Add option to disable support for x86 processes and syscalls in the future

2024-10-01 08:25:45 -04:00 · 2024-07-15 02:02:01 +10:00 · 2024-07-15 02:02:01 +10:00 · 99038c7a06
commit 99038c7a06
parent f550fbe07c
2 changed files with 12 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -104,6 +104,9 @@ configuration file.

 -   Provide option to modify machine check exception handler.

+-   Provide option to disable support for all x86 processes and syscalls to reduce
+    attack surface (when using Linux kernel version >= 6.7).
+
 -   Enable strict IOMMU translation to protect against DMA attacks and disable
    the busmaster bit on all PCI bridges during the early boot process.

--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"

+## Disable support for x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
+#ia32_emulation=0
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks