Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-03-13 10:26:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #296 from raja-grewal/cpu_details

Browse Source 
Hardware-related Documentation
This commit is contained in:
Patrick Schleizer 2025-01-29 09:35:50 -05:00 committed by GitHub
commit b9dee26331
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
README.md
View File

@ -138,9 +138,44 @@ configuration file and significant hardening is applied to a myriad of component
Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
complete protection for known CPU vulnerabilities, the latest security microcode
(BIOS/UEFI) updates must also be installed on the system.
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
CPU mitigations:
- Disable Simultaneous Multithreading (SMT)
- Spectre Side Channels (BTI and BHI)
- Speculative Store Bypass (SSB)
- L1 Terminal Fault (L1TF)
- Microarchitectural Data Sampling (MDS)
- TSX Asynchronous Abort (TAA)
- iTLB Multihit
- Special Register Buffer Data Sampling (SRBDS)
- L1D Flushing
- Processor MMIO Stale Data
- Arbitrary Speculative Code Execution with Return Instructions (Retbleed)
- Cross-Thread Return Address Predictions
- Speculative Return Stack Overflow (SRSO)
- Gather Data Sampling (GDS)
- Register File Data Sampling (RFDS)
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`

7
etc/default/grub.d/40_cpu_mitigations.cfg
View File

@ -26,6 +26,13 @@
## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
## The parameters below only provide (partial) protection at both the kernel and user space level.
## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
## If using compatible hardware, the database can be updated directly in user space using fwupd.
## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
##
## KSPP=yes