Merge pull request #296 from raja-grewal/cpu_details

Hardware-related Documentation
Patrick Schleizer 2025-01-29 09:35:50 -05:00 committed by GitHub
commit b9dee26331
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 3 deletions

@ -138,9 +138,44 @@ configuration file and significant hardening is applied to a myriad of component
Mitigations for known CPU vulnerabilities are enabled in their strictest form Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
complete protection for known CPU vulnerabilities, the latest security microcode
(BIOS/UEFI) updates must also be installed on the system. Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
CPU mitigations:
- Disable Simultaneous Multithreading (SMT)
- Spectre Side Channels (BTI and BHI)
- Speculative Store Bypass (SSB)
- L1 Terminal Fault (L1TF)
- Microarchitectural Data Sampling (MDS)
- TSX Asynchronous Abort (TAA)
- iTLB Multihit
- Special Register Buffer Data Sampling (SRBDS)
- L1D Flushing
- Processor MMIO Stale Data
- Arbitrary Speculative Code Execution with Return Instructions (Retbleed)
- Cross-Thread Return Address Predictions
- Speculative Return Stack Overflow (SRSO)
- Gather Data Sampling (GDS)
- Register File Data Sampling (RFDS)
Boot parameters relating to kernel hardening, DMA mitigations, and entropy Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
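Review bot: the README text in this hunk says the mitigations are "enabled in their strictest form", while the header comment added to 40_cpu_mitigations.cfg in the same PR says it enables "a subset of known mitigations for some CPU vulnerabilities" and gives only "(partial) protection"; pick one wording so the user guide and the config file do not contradict each other. The new "CPU mitigations:" list also mixes one action ("Disable Simultaneous Multithreading (SMT)") with vulnerability class names and, for "L1D Flushing", a mitigation technique; consider listing the vulnerabilities only and, next to each, the boot parameter from 40_cpu_mitigations.cfg that addresses it, so a reader can check the list against the file the paragraph points to. Finally, the added DBX sentence says the database "must be kept up to date" but not how; the config comment in this PR names fwupd for that, so mention it here as well.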

@ -26,6 +26,13 @@
## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
## The parameters below only provide (partial) protection at both the kernel and user space level. ## The parameters below only provide (partial) protection at both the kernel and user space level.
## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
## If using compatible hardware, the database can be updated directly in user space using fwupd.
## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
## ##
## KSPP=yes ## KSPP=yes
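Review bot: the warning "incorrectly performing DBX updates can potentially lead to serious functionality issues" does not say what can break; since the line before it states that DBX holds signatures of revoked software "used in booting systems", say that the risk is to booting (a revocation that matches a boot component still installed on the machine) so users know what to check before applying an update. The fwupd line says the database "can be updated directly in user space" without naming the command or the procedure; either add the command or point to the fwupd documentation at the URL listed below. These seven lines about Secure Boot and DBX also sit in the header of a file whose parameters only cover CPU mitigations and SMT; one sentence noting that DBX is not configured by the parameters below and is mentioned only as another firmware-level prerequisite would avoid the impression that this file controls it.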