
+    exit "${exit_code}"
+  fi
+
   if [ -h "${file_name}" ]; then
     file_name="$(realpath "${file_name}")" || return 1
   fi
@@ -319,6 +331,11 @@ match_dir() {
 
   base_str="${1}"
   match_str="${2}"
+  if [ -z "${base_str}" ] || [ -z "${match_str}" ]; then
+    exit_code=207
+    log error "Empty base_str or match_str provided to match_dir! base_str: '${base_str}' match_str: '${match_str}'" >&2
+    exit "${exit_code}"
+  fi
   [[ "${base_str}" =~ '//' ]] && return 1
   [[ "${match_str}" =~ '//' ]] && return 1
 
@@ -562,8 +579,13 @@ commit_policy() {
     ## group is the string we want. BASH_REMATCH[0] is the entire string,
     ## BASH_REMATCH[1] is the first match that we want to discard, and
     ## BASH_REMATCH[2] is the desired second group.
-    [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true;
-    state_mode_item="${BASH_REMATCH[2]}"
+    if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then
+      state_mode_item="${BASH_REMATCH[2]}"
+    else
+      exit_code=208
+      log error "'Impossible' regex match failure in commit_policy! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2
+      exit "${exit_code}"
+    fi
 
     output_stat "${state_file_item}"
     if [ -z "${file_name_from_stat}" ]; then
@@ -693,9 +715,11 @@ undo_policy_for_file() {
         state_user_owner_item="${state_user_owner_list[state_idx]}"
         state_group_owner_item="${state_group_owner_list[state_idx]}"
         state_mode_item="${state_mode_list[state_idx]}"
+        # shellcheck disable=SC2086
         chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \
           "${undo_file}" || exit_code=202
         ## chmod needs to be run after chown since chown removes suid.
+        # shellcheck disable=SC2086
         chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203
       else
         log info "File does not exist: '${undo_file}'"
@@ -708,8 +732,8 @@ undo_policy_for_file() {
     fi
   done
 
-  if ! [[ "${did_undo}" = 'false' ]]; then
-    log info "The specified file is not hardened, leaving unchanged.
+  if [ "${did_undo}" = 'false' ]; then
+    log notice "The specified file is not hardened, leaving unchanged.
 
   File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before.
 
@@ -797,7 +821,11 @@ print_raw_state() {
   for state_file in "${store_dir}/existing_mode/statoverride" \
     "${store_dir}/new_mode/statoverride"; do
     echo "*** begin ${state_file} ***"
-    cat "${state_file}"
+    if [ -f "${state_file}" ]; then
+      cat "${state_file}"
+    else
+      echo '(file does not exist)'
+    fi
     echo "***   end ${state_file} ***"
   done
 }
@@ -826,12 +854,17 @@ print_fs_audit() {
     ## group is the string we want. BASH_REMATCH[0] is the entire string,
     ## BASH_REMATCH[1] is the first match that we want to discard, and
     ## BASH_REMATCH[2] is the desired second group.
-    [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true;
-    state_mode_item="${BASH_REMATCH[2]}"
+    if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then
+      state_mode_item="${BASH_REMATCH[2]}"
+    else
+      exit_code=208
+      log error "'Impossible' regex match failure in print_fs_audit! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2
+      exit "${exit_code}"
+    fi
 
     output_stat "${state_file_item}"
     if [ -z "${file_name_from_stat}" ]; then
-      echo "... '${file_name_from_stat}' does not exist"
+      echo "... '${state_file_item}' does not exist"
       continue
     fi
 

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -20,6 +20,7 @@
 ## 5. Networking
 
 ## For detailed explanations of most of the selected commands, refer to:
+## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@@ -171,7 +172,7 @@ kernel.perf_event_paranoid=3
 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
 ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
 ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
-## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
+## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@@ -188,7 +189,7 @@ kernel.perf_event_paranoid=3
 #kernel.warn_limit=1
 
 ## Force immediate system reboots on the occurrence of a single kernel panic.
-## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
 ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
 ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
@@ -199,15 +200,44 @@ kernel.perf_event_paranoid=3
 ##
 #kernel.panic=-1
 
-## Force immediate kernel panic on OOM.
-## This is to avoid security features such as the screen locker, kloak, emerg-shutdown
-## from being arbitrarily terminated when the system starts running out of memory.
+## Force immediate kernel panic on OOM (out of memory) scenarios.
+## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
+## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated.
+## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory.
+## This forces immediate system reboot rather than placing any reliance on the oom_killer.
+## Known to cause extreme user experience problems with certain applications as the Tor Browser.
+## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users.
+##
+## https://en.wikipedia.org/wiki/Out_of_memory
 ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
+## https://github.com/KSPP/kspp.github.io/issues/9
 ## https://github.com/Kicksecure/security-misc/issues/324
-## Needs more work.
+##
+## Note that this must be used with kernel.panic=-1 for it to function as intended.
 ##
 #vm.panic_on_oom=2
 
