From a1bde21ccb475fc21a084559dbe766f6315d9287 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 17 May 2025 04:41:06 +0000 Subject: [PATCH] Set `erst_disable` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 38cc8e0..628f732 100644 --- a/README.md +++ b/README.md @@ -226,8 +226,8 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. Direct memory access: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..ee79f81 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. +## Both the UEFI variable storage and ACPI ERST backends are inactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ 
@@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://github.com/Kicksecure/security-misc/issues/299 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## 2. Direct Memory Access: ##
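Review bot: in the README hunk, the new wording "Disable the EFI persistent storage feature which prevents the kernel from writing ..." reads as though the feature itself does the preventing, and it still describes a single EFI feature while the config change now turns off two distinct backends. Suggest: "- Disable the EFI and ACPI ERST persistent storage backends, preventing the kernel from writing crash logs and other persistent data across reboots." Because this also discards the saved oops/panic record that would otherwise be available after a crash, a one-line note on that trade-off belongs in the same bullet.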
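Review bot: in the first 40_kernel_hardening.cfg hunk, the comment block now stacks two "Disable ..." sentences under a heading that names only the EFI feature, so it reads as two separate items; ERST is an ACPI table, not part of EFI. Suggest collapsing the opening lines to "## Disable persistent storage (pstore) backends as a form of defense-in-depth." / "## Prevents the kernel from writing crash logs and other persistent data across reboots." / "## Both the UEFI variable storage and ACPI ERST backends are disabled.", using "disabled" rather than "inactivated" to match the wording used elsewhere in the file.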
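Review bot: in the second 40_kernel_hardening.cfg hunk, `erst_disable` is a core kernel parameter that takes no value, unlike the neighbouring `efi_pstore.pstore_disable=1`, which is a module parameter, so the bare form is correct; a short comment above the new line noting that difference would keep readers from "fixing" it to `erst_disable=1`. The hunk adds the parameter but the PR does not say how it was verified: after regenerating the GRUB configuration and rebooting, `erst_disable` should appear in `/proc/cmdline` and the kernel log should report ERST support as disabled rather than registering an ERST table.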