This commit is contained in:
raja-grewal 2025-11-03 15:44:42 +11:00 committed by GitHub
commit b89e92c89f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 22 additions and 4 deletions


@ -156,6 +156,8 @@ CPU mitigations:
- Spectre Side Channels (BTI and BHI) - Spectre Side Channels (BTI and BHI)
- Meltdown
- Speculative Store Bypass (SSB) - Speculative Store Bypass (SSB)
- L1 Terminal Fault (L1TF) - L1 Terminal Fault (L1TF)
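Review bot: the new `- Meltdown` entry is the only item in this list that gives no further qualification, while the config comments in this same commit scope the mitigation by architecture (`kpti=1` for ARM64 in 40_cpu_mitigations.cfg, `pti=on` for X86_64 in 40_kernel_hardening.cfg) and name it "Spectre Variant 3"; consider `- Meltdown (Spectre Variant 3)` so the list matches the naming used in the .cfg comments and readers can find the corresponding block.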
@ -206,8 +208,8 @@ Kernel space:
- Enable the kernel page allocator to randomize free lists to limit some data - Enable the kernel page allocator to randomize free lists to limit some data
exfiltration and ROP attacks, especially during the early boot process. exfiltration and ROP attacks, especially during the early boot process.
- Enable kernel page table isolation to increase KASLR effectiveness and also - Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness
mitigate the Meltdown CPU vulnerability. and also mitigate the Meltdown CPU vulnerability.
- Enable randomization of the kernel stack offset on syscall entries to harden - Enable randomization of the kernel stack offset on syscall entries to harden
against memory corruption attacks. against memory corruption attacks.
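Review bot: narrowing the page table isolation bullet to "on X86_64 CPUs" is accurate for `pti=on`, but read on its own the Kernel space section now implies ARM64 gets no page table isolation at all, when this commit adds `kpti=1` for ARM64 in 40_cpu_mitigations.cfg; suggest appending "(ARM64 is covered under CPU mitigations via `kpti=1`)" or a similar pointer so the two sections are not read as contradicting each other.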


@ -71,10 +71,24 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
## Meltdown:
## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
## Force enable PTI of user and kernel address spaces on all cores.
## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
## Currently affects ARM64 CPUs.
##
## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
## KSPP=yes
## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
## Speculative Store Bypass (SSB): ## Speculative Store Bypass (SSB):
## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
## Unconditionally enable the mitigation for both kernel and userspace. ## Unconditionally enable the mitigation for both kernel and userspace.
## Currently affects both AMD and Intel CPUs. ## Currently affects AMD, ARM64, and Intel CPUs.
## ##
## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
## https://www.suse.com/support/kb/doc/?id=000019189 ## https://www.suse.com/support/kb/doc/?id=000019189
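Review bot: the comment on `kpti=1` should state the two things a reader checking this setting will otherwise trip over. First, `kpti=` is an ARM64-only kernel parameter, so on X86_64 kernels it is not recognised and is logged as an unknown command line parameter passed through to user space; that warning is harmless, but the comment should say so (the `pti=on` cross-reference is good, a line such as "## Ignored on X86_64 CPUs." would close the gap). Second, "Force enable PTI ... on all cores" understates the trade-off: the ARM64 default already enables KPTI on cores that report needing it, so `kpti=1` additionally forces it on cores the kernel considers unaffected, at a performance cost; the neighbouring SSB block spells out its "unconditionally enable" choice, and this block should do the same. A one-line verification hint would also help, since the effect is only visible after reboot: `/sys/devices/system/cpu/vulnerabilities/meltdown` should report `Mitigation: PTI`.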


@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
## Mitigates the Meltdown CPU vulnerability. ## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
## ##
## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
## ##
## KSPP=yes ## KSPP=yes
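Review bot: the new cross-reference line says ARM64 is handled by `kpti=1` elsewhere, but this block still never states that the parameter it sets applies only to X86_64, which is the fact a reader needs to know that nothing is missing on either architecture; suggest adding "## Currently affects X86_64 CPUs." after the Spectre Variant 3 line, matching the "Currently affects ..." convention the blocks in 40_cpu_mitigations.cfg use (the new Meltdown block there carries "## Currently affects ARM64 CPUs."). The added Wikipedia link duplicates the one in the other file, which is fine since each .cfg is meant to be readable on its own.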