+## Force immediate kernel panic on certain NMIs (Non-Maskable Interrupts).
+## NMIs are hardware interrupts that cannot be ignored by standard interrupt-masking techniques.
+## NMIs are reserved for critical events that require immediate attention.
+## Panic upon a NMI indicating a serious hardware-level I/O issue to prevent data corruption.
+## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption.
+## Panic upon receiving an undefined or unknown NMI.
+## All three must first be tested to ensure there are no pre-existing issues on user hardware.
+## After confirming stability of each they can then be used to prevent data corruption from hardware sources.
+## These are valuable for high-reliability systems where data integrity is critical.
+##
+## https://en.wikipedia.org/wiki/Non-maskable_interrupt
+## https://www.kernel.org/doc/html/latest/trace/events-nmi.html
+## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts
+##
+## Note that these must be used with kernel.panic=-1 for them to function as intended.
+##
+#kernel.panic_on_io_nmi=1
+#kernel.panic_on_unrecovered_nmi=1
+#kernel.unknown_nmi_panic=1
+
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
@@ -232,6 +262,19 @@ dev.tty.legacy_tiocsti=0
 ##
 kernel.io_uring_disabled=2
 
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
+##
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
+## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation.
+##
+abi.vsyscall32=0
+
 ## 2. User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
@@ -526,7 +569,7 @@ net.ipv6.conf.*.accept_source_route=0
 ## Do not accept IPv6 router advertisements (RAs) and solicitations.
 ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
 ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
-## Flooding the network with malicious RAs can lead to denial of service attacks.
+## Flooding the network with malicious RAs can lead to denial-of-service attacks.
 ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc6104
@@ -565,6 +608,16 @@ net.ipv6.conf.*.accept_ra=0
 ##
 net.ipv4.tcp_timestamps=0
 
+## Disable reuse of TIME_WAIT sockets for new outgoing connections.
+## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps.
+## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection.
+## Hence TIME-WAIT sockets should wait the full timeout period before being made available again.
+## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections.
+##
+## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux
+##
+net.ipv4.tcp_tw_reuse=0
+
 ## Enable logging of packets with impossible source or destination addresses.
 ## Martian and unroutable packets may be used for malicious purposes.
 ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
@@ -572,6 +625,8 @@ net.ipv4.tcp_timestamps=0
 ## Known to cause performance issues, especially on systems with multiple interfaces.
 ##
 ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
+## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
+## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US
 ## https://github.com/Kicksecure/security-misc/issues/214
 ##
 ## The logging of martian packets is currently disabled.

usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared

@@ -3,4 +3,6 @@
 
 [Unit]
 ConditionPathExists=/sys/bus/usb
+
+[Service]
 ExecCondition=/usr/libexec/security-misc/check-for-usb-controller

usr/libexec/security-misc/block-unsafe-logins#security-misc-shared

@@ -36,10 +36,10 @@ fi
 if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then
   true "INFO: session type: sysmaint session"
   if [ "$PAM_USER" != 'sysmaint' ]; then
-    printf '%s\n' 'ERROR: Rejecting non-sysmaint account in sysmaint session!'
+    printf '%s\n' 'ERROR: Rejecting non-sysmaint account '$PAM_USER' in sysmaint session!'
     exit 1
   fi
-  true 'INFO: Running in sysmaint session and logging into sysmaint account, allowing authentication to proceed.'
+  true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.'
   exit 0
 fi
 
@@ -72,7 +72,7 @@ fi
 ##   tools do not permit privilege escalation from one user to another, and
 ##   passwordless login is expected to work even for sensitive accounts.
 
-login_service_list=( 'login' 'greetd' 'sshd' )
+login_service_list=( 'login' 'greetd' 'sshd' 'swaylock' )
 for login_service in "${login_service_list[@]}"; do
   if [ "$PAM_SERVICE" = "$login_service" ]; then
     true "INFO: Login service '$PAM_SERVICE' is considered safe, allowing authentication to proceed."
@@ -97,7 +97,17 @@ fi
 ## attack would require root privileges to execute though, so this is likely
 ## not a concern. We do this before checking if $PAM_USER is in the list of
 ## interactive users to keep the race window as short as possible.
-if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then
+##
+## NOTE: PAM modules may run as non-root in some instances (such as when used
+## by Swaylock).
+if [ "$(id -u)" = '0' ]; then
+  passwd_status_list_cmd=(
+    '/usr/libexec/helper-scripts/get-password-status-list'
+  )
+else
+  passwd_status_list_cmd=( 'leaprun' 'get-password-status-list' )
+fi
+if ! output="$("${passwd_status_list_cmd[@]}")"; then
   printf '%s\n' 'ERROR: Failed to get password status list!'
   exit 1
 fi

usr/libexec/security-misc/panic-on-oops#security-misc-shared

@@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This reduces the risk and impact of denial of
-## service attacks and both cold and warm boot attacks.
+## kernel panic. This reduces the risk and impact of denial-of-service
+## attacks and both cold and warm boot attacks.
+##
 ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
 sysctl kernel.panic=-1