Merge remote-tracking branch 'raja/kargs'

README.md

@@ -101,36 +101,56 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 
 ### Boot parameters
 
-Boot parameters are outlined in configuration files located in the
-`etc/default/grub.d/` directory.
+Mitigations for known CPU vulnerabilities are enabled in their strictest form
+and simultaneous multithreading (SMT) is disabled. See the 
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
 
--   Slab merging is disabled which significantly increases the difficulty of
-    heap exploitation by preventing overwriting objects from merged caches and
-    by making it harder to influence slab cache layout.
+Boot parameters relating to kernel hardening, DMA mitigations, and entropy
+generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
+configuration file.
 
--   Memory zeroing at allocation and free time is enabled to mitigate some
-    use-after-free vulnerabilities and erase sensitive information in memory.
+-   Disable merging of slabs with similar size which reduces the risk of 
+    triggering heap overflows and limits influencing slab cache layout.
 
--   Page allocator freelist randomization is enabled.
+-   Enable memory zeroing at both allocation and free time which mitigate some
+    use-after-free vulnerabilities by erasing sensitive information in memory.
 
--   Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
-    KASLR effectiveness.
+-   Enable the kernel page allocator to randomise free lists to limit some data 
+    exfiltration and ROP attacks especially during the early boot process.
 
--   vsyscalls are disabled as they are obsolete, are at fixed addresses and
-    thus, are a potential target for ROP.
+-   Enable kernel page table isolation increase KASLR effectiveness and also
+    mitigate the Meltdown CPU vulnerability.
 
--   The kernel panics on oopses to thwart certain kernel exploits.
+-   Enables randomisation of the kernel stack offset on syscall entries to harden
+    against memory corruption attacks.
 
--   Enables randomisation of the kernel stack offset on syscall entries.
+-   Disable vsyscalls as they are vulnerable to ROP attacks and have now been 
+    replaced by vDSO.
 
--   Mitigations for known CPU vulnerabilities are enabled and SMT is
-    disabled.
+-   Restrict access to debugfs by not registering the file system since it can 
+    contain sensitive information.
 
--   IOMMU is enabled to prevent DMA attacks along with strict enforcement of
-    IOMMU TLB invalidation so devices will never be able to access stale data
-    contents.
+-   Force kernel panics on "oopses" to potentially indicate and thwart certain 
+    kernel exploitation attempts.
 
--   Distrust the 'randomly' generated CPU and bootloader seeds.
+-   Provide option to modify machine check exception handler.
+
+-   Provide option to disable support for all x86 processes and syscalls to reduce
+    attack surface (when using Linux kernel version >= 6.7).
+
+-   Enable strict IOMMU translation to protect against DMA attacks and disable
+    the busmaster bit on all PCI bridges during the early boot process.
+
+-   Do not credit the CPU or bootloader as entropy sources at boot in order to
+    maximise the absolute quantity of entropy in the combined pool.
+
+-   Obtain more entropy at boot from RAM as the runtime memory allocator is 
+    being initialised.
+
+-   Provide option to disable the entire IPv6 stack to reduce attack surface.
+
+Disallow sensitive kernel information leaks in the console during boot. See
+the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
 
 ### Kernel Modules
 
@@ -143,7 +163,7 @@ Not yet due to issues:
 
 See:
 
--   `/etc/default/grub.d/40_only_allow_signed_modules.cfg`
+-   `/etc/default/grub.d/40_signed_modules.cfg`
 
 #### Disables the loading of new modules to the kernel after the fact
 
@@ -285,8 +305,9 @@ See:
     `/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
 
 -   Distrusts the CPU for initial entropy at boot as it is not possible to
-    audit, may contain weaknesses or a backdoor. For references, see:
-    `/etc/default/grub.d/40_distrust_cpu.cfg`
+    audit, may contain weaknesses or a backdoor. Similarly, do not credit the 
+    bootloader seed for initial entropy. For references, see:
+    `/etc/default/grub.d/40_kernel_hardening.cfg`
 
 -   Gathers more entropy during boot if using the linux-hardened kernel patch.
 

debian/security-misc.maintscript

@@ -67,3 +67,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
 rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
+rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg
+rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg
+rm_conffile /etc/default/grub.d/40_enable_iommu.cfg
+
+## renamed to /etc/default/grub.d/40_remount_secure.cfg
+rm_conffile /etc/default/grub.d/40_remmount-secure.cfg
+
+## renamed to /etc/default/grub.d/40_signed_modules.cfg
+rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
+
+## renamed to /etc/default/grub.d/41_quiet_boot.cfg
+rm_conffile /etc/default/grub.d/41_quiet.cfg

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,99 +1,117 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables known mitigations for CPU vulnerabilities.
-##
+## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
 ## Check for potential updates directly from AMD and Intel.
-##
 ## https://www.amd.com/en/resources/product-security.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
 
 ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 
+## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+## Disabling will significantly decrease system performance on multi-threaded tasks.
+## To enable SMT, remove this line all other occurrences of "nosmt" in this file.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
 ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
 ## and Intel branch history injection (BHI) vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
 ## Disable Speculative Store Bypass (Spectre Variant 4).
 ##
 ## https://www.suse.com/support/kb/doc/?id=000019189
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
 ## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 
 ## Enable mitigations for the MDS vulnerability through clearing buffer cache
 ## and disabling SMT.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 
-## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## Patches the TAA vulnerability by disabling TSX and enable mitigations using
 ## TSX Async Abort along with disabling SMT.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
 
 ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 
-## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
-## Only mitigated through microcode updates from Intel.
+## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions
+## are only possible through microcode updates from Intel.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
 
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
-## The only full mitigation of cross-HT attacks is to disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
-
-## Enables the prctl interface to prevent leaks from L1D on context switches.
+## Enable the prctl() interface to prevent leaks from L1D on context switches.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 
-## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
+## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 
 ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
 ## Return Instructions) vulnerability and disable SMT.
 ##
 ## https://www.suse.com/support/kb/doc/?id=000020693
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 
 ## Control RAS overflow mitigation on AMD Zen CPUs.
-## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
-## This default will used until provided sufficient evidence to modify.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+##
+## The default kernel setting will be utilised until provided sufficient evidence to modify.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
 
-## Mitigates Gather Data Sampling (GDS) vulnerability.
+## Enable Gather Data Sampling (GDS) mitigation.
 ## Note for systems that have not received a suitable microcode update this will
 ## entirely disable use of the AVX instructions set.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 
-## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
+## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
 ## encompasses E-cores on hybrid architectures.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

etc/default/grub.d/40_distrust_bootloader.cfg

@@ -1,7 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Distrusts the bootloader for initial entropy at boot.
-##
-## https://lkml.org/lkml/2022/6/5/271
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"

etc/default/grub.d/40_distrust_cpu.cfg

@@ -1,12 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Distrusts the CPU for initial entropy at boot as it is not possible to
-## audit, may contain weaknesses or a backdoor.
-##
-## https://en.wikipedia.org/wiki/RDRAND#Reception
-## https://twitter.com/pid_eins/status/1149649806056280069
-## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
-## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
-## https://lkml.org/lkml/2022/6/5/271
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"

etc/default/grub.d/40_enable_iommu.cfg

@@ -1,17 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Enables IOMMU to prevent DMA attacks.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation"
-
-## Disable the busmaster bit on all PCI bridges during very
-## early boot to avoid holes in IOMMU.
-##
-## https://mjg59.dreamwidth.org/54433.html
-## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
-
-## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
-## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
-## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1"

etc/default/grub.d/40_kernel_hardening.cfg

@@ -5,58 +5,196 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
 kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
 #echo "## kver: $kver"
 
-## Disables the merging of slabs of similar sizes.
-## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+## This configuration file is split into 3 sections:
+## 1. Kernel Space
+## 2. Direct Memory Access
+## 3. Entropy
+## 4. Networking
+
+## See the documentation below for details on the majority of the selected commands.
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
+
+## 1. Kernel Space:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+
+## Disable merging of slabs with similar size.
+## Reduces the risk of triggering heap overflows.
+## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
+##
+## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
+## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
-## Enables sanity checks (F) and redzoning (Z).
-## Disabled due to kernel deciding to implicitly disable kernel pointer hashing
-## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
+## Zero memory at allocation time and free time.
+## Fills newly allocated pages, freed pages, and heap objects with zeros.
+## Mitigates use-after-free exploits by erasing sensitive information in memory.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 
-## Zero memory at allocation and free time.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
-
-## Machine check exception handler decides whether the system should panic or not based on the exception that happened.
-## https://forums.whonix.org/t/kernel-hardening/7296/494
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
-
-## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
-
-## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
-
-## Enables page allocator freelist randomization.
+## Enable the kernel page allocator to randomise free lists.
+## During early boot the page allocator has predictable FIFO behaviour for physical pages.
+## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
+## Also improves performance by optimising memory-side cache utilisation.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
+## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
-## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
+## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
+## Mitigates the Meltdown CPU vulnerability.
+##
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
+
+## Enable randomisation of the kernel stack offset on syscall entries.
+## Hardens against memory corruption attacks due to increased entropy.
+## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
+##
 ## https://lkml.org/lkml/2019/3/18/246
+## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
 
