From ba0043b8a7249e55e0a0d3b87f6c54de5283f057 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:36:05 +0000 Subject: [PATCH 1/3] Update 40_kernel_hardening.cfg --- etc/default/grub.d/40_kernel_hardening.cfg | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e9f7aae..e456416 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -36,27 +36,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" - -## Enables all mitigations for the MDS vulnerability. -## Disables smt which can be used to exploit the MDS vulnerability. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" - -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" - -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" - ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" From 700c7ed9085f2c9f0f271ddf8781f119e8ac5714 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:42:13 +0000 Subject: [PATCH 2/3] Create 40_cpu_mitigations.cfg --- etc/default/grub.d/40_cpu_mitigations.cfg | 42 +++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 etc/default/grub.d/40_cpu_mitigations.cfg diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg new file mode 100644 index 0000000..c18d80c --- /dev/null +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -0,0 +1,42 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Enables all mitigations for CPU vulnerabilities. +## +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 + +## Enable all mitigations for Spectre Variant 2. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" + +## Disable Speculative Store Bypass. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" + +## Disable TSX, enable all mitigations for the TSX Async Abort +## vulnerability and disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" + +## Enable all mitigations for the MDS vulnerability and disable +## SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## Enable all mitigations for the L1TF vulnerability and disable SMT +## and L1D flush runtime control. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" + +## Force disable SMT as it has caused numerous CPU vulnerabilities. +## +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" From 2796c2dd00fca0bb458bdb4ea5c2cdbd35854bef Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:43:19 +0000 Subject: [PATCH 3/3] Update control --- debian/control | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/debian/control b/debian/control index 6a97d69..7407373 100644 --- a/debian/control +++ b/debian/control @@ -66,12 +66,7 @@ Description: enhances misc security settings * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. . - * SMT is disabled as it can be used to exploit the MDS and other - vulnerabilities. - . - * All mitigations for the MDS vulnerability are enabled. - . - * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. + * Enables all mitigations for CPU vulnerabilities and disables SMT. . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker.