Update option to panic_on_taint

This commit is contained in:
raja-grewal 2025-12-13 04:35:02 +00:00 committed by GitHub
parent 22b1e3dc92
commit 650b923c7a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 10 additions and 8 deletions

@ -237,8 +237,8 @@ Kernel space:
risk and impact of denial-of-service attacks and both cold and warm boot attacks.
- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
upon using out of specification hardware, bad page states, severe firmware bugs, and kernel
live patching. Can also include the loading of proprietary, out-of-tree, and unsigned modules.
upon using out of specification hardware, bad page states, severe firmware bugs. It can also
include the loading of proprietary, out-of-tree, and unsigned modules.
- Prevent sensitive kernel information leaks in the console during boot.
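Review bot: the replacement sentence in this hunk still reads "Some reasons include upon using out of specification hardware, bad page states, severe firmware bugs.", which keeps the awkward "include upon using" construction and now also drops the "and" before the last item; suggest "Some reasons include the use of out-of-specification hardware, bad page states, and severe firmware bugs." Removing kernel live patching from the list is consistent with the GRUB comment change in the same commit, which no longer includes the live-patch taint in its example chain, so the two files agree.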

@ -167,21 +167,23 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Using kernel documentation can select a subset of taints to create a security policy.
## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
## Some example combinations are shown below.
## Panic on using out of specification hardware: 4 = 0x4.
## Panic on the above and bad page faults or some unexpected page flags: 36 = 0x24.
## Panic on the above and severe firmware bugs: 2084 = 0x824.
## Panic on the above and kernel live patching: 34852 = 0x8824.
## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB825.
## S - Panic on using out of specification hardware: 4 = 0x4.
## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24.
## I - On the above and severe firmware bugs: 2084 = 0x824.
## N - On the above and if an in-kernel test has been run: 264228 = 0x40824.
## J - On the above and if userspace used a mutating debug operation: 788516 = 0xC0824.
## G/P, O, E - On the above and the loading of proprietary, out-of-tree, or unsigned modules: 800805 = 0xC3825.
## All must first be tested to ensure there are no pre-existing issues on user hardware.
## After confirming stability this enforces strict user-defined kernel operation and security at runtime.
##
## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
## https://github.com/Kicksecure/security-misc/pull/339
##
## Note that this must be used with panic=-1 for it to function as intended.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824:
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0824
## Prevent sensitive kernel information leaks in the console during boot.
## Must be used in combination with the kernel.printk sysctl.
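Review bot: the new line `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0824` has no closing double quote as shown here (the removed line ended in a stray colon where the quote should be, so this may be an extraction artifact rather than the committed text, but it is worth checking the file); if it is real, uncommenting the line leaves an unterminated string that breaks sourcing of the GRUB defaults, and it should end `panic_on_taint=0xC0824"`. The cumulative bitmask arithmetic in the rewritten comments is correct: 4, 0x24, 0x824, 0x40824, 0xC0824 and 0xC3825 are the running sums of the taint bits named on each line. However, the two new tiers rely on the N (in-kernel test) and J (userspace mutating debug operation) taint flags, which only newer kernels define; the comment should state that on a kernel without those flags the corresponding bits cannot match and the setting silently behaves like the 0x824 tier, so the "All must first be tested" advice should include checking the running kernel's taint flag list against the linked tainted-kernels documentation.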