mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-08-02 21:46:04 -04:00
Refactor existing kernel parameters for clarity
This commit is contained in:
parent
5ba5a85ad0
commit
a33d4cd099
11 changed files with 284 additions and 155 deletions
65
README.md
65
README.md
|
@ -67,36 +67,54 @@ configuration file.
|
|||
|
||||
### Boot parameters
|
||||
|
||||
Boot parameters are outlined in configuration files located in the
|
||||
`etc/default/grub.d/` directory.
|
||||
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
||||
and simultaneous multithreading (SMT) is disabled. See the
|
||||
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
|
||||
|
||||
- Slab merging is disabled which significantly increases the difficulty of
|
||||
heap exploitation by preventing overwriting objects from merged caches and
|
||||
by making it harder to influence slab cache layout.
|
||||
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
configuration file.
|
||||
|
||||
- Memory zeroing at allocation and free time is enabled to mitigate some
|
||||
use-after-free vulnerabilities and erase sensitive information in memory.
|
||||
- Disable merging of slabs with similar size which reduces the risk of
|
||||
triggering heap overflows and limits influencing slab cache layout.
|
||||
|
||||
- Page allocator freelist randomization is enabled.
|
||||
- Provides option to enable sanity checks and red zoning via slab debugging.
|
||||
Not reccommened due to implicit disabling of kernel pointer hashing.
|
||||
|
||||
- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
|
||||
KASLR effectiveness.
|
||||
- Enable Memory zeroing at both allocation and free time which mitigate some
|
||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||
|
||||
- vsyscalls are disabled as they are obsolete, are at fixed addresses and
|
||||
thus, are a potential target for ROP.
|
||||
- Enable the kernel page allocator to randomise free lists to limit some data
|
||||
exfiltration and ROP attacks especially during the early boot process.
|
||||
|
||||
- The kernel panics on oopses to thwart certain kernel exploits.
|
||||
- Enable kernel page table isolation increase KASLR effectiveness and also
|
||||
mitigate the Meltdown CPU vulnerability.
|
||||
|
||||
- Enables randomisation of the kernel stack offset on syscall entries.
|
||||
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
||||
against memory corruption attacks.
|
||||
|
||||
- Mitigations for known CPU vulnerabilities are enabled and SMT is
|
||||
disabled.
|
||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||
replaced by vDSO.
|
||||
|
||||
- IOMMU is enabled to prevent DMA attacks along with strict enforcement of
|
||||
IOMMU TLB invalidation so devices will never be able to access stale data
|
||||
contents.
|
||||
- Restrict access to debugfs by not registering the file system since it can
|
||||
contain sensitive information.
|
||||
|
||||
- Distrust the 'randomly' generated CPU and bootloader seeds.
|
||||
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
||||
kernel exploitation attempts.
|
||||
|
||||
- Provide option to modify machine check exception handler.
|
||||
|
||||
- Enable strict IOMMU translation to protect against DMA attacks and disable
|
||||
the busmaster bit on all PCI bridges during the early boot process.
|
||||
|
||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||
maximise the absolute quantity of entropy the pool.
|
||||
|
||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||
being initialised.
|
||||
|
||||
Disallow sensitive kernel information leaks in the console during boot. See
|
||||
the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.
|
||||
|
||||
### Kernel Modules
|
||||
|
||||
|
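Review bot: the new intro line points at `etc/default/grub.d/` without the leading slash, while `/etc/default/grub.d/40_quiet_boot.cfg` a few lines below in the same hunk keeps it; it should read `/etc/default/grub.d/`. The rewrite also drops the per-file pointers (`/etc/default/grub.d/40_cpu_mitigations.cfg`, `/etc/default/grub.d/40_kernel_hardening.cfg`) that told a reader which file sets which parameter; if those files still exist after this commit, keep one pointer per group or name the file inline in each bullet. Several new bullets need a grammar pass: "Not reccommened" should be "Not recommended", "Enable kernel page table isolation increase KASLR effectiveness" is missing "to", "Enable Memory zeroing at both allocation and free time which mitigate" should be "Enable memory zeroing ... which mitigates", and "maximise the absolute quantity of entropy the pool" is missing "in". The list also mixes imperative ("Disable merging of slabs", "Enable strict IOMMU translation") with third person ("Provides option", "Enables randomisation"); pick one voice. Lastly, "Obtain more entropy at boot from RAM as the runtime memory allocator is being initialised" is stated unconditionally here, while the unchanged text later in this file still says the feature only applies when using the linux-hardened kernel patch; carry that condition into the bullet so the two passages agree.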
@ -109,7 +127,7 @@ Not yet due to issues:
|
|||
|
||||
See:
|
||||
|
||||
- `/etc/default/grub.d/40_only_allow_signed_modules.cfg`
|
||||
- `/etc/default/grub.d/40_signed_modules.cfg`
|
||||
|
||||
#### Disables the loading of new modules to the kernel after the fact
|
||||
|
||||
|
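Review bot: the `See:` list swaps `/etc/default/grub.d/40_only_allow_signed_modules.cfg` for `/etc/default/grub.d/40_signed_modules.cfg` (the side-by-side rendering does not show which side is old), so confirm that the file under the surviving name is part of this commit and that no other mention of the dropped name remains in the README or elsewhere in the repository. The surrounding context "Not yet due to issues:" is unchanged, so the rename does not change the status of the feature; the commit message should say that this is a rename only.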
@ -259,8 +277,9 @@ See:
|
|||
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
||||
|
||||
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
audit, may contain weaknesses or a backdoor. For references, see:
|
||||
`/etc/default/grub.d/40_distrust_cpu.cfg`
|
||||
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
||||
bootloader seed for initial entropy. For references, see:
|
||||
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
|
||||
- Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||
|
||||
|
|
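Review bot: the reference now points at `/etc/default/grub.d/40_kernel_hardening.cfg` instead of `/etc/default/grub.d/40_distrust_cpu.cfg`, so check that the distrust settings and the references the sentence promises were actually moved into 40_kernel_hardening.cfg in this commit and that 40_distrust_cpu.cfg is removed or marked obsolete; otherwise a reader following the pointer will not find them. The added sentence "Similarly, do not credit the bootloader seed for initial entropy" switches from the bullet's third-person "Distrusts the CPU" to the imperative; "Similarly, the bootloader seed is not credited for initial entropy" keeps the voice. The following bullet, "Gathers more entropy during boot if using the linux-hardened kernel patch", is unchanged, while the boot-parameters list earlier in this file now describes the same feature without the linux-hardened condition; the two passages should agree.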