Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2024-05-10 06:48:04 -04:00
commit 8a28c1bc38
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
4 changed files with 48 additions and 11 deletions


@ -1,21 +1,30 @@
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Enables all known mitigations for CPU vulnerabilities. ## Enables known mitigations for CPU vulnerabilities.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
## Enable known mitigations for CPU vulnerabilities and disable SMT. ## Check for potential updates directly from AMD and Intel.
##
## https://www.amd.com/en/resources/product-security.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
## and Intel branch history injection (BHI) vulnerabilities.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
## Disable Speculative Store Bypass. ## Disable Speculative Store Bypass (Spectre Variant 4).
##
## https://www.suse.com/support/kb/doc/?id=000019189
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
## Enable mitigations for the L1TF vulnerability through disabling SMT ## Enable mitigations for the L1TF vulnerability through disabling SMT
@ -67,6 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
## Return Instructions) vulnerability and disable SMT. ## Return Instructions) vulnerability and disable SMT.
## ##
## https://www.suse.com/support/kb/doc/?id=000020693
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## Control RAS overflow mitigation on AMD Zen CPUs. ## Control RAS overflow mitigation on AMD Zen CPUs.
@ -75,8 +85,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. ## Mitigates Gather Data Sampling (GDS) vulnerability.
## Note for systems that have not received a suitable microcode update this will
## entirely disable use of the AVX instructions set.
## ##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
## TODO: update the above link with better alternative when possible GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## encompasses E-cores on hybrid architectures.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
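Review bot: Nothing in this file says that the newly added parameters (`spectre_bhi=on`, `gather_data_sampling=force`, `reg_file_data_sampling=on`) are only honoured by kernels that implement those mitigations; the kernel does not reject an unknown boot parameter, it passes it on to init and at most logs it, so an older distribution kernel boots with these lines and silently skips the mitigation. I would add a header comment near the top of the file: `## Parameters unknown to the running kernel are ignored, not rejected. After boot, verify the effective state under /sys/devices/system/cpu/vulnerabilities/ rather than trusting this file.` It would also help readers of the `spectre_v2=on spectre_bhi=on` line to know that, per the linked kernel spectre.html document, `spectre_v2=on` implies `spectre_v2_user=on`, so the user-space mitigation is covered here as well. The `gather_data_sampling=force` note about AVX being disabled without updated microcode matches the kernel documentation and is worth keeping as is.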


@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc
install firewire_core /usr/bin/disabled-firewire-by-security-misc install firewire_core /usr/bin/disabled-firewire-by-security-misc
install firewire-net /usr/bin/disabled-firewire-by-security-misc
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
@ -88,6 +89,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc
install mei /usr/bin/disabled-intelme-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc
install mei-me /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc
# Disable GPS modules like GNSS (Global Navigation Satellite System)
install gnss /usr/bin/disabled-gps-by-security-misc
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
install gnss-serial /usr/bin/disabled-gps-by-security-misc
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
install gnss-usb /usr/bin/disabled-gps-by-security-misc
install gnss-ubx /usr/bin/disabled-gps-by-security-misc
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
blacklist ath_pci blacklist ath_pci
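Review bot: The new GNSS comment at the top of the added block uses a single `#` while every other comment in this file uses `##` (see the madwifi comment two lines below it); I would change it to `## Disable GNSS (Global Navigation Satellite System, i.e. GPS receiver) kernel modules` so the file stays uniform. Separately, the existing firewire entries list both the hyphen and the underscore spelling of each module name, but the new `firewire-net` line and the six `gnss-*` lines list only the hyphen form; as far as I recall modprobe normalises hyphens to underscores when matching `install` directives, which would make the duplicated spellings redundant, but if the duplicates are deliberate for robustness the new lines should follow the same convention, and a one-line comment stating which it is would settle the question for the next maintainer.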


@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1
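Review bot: The `echo` line embeds `$@` inside a double-quoted string that also contains other text, which ShellCheck flags as SC2145 (argument mixes string and array); when the module is requested with several arguments bash re-joins them into the first word of the expansion, so the intent here is `$*`, i.e. `echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $*" >&2`. The page does not show the file mode; since modprobe runs `install` commands through a shell, this helper must be installed executable like the other `disabled-*-by-security-misc` scripts the modprobe.d file references. The copyright header still reads 2019 - 2023 for a file created in this commit.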


@ -81,8 +81,9 @@ kernel.io_uring_disabled=2
## A martian packet is a one with a source address which is blatantly wrong ## A martian packet is a one with a source address which is blatantly wrong
## Recommended to keep a log of these to identify these suspicious packets ## Recommended to keep a log of these to identify these suspicious packets
net.ipv4.conf.all.log_martians=1 ## Good for troubleshooting and diagnostics but not necessary by default
net.ipv4.conf.default.log_martians=1 #net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
## Protects against time-wait assassination. ## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state. ## It drops RST packets for sockets in the time-wait state.