Add option to disable support for x86 processes and syscalls in the future

This commit is contained in:
Raja Grewal 2024-07-15 02:02:01 +10:00
parent f550fbe07c
commit 99038c7a06
No known key found for this signature in database
GPG key ID: 92CA473C156B64C4
2 changed files with 12 additions and 0 deletions


@ -104,6 +104,9 @@ configuration file.
- Provide option to modify machine check exception handler. - Provide option to modify machine check exception handler.
- Provide option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7).
- Enable strict IOMMU translation to protect against DMA attacks and disable - Enable strict IOMMU translation to protect against DMA attacks and disable
the busmaster bit on all PCI bridges during the early boot process. the busmaster bit on all PCI bridges during the early boot process.
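Review bot: the added README bullet says "all x86 processes and syscalls", which is ambiguous on an x86-64 host where every process is an x86 process; the companion config hunk calls the mechanism "IA32 emulation", so the bullet should say the same thing, e.g. "- Provide option to disable support for all 32-bit x86 (IA-32) processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7)". It would also help readers to note in the bullet that enabling this breaks any 32-bit userspace binaries on the system, since that is the trade-off the option asks them to accept.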


@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## ##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
##
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#ia32_emulation=0
## 2. Direct Memory Access: ## 2. Direct Memory Access:
## ##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
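Review bot: the added line `#ia32_emulation=0` does not follow the convention of every other option in this file (see the `mce=0` line just above it and the `debugfs=off` line in the hunk header), which is `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX <param>"`; if a user uncomments it as written, the parameter is never passed to the kernel and it merely becomes a shell variable assignment in `/etc/default/grub`. It should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"`. The comment "Unconditionally disables IA32 emulation" should also mention that the parameter only has an effect on kernels built with IA-32 emulation support and is silently ignored on older kernels, which matches the "retained here for future-proofing" wording but is worth stating so users can verify the setting took effect after reboot (for example by checking `/proc/cmdline`).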