Merge remote-tracking branch 'github-kicksecure/master'

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,21 +1,30 @@
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables all known mitigations for CPU vulnerabilities.
+## Enables known mitigations for CPU vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Enable known mitigations for CPU vulnerabilities and disable SMT.
+## Check for potential updates directly from AMD and Intel.
+##
+## https://www.amd.com/en/resources/product-security.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
+
+## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 
-## Enable mitigations for Spectre variant 2 (indirect branch speculation).
+## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
+## and Intel branch history injection (BHI) vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
 
-## Disable Speculative Store Bypass.
+## Disable Speculative Store Bypass (Spectre Variant 4).
+##
+## https://www.suse.com/support/kb/doc/?id=000019189
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
 ## Enable mitigations for the L1TF vulnerability through disabling SMT
@@ -67,6 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
 ## Return Instructions) vulnerability and disable SMT.
 ##
+## https://www.suse.com/support/kb/doc/?id=000020693
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 
 ## Control RAS overflow mitigation on AMD Zen CPUs.
@@ -75,8 +85,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
 
-## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
+## Mitigates Gather Data Sampling (GDS) vulnerability.
+## Note for systems that have not received a suitable microcode update this will
+## entirely disable use of the AVX instructions set.
 ##
-## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
-## TODO: update the above link with better alternative when possible
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
+
+## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
+## encompasses E-cores on hybrid architectures.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

etc/modprobe.d/30_security-misc.conf

@@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
 install firewire_core /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
@@ -88,6 +89,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc
 
+# Disable GPS modules like GNSS (Global Navigation Satellite System)
+install gnss /usr/bin/disabled-gps-by-security-misc
+install gnss-mtk /usr/bin/disabled-gps-by-security-misc
+install gnss-serial /usr/bin/disabled-gps-by-security-misc
+install gnss-sirf /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
+install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+
 ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 blacklist ath_pci

usr/bin/disabled-gps-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/lib/sysctl.d/990-security-misc.conf

@@ -81,8 +81,9 @@ kernel.io_uring_disabled=2
 
 ## A martian packet is a one with a source address which is blatantly wrong
 ## Recommended to keep a log of these to identify these suspicious packets
-net.ipv4.conf.all.log_martians=1
-net.ipv4.conf.default.log_martians=1
+## Good for troubleshooting and diagnostics but not necessary by default
+#net.ipv4.conf.all.log_martians=1
+#net.ipv4.conf.default.log_martians=1
 
 ## Protects against time-wait assassination.
 ## It drops RST packets for sockets in the time-wait state.