Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 21:36:37 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge 62dc2d4483 into 9f85a78c99

Browse source
This commit is contained in:
raja-grewal 2025-11-20 18:07:36 +11:00 committed by GitHub
commit a12262d06c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 25 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -238,6 +238,9 @@ Kernel space:
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends. and other persistent data to either the UEFI variable storage or ACPI ERST backends.
- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
Direct memory access: Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use - Enable strict IOMMU translation to protect against some DMA attacks via the use

22
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -237,6 +237,28 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI.
## May cause boot failure on certain hardware with incompatible DMA masks.
##
## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
## https://en.wikichip.org/wiki/x86/sme
## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
## https://mricher.fr/post/amd-memory-encryption/
## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD
## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
## 2. Direct Memory Access: ## 2. Direct Memory Access:
## ##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks