From 9db63d97770e62749c0b602dd9e7d2d4d6a1128b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 01:01:14 +0000 Subject: [PATCH 01/31] README: Update KSSP compliance status --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index a73f6b0..7bb18f7 100644 --- a/README.md +++ b/README.md @@ -279,23 +279,15 @@ there are a few cases of partial or non-compliance due to technical limitations. More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with the KSPP's recommendations. -**Partial compliance:** - -1. `sysctl kernel.yama.ptrace_scope=3` - -Completely disables `ptrace()`. Can be enabled easily if needed. - -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) - **Non-compliance:** -2. `sysctl user.max_user_namespaces=0` +1. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -3. `sysctl fs.binfmt_misc.status=0` +2. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. @@ -303,6 +295,14 @@ feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) +3. Kernel boot parameter `hash_pointers=always` + +Forces all exposed pointers to be hashed and must be used in combination with already enabled +kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. + +* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) +* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) + ### Kernel Modules #### Kernel Module Signature Verification From f690b58870bd90582018cec51046f4ed67a414d4 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 02:08:44 +0000 Subject: [PATCH 02/31] Add docs relating to panic on OOM --- README.md | 7 ++++--- .../990-security-misc.conf#security-misc-shared | 13 ++++++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7bb18f7..8d1119a 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial of service attacks and both cold and warm boot attacks. -- Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Force immediate kernel panic on OOM (out of memory) which the above setting will force + an immediate system reboot, as opposed to placing any reliance on the oom_killer to + avoid arbitrarily terminating security features based on their OOM score. Note this creates + the risk of userspace-based denial of service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index d99a580..5faeec0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -199,11 +199,18 @@ kernel.perf_event_paranoid=3 ## #kernel.panic=-1 -## Force immediate kernel panic on OOM. -## This is to avoid security features such as the screen locker, kloak, emerg-shutdown -## from being arbitrarily terminated when the system starts running out of memory. +## Force immediate kernel panic on OOM (out of memory) scenarios. +## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. +## Note that this must be used with kernel.panic=-1 for it to be function as intended. +## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. +## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. +## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## +## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 +## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 +## vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 00:48:57 +0000 Subject: [PATCH 03/31] Add docs relating `extra_latent_entropy` --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..39b04c5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -308,6 +308,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. +## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened From 11d9b9403854ae7cd2638765e8350257580be35f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 01:01:28 +0000 Subject: [PATCH 04/31] Add docs on entropy --- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 39b04c5..c8209f5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -288,6 +288,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialize the RNG. +## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception @@ -299,6 +300,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 +## https://lwn.net/Articles/961121/ +## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From 9f7480e20adf148dcb7dbe80e704f3f79691b657 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 19 Oct 2025 01:41:58 +0000 Subject: [PATCH 05/31] Make terminology consistent --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- .../sysctl.d/990-security-misc.conf#security-misc-shared | 6 +++--- .../security-misc/panic-on-oops#security-misc-shared | 5 +++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 537b72a..3459fc6 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,12 @@ configuration file and significant hardening is applied to a myriad of component and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial of service attacks and both cold and warm boot attacks. + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot, as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score. Note this creates - the risk of userspace-based denial of service attacks that maliciously fill memory. + the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c8209f5..21e2c06 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -126,7 +126,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index aeb3fe0..4e8625c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -171,7 +171,7 @@ kernel.perf_event_paranoid=3 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops @@ -188,7 +188,7 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## @@ -531,7 +531,7 @@ net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements (RAs) and solicitations. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial of service attacks. +## Flooding the network with malicious RAs can lead to denial-of-service attacks. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## ## https://datatracker.ietf.org/doc/html/rfc6104 diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared index 54731c9..5e32d02 100755 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ b/usr/libexec/security-misc/panic-on-oops#security-misc-shared @@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This reduces the risk and impact of denial of -## service attacks and both cold and warm boot attacks. +## kernel panic. This reduces the risk and impact of denial-of-service +## attacks and both cold and warm boot attacks. +## ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic sysctl kernel.panic=-1 From 8f78269949217ac11163cc8b6f17147621fef6eb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 20 Oct 2025 05:36:54 +0000 Subject: [PATCH 06/31] Add docs on slab_debug --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3459fc6..42220a2 100644 --- a/README.md +++ b/README.md @@ -298,8 +298,8 @@ feasible due to compatibility issues with Firefox. 3. Kernel boot parameter `hash_pointers=always` -Forces all exposed pointers to be hashed and must be used in combination with already enabled -kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. +Force all exposed pointers to be hashed and must be used in combination with the already enabled +`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. * [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) * [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 21e2c06..fac7117 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption. +## Sanity checks force additional verification steps on every memory allocation and free operation. +## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries. ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. +## Introduces a noticeable performance overhead during all memory allocation and deallocation operations. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://www.kernel.org/doc/Documentation/vm/slub.txt ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## From d175d1be525edd8fb6140680c31425c8a89cc244 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 2 Nov 2025 15:54:34 +1100 Subject: [PATCH 07/31] Add doc on entropy related failure on AMD Zen 5 CPUs --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index fac7117..5af1493 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -306,6 +306,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ +## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From c5f91eb33a2ad745af7a6278cf49419d0b366343 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 2 Nov 2025 06:15:06 +0000 Subject: [PATCH 08/31] Add another method to disable 32-bit legacy vsyscalls --- README.md | 2 ++ .../40_kernel_hardening.cfg#security-misc-shared | 2 ++ .../990-security-misc.conf#security-misc-shared | 14 ++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/README.md b/README.md index ee8d364..1501d26 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,8 @@ configuration file and significant hardening is applied to a myriad of component - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. + #### User space - Disable the usage of `ptrace()` by all processes as it enables programs to inspect diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..9a5e983 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -186,6 +186,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## KSPP=yes ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. ## +## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 78e5e5f..53bec74 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -20,6 +20,7 @@ ## 5. Networking ## For detailed explanations of most of the selected commands, refer to: +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html @@ -230,6 +231,19 @@ dev.tty.legacy_tiocsti=0 ## kernel.io_uring_disabled=2 +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. +## +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## +## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation. +## +abi.vsyscall32=0 + ## 2. User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace From 3fdfebc4646d7c1f48806d02810de44fd53482bb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 00:48:49 +0000 Subject: [PATCH 09/31] Set `proc_mem.force_override=ptrace` --- README.md | 3 +++ .../40_kernel_hardening.cfg#security-misc-shared | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 302c8ab..69e3728 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Restrict processes from modifying their own memory mappings unless actively done via + `ptrace()` in order to limit self-modification which can trigger exploits. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..0bddd2d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -237,6 +237,19 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Restrict processes from modifying their own memory mappings. +## Prevents the use of FULL_FORCE by a processes unless via ptrace() for debugging. +## Limit self-modification which can be used trigger race condition vulnerabilities. +## +## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ +## https://lwn.net/Articles/983169/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 +## https://github.com/Kicksecure/security-misc/issues/330 +## +## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:30:58 +0000 Subject: [PATCH 10/31] Set `kpti=1` --- README.md | 2 ++ .../40_cpu_mitigations.cfg#security-misc-shared | 14 ++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 302c8ab..35815ac 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,8 @@ CPU mitigations: - Spectre Side Channels (BTI and BHI) +- Meltdown + - Speculative Store Bypass (SSB) - L1 Terminal Fault (L1TF) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 8f18ad0..4ee58fc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -71,6 +71,20 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" +## Meltdown: +## Mitigate Spectre Variant 3 using kernel page table isolation (PTI). +## Force enable PTI of user and kernel address spaces on all cores. +## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on". +## Currently affects ARM64 CPUs. +## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +## KSPP=yes +## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" + ## Speculative Store Bypass (SSB): ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Unconditionally enable the mitigation for both kernel and userspace. From 322584db3346aaa1e3d1f9782b3d22ca2153c7da Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:31:59 +0000 Subject: [PATCH 11/31] Update docs on `pti=on` --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 35815ac..87b3742 100644 --- a/README.md +++ b/README.md @@ -208,8 +208,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness + and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..73dca75 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. +## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. +## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". ## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## ## KSPP=yes From 53d90b1128d55e352b3eef8ae680a07a825b1ecf Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:32:49 +0000 Subject: [PATCH 12/31] Update docs on `ssbd=force-on` --- etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 4ee58fc..0bd8665 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -88,7 +88,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" ## Speculative Store Bypass (SSB): ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects both AMD and Intel CPUs. +## Currently affects AMD, ARM64, and Intel CPUs. ## ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 From e43d4d7f7110de0b23996373e9462aa900b314a6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 05:46:07 +0000 Subject: [PATCH 13/31] Set `bdev_allow_write_mounted=0` --- README.md | 3 +++ .../40_kernel_hardening.cfg#security-misc-shared | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index 302c8ab..831f61d 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Prevent runaway privileged processes from writing to block devices that are mounted by + filesystems to protect against filesystem corruption and kernel crashes. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..6274892 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -237,6 +237,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Prevent processes from writing to block devices that are mounted by filesystems. +## Enhances system stability and security by protecting against runaway privileged processes. +## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes. +## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access. +## May lead to breakages in certain limited scenarios. +## +## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e +## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 019a0cf72c99f9f10fd42afbfed96c283e17e458 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:03:19 +0000 Subject: [PATCH 14/31] Update docs on entropy --- README.md | 4 +++- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 +++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 578e822..c5e69e6 100644 --- a/README.md +++ b/README.md @@ -250,7 +250,9 @@ Direct memory access: Entropy: - Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. + maximize the absolute quantity of entropy in the combined pool. This is desirable + for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 5af1493..4894a29 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -287,19 +287,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand ## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. +## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND and RDSEED have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. +## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 From 37b493826ec60397c6019959abb7e0631dd33ed4 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:03:54 +0000 Subject: [PATCH 15/31] Spit distrusting entropy settings for clarity --- README.md | 12 +++++--- ..._kernel_hardening.cfg#security-misc-shared | 29 +++++++++++++------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index c5e69e6..dc9649d 100644 --- a/README.md +++ b/README.md @@ -249,10 +249,14 @@ Direct memory access: Entropy: -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. This is desirable - for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU - instructions for random number generation that have long history of being defective. +- Do not credit the CPU seeds as an entropy sources at boot in order to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations reliant proprietary on RDRAND and RDSEED CPU instructions + for random number generation that have long history of being defective. + +- Do not credit the bootloader seeds as an entropy sources at boot to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations as seeds passed by the bootloader could be tampered. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 4894a29..2b7d217 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -286,31 +286,42 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand -## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## Do not credit the CPU seeds as an entropy sources at boot. ## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND and RDSEED have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. ## -## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://en.wikipedia.org/wiki/RDRAND ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## KSPP sets CONFIG_RANDOM_TRUST_CPU=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Do not credit the bootloader seeds as an entropy source at boot. +## The RNG seed passed by the bootloader could potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. +## +## https://systemd.io/RANDOM_SEEDS/ +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. From a46f678c7f8715fd1cedd1102f9815b9d845ccb3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:05:17 +0000 Subject: [PATCH 16/31] Update docs on latent entropy --- README.md | 3 +++ .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dc9649d..35005e7 100644 --- a/README.md +++ b/README.md @@ -261,6 +261,9 @@ Entropy: - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +- Obtain more entropy at boot from RAM as the runtime memory allocator is being + initialized to maximize the absolute quantity of entropy in the combined pool. + Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2b7d217..db65fea 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -324,8 +324,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. +## Entropy will be extracted from up to the first 4GB of RAM as another source. ## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## From a3830db09e3f567237caefb687ef2da877573b03 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 9 Nov 2025 13:42:31 +0000 Subject: [PATCH 17/31] Update docs relating to panic on OOM --- README.md | 7 ++++--- .../sysctl.d/990-security-misc.conf#security-misc-shared | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8111c5f..0acc17b 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting + will force an immediate system reboot as opposed to placing any reliance on the oom_killer + to avoid arbitrarily terminating security features based on their OOM score. Note this + creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 9f2220d..84c038d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -204,13 +204,14 @@ kernel.perf_event_paranoid=3 ## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. -## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## This forces immediate system reboot rather than placing any reliance on the oom_killer. +## Known to cause extreme user experience problems with certain applications as the Tor Browser. +## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. ## ## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 -## Needs more work. ## #vm.panic_on_oom=2 From b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 10 Nov 2025 06:03:33 +0000 Subject: [PATCH 18/31] Add docs on logging martian packets --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 84c038d..594ea33 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -579,6 +579,8 @@ net.ipv4.tcp_timestamps=0 ## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ +## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. From 5ac02d2d528a37fe1c162c4808b3d874a8c53159 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 10 Nov 2025 06:13:35 +0000 Subject: [PATCH 19/31] Set `net.ipv4.tcp_tw_reuse=0` --- README.md | 3 +++ .../990-security-misc.conf#security-misc-shared | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/README.md b/README.md index 8c232ae..da9becd 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,9 @@ configuration file and significant hardening is applied to a myriad of component - Disable TCP timestamps as they can allow detecting the system time. +- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above + setting disables TCP timestamps. + - Optional - Log packets with impossible source or destination addresses to enable further inspection and analysis. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..c9a3f97 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -565,6 +565,16 @@ net.ipv6.conf.*.accept_ra=0 ## net.ipv4.tcp_timestamps=0 +## Disable reuse of TIME_WAIT sockets for new outgoing connections. +## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps. +## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection. +## Hence TIME-WAIT sockets should wait the full timeout period before being made available again. +## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections. +## +## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux +## +net.ipv4.tcp_tw_reuse=0 + ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for malicious purposes. ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. From 0b9b9ffb1e87850e3296d0420c305062b66868d5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 11 Nov 2025 11:32:47 +0000 Subject: [PATCH 20/31] Improve clarity for panic on OOM --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 594ea33..121ee5c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -201,7 +201,6 @@ kernel.perf_event_paranoid=3 ## Force immediate kernel panic on OOM (out of memory) scenarios. ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. -## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. ## This forces immediate system reboot rather than placing any reliance on the oom_killer. @@ -213,6 +212,8 @@ kernel.perf_event_paranoid=3 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 ## +## Note that this must be used with kernel.panic=-1 for it to function as intended. +## #vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From d891313d57b469c28c08993b05d355b29ea08397 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 11 Nov 2025 11:39:21 +0000 Subject: [PATCH 21/31] Provide options to panic upon receiving NMIs --- README.md | 4 ++++ ...90-security-misc.conf#security-misc-shared | 21 +++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/README.md b/README.md index 8c232ae..a1acb1c 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,10 @@ configuration file and significant hardening is applied to a myriad of component locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts running out of memory. +- Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) + indicating serious hardware-level I/O issues, uncorrectable memory and hardware errors, + and undefined or unknowsources in order to prevent data corruption. + - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..7422c54 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -208,6 +208,27 @@ kernel.perf_event_paranoid=3 ## #vm.panic_on_oom=2 +## Force immediate kernel panic on certain NMIs (Non-Maskable Interrupts). +## NMIs are hardware interrupts that cannot be ignored by standard interrupt-masking techniques. +## NMIs are reserved for critical events that require immediate attention. +## Panic upon a NMI indicating a serious hardware-level I/O issue to prevent data corruption. +## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. +## Panic upon receiving an undefined or unknown NMI. +## All three must first be tested to ensure there are no pre-existing issues on user hardware. +## After confirming stability