Merge remote-tracking branch 'github-kicksecure/master'
commit
8a28c1bc38
@ -1,21 +1,30 @@
|
||||
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Enables all known mitigations for CPU vulnerabilities.
|
||||
## Enables known mitigations for CPU vulnerabilities.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
||||
|
||||
## Enable known mitigations for CPU vulnerabilities and disable SMT.
|
||||
## Check for potential updates directly from AMD and Intel.
|
||||
##
|
||||
## https://www.amd.com/en/resources/product-security.html
|
||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
||||
|
||||
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
||||
|
||||
## Enable mitigations for Spectre variant 2 (indirect branch speculation).
|
||||
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
|
||||
## and Intel branch history injection (BHI) vulnerabilities.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
|
||||
|
||||
## Disable Speculative Store Bypass.
|
||||
## Disable Speculative Store Bypass (Spectre Variant 4).
|
||||
##
|
||||
## https://www.suse.com/support/kb/doc/?id=000019189
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
|
||||
|
||||
## Enable mitigations for the L1TF vulnerability through disabling SMT
|
||||
@ -67,6 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
|
||||
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
|
||||
## Return Instructions) vulnerability and disable SMT.
|
||||
##
|
||||
## https://www.suse.com/support/kb/doc/?id=000020693
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
|
||||
|
||||
## Control RAS overflow mitigation on AMD Zen CPUs.
|
||||
@ -75,8 +85,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
|
||||
|
||||
## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
|
||||
## Mitigates Gather Data Sampling (GDS) vulnerability.
|
||||
## Note for systems that have not received a suitable microcode update this will
|
||||
## entirely disable use of the AVX instructions set.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
|
||||
## TODO: update the above link with better alternative when possible
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
|
||||
|
||||
## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
|
||||
## encompasses E-cores on hybrid architectures.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
|
||||
|
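Review bot: `reg_file_data_sampling=on` in the third hunk and `spectre_bhi=on` on the new spectre_v2 line of the first hunk are only honoured by kernels that implement those mitigations; an older kernel still boots and merely reports them as unknown command line parameters, so nothing in this file signals that part of the intended hardening may be inactive on such a system. I would add a one-line comment under each, e.g. `## Only effective on kernels that implement this mitigation; older kernels ignore the option.` The minimum kernel version is not recoverable from this page, so the author should fill that in if it is known. The rest of the file between the hunks is outside what is shown here.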
@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install firewire-core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-net /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
@ -88,6 +89,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc
|
||||
install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
install mei-me /usr/bin/disabled-intelme-by-security-misc
|
||||
|
||||
# Disable GPS modules like GNSS (Global Navigation Satellite System)
|
||||
install gnss /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-serial /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-usb /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-ubx /usr/bin/disabled-gps-by-security-misc
|
||||
|
||||
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
blacklist ath_pci
|
||||
|
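Review bot: The new comment above the GNSS block uses a single `#` (`# Disable GPS modules like GNSS (Global Navigation Satellite System)`) while the rest of this file uses `##` for comments, as on `## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver` a few lines below; for consistency make it `## Disable GPS modules like GNSS (Global Navigation Satellite System)`. Both forms are comments to modprobe, so this is style only. The earlier hunk in this file adds one line among the firewire entries that I cannot identify from the page; if it is a second dash/underscore spelling of an existing entry, modprobe normalises `-` and `_` in module names, so the duplicate is harmless but redundant and could be dropped or given a short comment explaining why both spellings are kept.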
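--- /dev/null
+++ b/usr/bin/disabled-gps-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1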
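Review bot: The `echo` line embeds `$@` inside a double-quoted string; `"…$@…"` splits into several words when more than one argument is passed, which echo happens to re-join with spaces, but the intent is one message string and ShellCheck flags the construct (SC2145), so `$*` is the right expansion here. I would also use printf so that an argument beginning with `-` or containing backslashes cannot be interpreted by echo: `printf '%s\n' "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $*" >&2`. The message text and the `exit 1` stay as they are.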
@ -81,8 +81,9 @@ kernel.io_uring_disabled=2
|
||||
|
||||
## A martian packet is a one with a source address which is blatantly wrong
|
||||
## Recommended to keep a log of these to identify these suspicious packets
|
||||
net.ipv4.conf.all.log_martians=1
|
||||
net.ipv4.conf.default.log_martians=1
|
||||
## Good for troubleshooting and diagnostics but not necessary by default
|
||||
#net.ipv4.conf.all.log_martians=1
|
||||
#net.ipv4.conf.default.log_martians=1
|
||||
|
||||
## Protects against time-wait assassination.
|
||||
## It drops RST packets for sockets in the time-wait state.
|
||||
|
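Review bot: The retained comment `## Recommended to keep a log of these to identify these suspicious packets` now sits directly above what the hunk suggests are the commented-out `#net.ipv4.conf.all.log_martians=1` and `#net.ipv4.conf.default.log_martians=1` lines, introduced with `## Good for troubleshooting and diagnostics but not necessary by default`, so the two comments contradict each other about whether the logging is recommended. Reword the first to describe the trade-off rather than recommend the disabled setting, e.g. `## Logging these helps identify suspicious packets; it is left off by default, see below.` It is also worth stating in the comment that turning this off removes the kernel's record of spoofed-source traffic, so a deployment that monitors martian logs has to re-enable the two sysctls locally. Which lines are old and which are new is inferred from the hunk counts, not marked on the page.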