diff --git a/README.md b/README.md index a55002e..238e2c1 100644 --- a/README.md +++ b/README.md @@ -104,6 +104,9 @@ configuration file. - Provide option to modify machine check exception handler. +- Provide option to disable support for all x86 processes and syscalls to reduce + attack surface (when using Linux kernel version >= 6.7). + - Enable strict IOMMU translation to protect against DMA attacks and disable the busmaster bit on all PCI bridges during the early boot process. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index c4575b3..36cf099 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Disable support for x86 processes and syscalls. +## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## +## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## +#ia32_emulation=0 + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
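Review bot: in the README hunk, "disable support for all x86 processes and syscalls" is ambiguous and, read literally, wrong: on an x86-64 kernel the `ia32_emulation=0` option only disables the 32-bit compatibility layer, i.e. loading of 32-bit (IA32) programs and the 32-bit syscall entry points; 64-bit processes and syscalls are unaffected. Suggest "disable support for 32-bit (IA32) processes and syscalls" and, since this is a user-facing feature list, a short note that 32-bit-only software (multilib packages, 32-bit Wine or game launchers) will stop working when the option is enabled. The "Linux kernel version >= 6.7" qualifier is correct for the `ia32_emulation=` boot parameter; it may be worth saying that older kernels simply ignore the unknown parameter (with a warning) rather than fail to boot.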
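Review bot: in the `40_kernel_hardening.cfg` hunk, the commented-out line `#ia32_emulation=0` does not follow the form used by every other entry in this file (e.g. `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"` just above it and `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"`). If a user uncomments it as written, the grub.d fragment merely defines a shell variable named `ia32_emulation`; nothing is appended to the kernel command line and the hardening silently does not apply. It should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"`. Two wording points in the same comment block: "x86 processes and syscalls" should be "32-bit (IA32) processes and syscalls", matching the "IA32 emulation" sentence that follows, and "(retained here for future-proofing and completeness)" reads oddly for a line being added for the first time; replacing it with a plain statement that kernels older than 6.7 ignore the parameter, that it only has an effect on kernels built with IA32 emulation (where there is something to disable), and that enabling it breaks all 32-bit userspace would tell the user what they need before uncommenting it.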