Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 08:36:13 -05:00
Code Issues Projects Releases Packages Wiki Activity

Update docs on reducing the MCE tolerance level

Browse source
This commit is contained in:
raja-grewal 2025-11-15 05:48:33 +00:00 committed by GitHub
parent b6fe1a5a6e
commit 9f897c5ccd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 14 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -225,7 +225,8 @@ Kernel space:
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.
- Optional - Modify the machine check exception handler.
- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to
always force kernel panics on any uncorrected hardware errors detected by the CPU.
- Prevent sensitive kernel information leaks in the console during boot.

16
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -161,14 +161,22 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
## Modify machine check exception handler.
## Can decide whether the system should panic or not based on the occurrence of an exception.
## Reduce the Machine Check Exception (MCE) handler tolerance level.
## Machine checks report internal hardware error conditions detected by the CPU.
## Force the kernel to always panic on any uncorrected errors.
## Improves security using ECC memory against vulnerabilities like Rowhammer.
## Note current x86 CPUs generally do not allow recovery from MCEs.
## Must first be tested to ensure there are no pre-existing issues on user hardware.
## The default kernel setting should be utilized until provided sufficient evidence to modify.
##
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt
## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck
## https://en.wikipedia.org/wiki/Machine-check_exception#Linux
## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0
## https://forums.whonix.org/t/kernel-hardening/7296/494
##
## The default kernel setting will be utilized until provided sufficient evidence to modify.
## Note that this must be used with panic=-1 for it to function as intended.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"