README.md: Organise kernel boot parameters

Raja Grewal 2024-08-21 12:52:48 +10:00 committed by Patrick Schleizer
parent e962153f84
commit af87a84b4f
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48


@ -121,6 +121,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
configuration file. configuration file.
Kernel space:
- Disable merging of slabs with similar size, which reduces the risk of - Disable merging of slabs with similar size, which reduces the risk of
triggering heap overflows and limits influencing slab cache layout. triggering heap overflows and limits influencing slab cache layout.
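Review bot: The new `Kernel space:` label is inserted directly after the sentence ending in "configuration file." with no blank line, so in Markdown it will be rendered as a continuation of that paragraph rather than as a label for the list that follows. Either surround it with blank lines or, to match the existing `### Kernel Modules` heading style in this file, make it a sub-heading such as `#### Kernel space`.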
@ -164,18 +166,24 @@ configuration file.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface. to reduce attack surface.
Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use - Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings. of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware. DMA before the IOMMU is configured. May cause boot failure on certain hardware.
Entropy:
- Do not credit the CPU or bootloader as entropy sources at boot in order to - Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool. maximize the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is - Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized. being initialized.
Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface. - Optional - Disable the entire IPv6 stack to reduce attack surface.
### Kernel Modules ### Kernel Modules
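Review bot: The `Direct memory access:`, `Entropy:` and `Networking:` labels each follow the last line of a bullet item (for example "to reduce attack surface." and "being initialized.") with no blank line, so Markdown will treat them as lazy continuation text of the preceding bullet instead of starting a new group; each label needs a blank line before it, or should use the same heading syntax as `### Kernel Modules` below it. The grouping itself is a clear improvement over the previous flat list, since it lets a reader see at a glance which options in `40_kernel_hardening.cfg` carry hardware-compatibility caveats (the busmaster-bit entry) versus which are purely attack-surface reductions.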