-## Enables kernel lockdown.
+## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
+## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
 ##
-## Disabled for now as it enforces module signature verification which breaks
-## too many things.
-## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+## https://lwn.net/Articles/446528/
+## https://en.wikipedia.org/wiki/VDSO
 ##
-#if dpkg --compare-versions "${kver}" ge "5.4"; then
-#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
-#fi
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 
-## Gather more entropy during boot.
+## Restrict access to debugfs by not registering the file system.
+## Deactivated since the file system can contain sensitive information.
 ##
-## Requires linux-hardened kernel patch.
-## https://github.com/anthraxx/linux-hardened
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
-
-## Restrict access to debugfs since it can contain a lot of sensitive information.
 ## https://lkml.org/lkml/2020/7/16/122
-## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
-## Force the kernel to panic on "oopses" (which may be due to false positives)
+## Force the kernel to panic on "oopses".
+## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Also cause panics on machine check exceptions.
+## Panics may be due to false-positives such as bad drivers.
+## 
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
-## Implemented differently:
-## /usr/libexec/security-misc/panic-on-oops
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
+
+## Modify machine check exception handler.
+## Can decide whether the system should panic or not based on the occurrence of an exception.
+##
+## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
+## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
+## https://forums.whonix.org/t/kernel-hardening/7296/494
+##
+## The default kernel setting will be utilised until provided sufficient evidence to modify.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## Disable support for x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
+#ia32_emulation=0
+
+## 2. Direct Memory Access:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
+
+## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
+
+## Enable and force use of IOMMU translation to protect against DMA attacks.
+## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
+## Ensures devices will never be able to access stale data contents.
+##
+## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
+## https://en.wikipedia.org/wiki/DMA_attack
+## https://lenovopress.lenovo.com/lp1467.pdf
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
+
+## Disable the busmaster bit on all PCI bridges during the early boot process.
+## Patches weak-point in some existing IOMMU implementations.
+## May lead to issues such as complete system boot failure on certain devices.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+## https://mjg59.dreamwidth.org/54433.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## 3. Entropy:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
+
+## Do not credit the CPU or bootloader seeds as entropy sources at boot.
+## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
+## Numerous implementations of RDRAND have a long history of being defective. 
+## The RNG seed passed by the bootloader could also potentially be tampered.
+## Maximising the entropy pool at boot is desirable for all cryptographic operations.
+## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
+## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
+##
+## https://en.wikipedia.org/wiki/RDRAND#Reception
+## https://systemd.io/RANDOM_SEEDS/
+## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
+## https://x.com/pid_eins/status/1149649806056280069
+## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
+## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://github.com/NixOS/nixpkgs/pull/165355
+## https://lkml.org/lkml/2022/6/5/271
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
+
+## Obtain more entropy during boot as the runtime memory allocator is being initialised.
+## Entropy will be extracted from up to the first 4GB of RAM.
+## Requires the linux-hardened kernel patch.
+##
+## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
+## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
+## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+## 
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
+##
+#ipv6.disable=1

etc/default/grub.d/40_only_allow_signed_modules.cfg

@@ -1,8 +0,0 @@
-## Requires every module to be signed before being loaded.
-## Any module that is unsigned or signed with an invalid key cannot be loaded.
-## This makes it harder to load a malicious module.
-##
-## Not enabled by default yet due to issues:
-## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
-## https://github.com/dell/dkms/issues/359
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"

etc/default/grub.d/40_remount_secure.cfg

@@ -1,16 +1,25 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Remount Secure provides enhanced security via mmount options: 
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
 
+## Option A (No Security):
 ## Disable Remount Secure.
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
 
-## Re-mount with nodev, nosuid only.
+## Option B (Low Security):
+## Re-mount with nodev and nosuid only.
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
 
-## Re-mount with nodev, nosuid and most with noexec except for /home.
+## Option C (Medium Security):
+## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
 
-## Re-mount with nodev, nosuid and all with noexec including /home.
+## Option D (Highest Security)
+## Re-mount with nodev, nosuid, and noexec for all mount points including /home. 
+##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

etc/default/grub.d/40_signed_modules.cfg

@@ -0,0 +1,25 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Require every kernel module to be signed before being loaded.
+## Any module that is unsigned or signed with an invalid key cannot be loaded.
+## This prevents all out-of-tree kernel modules unless signed.
+## This makes it harder to load a malicious module.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
+## https://github.com/dell/dkms/issues/359
+##
+## Not enabled by default yet due to several issues.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+
+## Enable kernel lockdown to enforce security boundary between user and kernel space.
+## Confidentiality mode enforces module signature verification.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+##
+## ## Not enabled by default yet due to several issues.
+##
+#if dpkg --compare-versions "${kver}" ge "5.4"; then
+#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+#fi

etc/default/grub.d/41_quiet.cfg

@@ -1,27 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Prevent kernel info leaks in console during boot.
-## https://phabricator.whonix.org/T950
-
-## LANG=C str_replace is provided by package helper-scripts.
-
-## The following command actually removed "quiet" from the kernel command line.
-## If verbosity is desired, the user might want to keep this line.
-## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
-GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
-
-## If verbosity is desired, the user might want to out-comment the following line.
-GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0"
-
-## NOTE:
-## After editing this file, running:
-## sudo update-grub
-## is required.
-##
-## If higher verbosity is desired, the user might also want to delete file
-## /etc/sysctl.d/30_silent-kernel-printk.conf
-## (or out-comment its settings).
-##
-## Alternatively, the user could consider to install the debug-misc package,
-## which will undo the settings found here.

etc/default/grub.d/41_quiet_boot.cfg

@@ -0,0 +1,29 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Some default configuration files automatically include the "quiet" parameter.
+## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
+## LANG=C str_replace is provided by package helper-scripts.
+##
+## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## For easier debugging, these are not applied to the recovery boot option.
+## Switch the pair of commands to universally apply parameters to all boot options.
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## For Increased Log Verbosity:
+## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Alternatively, installing the debug-misc package will undo these settings.