raja-grewal 2025-11-22 04:01:58 +00:00 committed by GitHub
commit 6fed89c1d0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 24 additions and 0 deletions

View file

@ -221,6 +221,10 @@ Kernel space:
- Force kernel panics on "oopses" to potentially indicate and thwart certain
kernel exploitation attempts.
- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
upon using out of specification hardware, bad page states, severe firmware bugs, and kernel
live patching. Can also include the loading of proprietary, out-of-tree, and unsigned modules.
- Optional - Modify the machine check exception handler.
- Prevent sensitive kernel information leaks in the console during boot.
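Review bot: the new "Optional - Force the kernel to immediately panic if it becomes tainted" bullet reads awkwardly ("Some reasons include upon using out of specification hardware") and omits the dependency that the matching config comment states, namely that panic_on_taint only works as intended together with panic=-1. Suggest rewording the bullet to "Taint reasons include using out-of-specification hardware, bad page states, severe firmware bugs, and kernel live patching; optionally also the loading of proprietary, out-of-tree, and unsigned modules" and adding "Requires panic=-1" so a reader of the summary list knows the two settings go together before looking at the config file.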

View file

@ -139,6 +139,26 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
## Force the kernel to immediately panic if it becomes tainted.
## Using kernel documentation can select a subset of taints to create a security policy.
## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
## Some example combinations are shown below.
## Panic on using out of specification hardware: 4 = 0x4.
## Panic on the above and bad page faults or some unexpected page flags: 36 = 0x24.
## Panic on the above and severe firmware bugs: 2084 = 0x824.
## Panic on the above and kernel live patching: 34852 = 0x8824.
## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB825.
## All must first be tested to ensure there are no pre-existing issues on user hardware.
## After confirming stability this enforces strict user-defined kernel operation and security at runtime.
##
## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
##
## Note that this must be used with panic=-1 for it to function as intended.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824:
## Modify machine check exception handler.
## Can decide whether the system should panic or not based on the occurrence of an exception.
##
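Review bot: the commented-out example line `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824:` ends with a stray colon and never closes its double quote, so a user who uncomments it as-is gets a broken GRUB configuration; the `oops=panic` line just above shows the intended shape, so it should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824"`. The worked sums in the comments check out against the taint bit numbers in the linked tainted-kernels documentation (bits 2, 5, 11 and 15 give 0x8824; adding bits 0, 12 and 13 gives 0xB825), and it would help readers to name those bit positions next to each example rather than only the decimal totals, since the documentation lists taints by bit. Minor: "Using kernel documentation can select a subset of taints" is missing its subject; suggest "Using the kernel documentation, select a subset of taints to create a security policy."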