of each they can then be used and prevent data corruption from hardware sources. +## These are valuable for high-reliability systems where data integrity is critical. +## +## https://en.wikipedia.org/wiki/Non-maskable_interrupt +## https://www.kernel.org/doc/html/latest//trace/events-nmi.html +## https://0xax.gitbooks.io/linux-insides/content/Interrupts/linux-interrupts-6.html +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts +## +## Note that these must be used with kernel.panic=-1 for them to function as intended. +## +#kernel.panic_on_io_nmi=1 +#kernel.panic_on_unrecovered_nmi=1 +#kernel.unknown_nmi_panic=1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. From 99e993b885ca1fa30a871120b545f9334371cd5a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 03:16:07 +0000 Subject: [PATCH 22/31] Provide options to enable AMD SME and SEV --- README.md | 3 +++ ..._kernel_hardening.cfg#security-misc-shared | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/README.md b/README.md index 8c232ae..3596f74 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against + cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..962e37d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -237,6 +237,27 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). +## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. +## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. +## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). +## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. +## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## May cause boot failure on certain hardware with incompatible DMA masks. +## +## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html +## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html +## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper +## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more +## https://en.wikichip.org/wiki/x86/sme +## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84 +## https://mricher.fr/post/amd-memory-encryption/ +## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD +## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393 +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 04:51:01 +0000 Subject: [PATCH 23/31] Make panic related settings consistent Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. --- README.md | 7 +++-- ..._kernel_hardening.cfg#security-misc-shared | 26 ++++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0acc17b..9d069d5 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,11 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Modify the machine check exception handler. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index db65fea..f67c6c3 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -126,22 +126,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to immediately panic on "oopses". +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" + +## Force immediate system reboots on the occurrence of a single kernel panic. +## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. +## +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception. From 9f897c5ccda781d010077446abb3d176cf929c94 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 05:48:33 +0000 Subject: [PATCH 24/31] Update docs on reducing the MCE tolerance level --- README.md | 3 ++- .../40_kernel_hardening.cfg#security-misc-shared | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9d069d5..4ee2d0b 100644 --- a/README.md +++ b/README.md @@ -225,7 +225,8 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Modify the machine check exception handler. +- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to + always force kernel panics on any uncorrected hardware errors detected by the CPU. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index f67c6c3..da6b63a 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -161,14 +161,22 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. +## Reduce the Machine Check Exception (MCE) handler tolerance level. +## Machine checks report internal hardware error conditions detected by the CPU. +## Force the kernel to always panic on any uncorrected errors. +## Improves security using ECC memory against vulnerabilities like Rowhammer. +## Note current x86 CPUs generally do not allow recovery from MCEs. +## Must first be tested to ensure there are no pre-existing issues on user hardware. +## The default kernel setting should be utilized until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt +## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck +## https://en.wikipedia.org/wiki/Machine-check_exception#Linux +## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## -## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Note that this must be used with panic=-1 for it to function as intended. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" From 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 06:30:11 +0000 Subject: [PATCH 25/31] Remove the option to reduce the MCE tolerance level --- README.md | 3 --- ..._kernel_hardening.cfg#security-misc-shared | 19 ------------------- 2 files changed, 22 deletions(-) diff --git a/README.md b/README.md index 4ee2d0b..112ab3b 100644 --- a/README.md +++ b/README.md @@ -225,9 +225,6 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to - always force kernel panics on any uncorrected hardware errors detected by the CPU. - - Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index da6b63a..7ab1e46 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -161,25 +161,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Reduce the Machine Check Exception (MCE) handler tolerance level. -## Machine checks report internal hardware error conditions detected by the CPU. -## Force the kernel to always panic on any uncorrected errors. -## Improves security using ECC memory against vulnerabilities like Rowhammer. -## Note current x86 CPUs generally do not allow recovery from MCEs. -## Must first be tested to ensure there are no pre-existing issues on user hardware. -## The default kernel setting should be utilized until provided sufficient evidence to modify. