From 15d13a8571d1f38b2bc36387f61bce24c86be97b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:36:04 +0000 Subject: [PATCH 1/2] Add info on DBX updates via the UEFI Revocation List --- README.md | 9 ++++++--- etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 06f31d9..74bfa0f 100644 --- a/README.md +++ b/README.md @@ -138,9 +138,12 @@ configuration file and significant hardening is applied to a myriad of component Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve -complete protection for known CPU vulnerabilities, the latest security microcode -(BIOS/UEFI) updates must also be installed on the system. +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. + +Note, to achieve complete protection for known CPU vulnerabilities, the latest +security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, +if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept +up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 06bcb88..9b29760 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -26,6 +26,13 @@ ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. ## The parameters below only provide (partial) protection at both the kernel and user space level. +## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. +## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. +## If using compatible hardware, the database can be updated directly in user space using fwupd. +## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://uefi.org/revocationlistfile +## https://github.com/fwupd/fwupd + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From 4b1e530674146d4d2b62ff4a87fe3add5667403c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:39:06 +0000 Subject: [PATCH 2/2] README.md: List CPU mitigations --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 74bfa0f..2b4904a 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,38 @@ security microcode (BIOS/UEFI) updates must be installed on the system. Furtherm if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +CPU mitigations: + +- Disable Simultaneous Multithreading (SMT) + +- Spectre Side Channels (BTI and BHI) + +- Speculative Store Bypass (SSB) + +- L1 Terminal Fault (L1TF) + +- Microarchitectural Data Sampling (MDS) + +- TSX Asynchronous Abort (TAA) + +- iTLB Multihit + +- Special Register Buffer Data Sampling (SRBDS) + +- L1D Flushing + +- Processor MMIO Stale Data + +- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) + +- Cross-Thread Return Address Predictions + +- Speculative Return Stack Overflow (SRSO) + +- Gather Data Sampling (GDS) + +- Register File Data Sampling (RFDS) + Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file.