diff --git a/debian/control b/debian/control index 8d62e4a..2d10db3 100644 --- a/debian/control +++ b/debian/control @@ -56,7 +56,9 @@ Description: enhances misc security settings * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. . - * Sanity checks, redzoning, and memory poisoning are enabled. + * Sanity checks and redzoning are enabled. + . + * Memory zeroing at allocation and free time is enabled. . * Machine checks (MCE) are disabled which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. @@ -106,6 +108,14 @@ Description: enhances misc security settings . * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. + . + * Vsyscalls are disabled as they are obsolete, are at fixed addresses and are + a target for ROP. + . + * Page allocator freelist randomization is enabled. + . + * Kernel lockdown is enabled. + . . Improve Entropy Collection . diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 7a50db8..c6fc47c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,18 +1,29 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +kver="$(uname -r)" + +## Disables the merging of slabs of similar sizes. +## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F), redzoning (Z) and poisoning (P). -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" +## Enables sanity checks (F) and redzoning (Z). +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -if command -v "qubesdb-read" >/dev/null 2>&1 ; then - ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 - true "skip adding page_poison=1 in Qubes" +## Zero memory at allocation and free time. +if dpkg --compare-versions "${kver}" ge "5.3"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" else - ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" + ## SLUB poisoning and page poisoning is used if the kernel + ## does not yet support init_on_{,alloc,free}. + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P" + + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 + true "skip adding page_poison=1 in Qubes" + else + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" + fi fi ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. 
@@ -24,3 +35,16 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Enables all mitigations for the MDS vulnerability. ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" + +## Enables page allocator freelist randomization. +if dpkg --compare-versions "${kver}" ge "5.2"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" +fi + +## Enables kernel lockdown. +if dpkg --compare-versions "${kver}" ge "5.4"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +fi
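Review bot: In the debian/control hunk at @@ -56,7 the new bullet "Memory zeroing at allocation and free time is enabled." is stated unconditionally, but the accompanying grub.d change only adds `init_on_alloc=1 init_on_free=1` on kernels 5.3 and newer and falls back to `slub_debug=P` / `page_poison=1` on older ones. Suggest qualifying it, e.g. "Memory zeroing at allocation and free time is enabled (kernels 5.3 and newer); SLUB and page poisoning are used on older kernels.", so the package description matches what actually reaches the kernel command line.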
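Review bot: The two new bullets at @@ -106,6, "Page allocator freelist randomization is enabled." and "Kernel lockdown is enabled.", omit the kernel-version gates (5.2 and 5.4) that the grub.d file applies, and the lockdown bullet does not say which mode. Since `lockdown=confidentiality` goes beyond integrity mode and also stops userspace from reading kernel memory (for example through /proc/kcore, kprobes, perf and BPF kernel reads), which affects debugging and tracing tools, the description should name the mode and the minimum version, e.g. "Kernel lockdown in confidentiality mode is enabled on kernels 5.4 and newer."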
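Review bot: Two problems in the @@ -1,18 +1,29 hunk. First, the else branch appends a second `slub_debug=P` after the unconditional `slub_debug=FZ` that is already on the line; the kernel parses each `slub_debug=` occurrence separately and the last one wins rather than the flags being merged, so on a pre-5.3 kernel `P` replaces `FZ` instead of adding to it. Build one value instead, e.g. set a variable to `FZ`, append `P` in the else branch, and emit a single `slub_debug=${slub_flags}` after the if/else. Second, `kver="$(uname -r)"` is the kernel running when grub-mkconfig is executed, not the kernel being booted, and GRUB_CMDLINE_LINUX is applied to every menu entry: after a kernel upgrade the new parameters only appear once the config is regenerated under the new kernel, and a rollback entry boots with parameters that kernel ignores. This limitation should at least be stated in the comment. Minor: `init_on_{,alloc,free}` should read `init_on_{alloc,free}`.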
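Review bot: In the @@ -24,3 +35,16 hunk the two version checks guard only the kernel version, not whether the booted kernel was built with the feature, and both parameters are silently ignored when it was not: `page_alloc.shuffle=1` needs CONFIG_SHUFFLE_PAGE_ALLOCATOR, and `lockdown=confidentiality` needs the lockdown LSM (CONFIG_SECURITY_LOCKDOWN_LSM) built in and enabled. Worth stating in the comments, together with how to confirm after boot: `/sys/kernel/security/lockdown` shows the active mode when the LSM is present, and the kernel logs operations that lockdown denied. For `vsyscall=none`, the comment should also mention the compatibility consequence: any program still using the legacy vsyscall page (typically very old statically linked binaries) will crash, and the kernel reports such attempts in dmesg so they can be identified.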