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt -## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck -## https://en.wikipedia.org/wiki/Machine-check_exception#Linux -## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 -## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## Note that this must be used with panic=-1 for it to function as intended. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. From 62dc2d448366d190812773ec9eeadd38e1223cbc Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 18 Nov 2025 20:31:46 +1100 Subject: [PATCH 26/31] Add note about Intel TME --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 962e37d..61aad7c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -243,6 +243,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI. ## May cause boot failure on certain hardware with incompatible DMA masks. ## ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html From ebc011e67bff659778cbca2240c5e57d663f3f41 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 19 Nov 2025 11:35:04 +1100 Subject: [PATCH 27/31] Typo --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 7422c54..f1288c3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -215,7 +215,7 @@ kernel.perf_event_paranoid=3 ## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. ## Panic upon receiving an undefined or unknown NMI. ## All three must first be tested to ensure there are no pre-existing issues on user hardware. -## After confirming stability of each they can then be used and prevent data corruption from hardware sources. +## After confirming stability of each they can then be used to prevent data corruption from hardware sources. ## These are valuable for high-reliability systems where data integrity is critical. ## ## https://en.wikipedia.org/wiki/Non-maskable_interrupt From 65c45fc3d799cdf6402328cc61cbdd1949a12945 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 28 Nov 2025 00:13:45 -0600 Subject: [PATCH 28/31] Minor fixes to NMI panic docs --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0ffb261..1979306 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,8 @@ configuration file and significant hardening is applied to a myriad of component running out of memory. - Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) - indicating serious hardware-level I/O issues, uncorrectable memory and hardware errors, - and undefined or unknowsources in order to prevent data corruption. + triggered by serious hardware-level I/O issues, uncorrectable memory and hardware errors, + and undefined or unknown sources in order to prevent data corruption. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index f1288c3..561bac9 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -219,8 +219,8 @@ kernel.perf_event_paranoid=3 ## These are valuable for high-reliability systems where data integrity is critical. ## ## https://en.wikipedia.org/wiki/Non-maskable_interrupt -## https://www.kernel.org/doc/html/latest//trace/events-nmi.html -## https://0xax.gitbooks.io/linux-insides/content/Interrupts/linux-interrupts-6.html +## https://www.kernel.org/doc/html/latest/trace/events-nmi.html +## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts ## ## Note that these must be used with kernel.panic=-1 for them to function as intended. From f0d069c7968e2ee10d7104ce1ba502d3122b0ab2 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 29 Nov 2025 20:15:03 -0600 Subject: [PATCH 29/31] Minor README.md corrections --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 250fb0b..48a4db9 100644 --- a/README.md +++ b/README.md @@ -215,8 +215,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness - and also mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase + KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. From 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 29 Nov 2025 20:44:30 -0600 Subject: [PATCH 30/31] Documentation fix --- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index b6f2a66..c6b878f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -274,8 +274,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" ## Restrict processes from modifying their own memory mappings. -## Prevents the use of FULL_FORCE by a processes unless via ptrace() for debugging. -## Limit self-modification which can be used trigger race condition vulnerabilities. +## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's +## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into +## overwriting their own memory. ## ## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ ## https://lwn.net/Articles/983169/ From b3eb739fe2662acfbd844de8d87af4720727fc7a Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 30 Nov 2025 00:20:21 -0600 Subject: [PATCH 31/31] Link fix, change some wording --- README.md | 6 +++--- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f63815a..41a9556 100644 --- a/README.md +++ b/README.md @@ -270,10 +270,10 @@ Direct memory access: Entropy: -- Do not credit the CPU seeds as an entropy sources at boot in order to maximize the +- Do not credit the CPU seeds as an entropy source at boot in order to maximize the absolute quantity of entropy in the combined pool. This is desirable for all - cryptographic operations reliant proprietary on RDRAND and RDSEED CPU instructions - for random number generation that have long history of being defective. + cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. - Do not credit the bootloader seeds as an entropy sources at boot to maximize the absolute quantity of entropy in the combined pool. This is desirable for all diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c11a46d..33722f6 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -141,7 +141,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://lwn.net/Articles/876209/ ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes ## KSPP sets CONFIG_PANIC_ON_OOPS=y.