do not set kernel boot parameter page_poison=1 in Qubes since does not work

https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
2025-02-02 13:14:42 -05:00 · 2019-11-05 10:02:55 -05:00 · 2019-11-05 10:02:55 -05:00 · 94d40c68d4
commit 94d40c68d4
parent f57702c158
1 changed files with 7 additions and 2 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -7,8 +7,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## Enables sanity checks (F), redzoning (Z) and poisoning (P).
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"

-## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+if command -v "qubesdb-read" >/dev/null 2>&1 ; then
+   ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
+   true "skip adding page_poison=1 in Qubes"
+else
+   ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
+   GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+fi

 ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"