diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 667480e..fd997e4 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,21 +1,30 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables all known mitigations for CPU vulnerabilities. +## Enables known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Enable known mitigations for CPU vulnerabilities and disable SMT. +## Check for potential updates directly from AMD and Intel. +## +## https://www.amd.com/en/resources/product-security.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html + +## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" -## Enable mitigations for Spectre variant 2 (indirect branch speculation). +## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) +## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" -## Disable Speculative Store Bypass. +## Disable Speculative Store Bypass (Spectre Variant 4). +## +## https://www.suse.com/support/kb/doc/?id=000019189 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT 
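Review bot: The `spectre_bhi=on` token now folded into the `spectre_v2=on` line only takes effect on a kernel that ships the BHI mitigation knob; on an older kernel it is, as far as I recall, not an error but is reported as an unknown command line parameter and passed through to init, so nothing enforces it and the surrounding comment reads as if BHI were always covered. A one-line caveat above the assignment would save the next reader a check, e.g. `## spectre_bhi= is only honoured by kernels that have the BHI knob; confirm via /sys/devices/system/cpu/vulnerabilities/spectre_v2.` The same remark applies to the `mitigations=auto,nosmt` line's new wording "a subset of known mitigations": `auto` selects the kernel's full default set at default strength, so "subset" may mislead unless it is meant to contrast with the forced `on` values below.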
@@ -67,6 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## +## https://www.suse.com/support/kb/doc/?id=000020693 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. @@ -75,8 +85,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. +## Mitigates Gather Data Sampling (GDS) vulnerability. +## Note for systems that have not received a suitable microcode update this will +## entirely disable use of the AVX instructions set. ## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925 -## TODO: update the above link with better alternative when possible -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" + +## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## encompasses E-cores on hybrid architectures. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 8b5af64..421c8be 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
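Review bot: The new GDS comment explains the AVX cost of `gather_data_sampling=force` but not how to tell which state a given machine ended up in, and since the outcome depends on microcode that is the first thing an operator will want to check. Suggest adding `## Verify the result in /sys/devices/system/cpu/vulnerabilities/gather_data_sampling ("Mitigation: Microcode" vs "Mitigation: AVX disabled, no microcode").` under the existing link. The `reg_file_data_sampling=on` block would benefit from the same pointer (`.../vulnerabilities/reg_file_data_sampling`), as that mitigation likewise appears to depend on updated microcode — worth confirming against the linked kernel document before wording it as a fact.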
@@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire_core /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc install firewire_ohci /usr/bin/disabled-firewire-by-security-misc install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc @@ -88,6 +89,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +# Disable GPS modules like GNSS (Global Navigation Satellite System) +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc + ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc new file mode 100644 index 0000000..460e39c --- /dev/null +++ b/usr/bin/disabled-gps-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
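Review bot: The added `install firewire-net` line has no underscore twin, while the neighbouring entries list both spellings (`firewire-core`/`firewire_core`, `firewire-ohci`/`firewire_ohci`). If the file relies on the doubled spellings rather than on modprobe's dash/underscore normalisation, the new entry should follow suit: `install firewire_net /usr/bin/disabled-firewire-by-security-misc`. Otherwise a short comment stating that one spelling is sufficient would settle the question for the whole file.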
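Review bot: The header of the new GNSS block uses a single `#` where every other comment in this file uses `##` (compare the `## Blacklist automatic loading of the Atheros ...` line directly below it), and "GPS modules like GNSS" inverts the relationship — GPS is one GNSS constellation, not the other way round. Suggest `## Disable GNSS (Global Navigation Satellite System, e.g. GPS) receiver modules.` As with the firewire entries above, only the hyphenated spellings (`gnss-mtk`, `gnss-serial`, ...) are listed; either approach is fine, but the file should be consistent about whether it depends on modprobe's name normalisation.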
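Review bot: In the new `disabled-gps-by-security-misc` script, `$@` is expanded inside a larger double-quoted string (the `| args: $@` tail of the echo), which splits the message into one word per argument rather than appending the arguments to it (ShellCheck SC2145); `$*` is the join intended here. Since the whole message is a single string, `printf` is also the safer emitter than `echo`: `printf '%s\n' "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $*" >&2`, message text unchanged. The rest of the script is fine as a modprobe install target.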
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 321f3b8..95b44ff 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -81,8 +81,9 @@ kernel.io_uring_disabled=2 ## A martian packet is a one with a source address which is blatantly wrong ## Recommended to keep a log of these to identify these suspicious packets -net.ipv4.conf.all.log_martians=1 -net.ipv4.conf.default.log_martians=1 +## Good for troubleshooting and diagnostics but not necessary by default +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1 ## Protects against time-wait assassination. ## It drops RST packets for sockets in the time-wait state.
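Review bot: With the two `log_martians` lines commented out, the retained context comment `## Recommended to keep a log of these to identify these suspicious packets` now recommends the opposite of what the file does, and a reader will take the commented lines for an accidental drop. Reword it to match the new state and fold the added "Good for troubleshooting" line into it, e.g. `## Logging them is useful for troubleshooting but is left at the kernel default (off) to avoid log noise; uncomment to enable.` It is also worth noting in the commit message that martian packets will no longer surface in any log-based detection, in case that telemetry was relied on downstream.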