Merge 73d3da104b into 84408cb1a5

README.md

@@ -46,12 +46,12 @@ configuration file and significant hardening is applied to a myriad of component
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
-- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
-  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
-
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
   risk and impact of denial-of-service attacks and both cold and warm boot attacks.
 
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
+
 - Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting
   will force an immediate system reboot as opposed to placing any reliance on the oom_killer
   to avoid arbitrarily terminating security features based on their OOM score. Note this
@@ -224,9 +224,6 @@ Kernel space:
 - Enable the kernel page allocator to randomize free lists to limit some data
   exfiltration and ROP attacks, especially during the early boot process.
 
-- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase
-  KASLR effectiveness and also mitigate the Meltdown CPU vulnerability.
-
 - Enable randomization of the kernel stack offset on syscall entries to harden
   against memory corruption attacks.
 
@@ -236,15 +233,15 @@ Kernel space:
 - Restrict access to debugfs by not registering the file system since it can
   contain sensitive information.
 
-- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
-  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
-
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
   risk and impact of denial-of-service attacks and both cold and warm boot attacks.
 
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
+
 - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
   upon using out of specification hardware, bad page states, ACPI tables being overridden,
-  severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also
+  severe firmware bugs, in-kernel tests run, or mutating `fwctl` debug operations. It can also
   include the loading of proprietary or out-of-tree modules.
 
 - Prevent sensitive kernel information leaks in the console during boot.
@@ -262,14 +259,14 @@ Kernel space:
 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
   and other persistent data to either the UEFI variable storage or ACPI ERST backends.
 
-- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
-  cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
+- Restrict processes from modifying their own memory mappings unless actively done via
+  `ptrace()` for debugging in order to limit self-modification which can trigger exploits.
 
 - Prevent runaway privileged processes from writing to block devices that are mounted by
   filesystems to protect against filesystem corruption and kernel crashes.
 
-- Restrict processes from modifying their own memory mappings unless actively done via
-  `ptrace()` in order to limit self-modification which can trigger exploits.
+- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
+  cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
 
 Direct memory access:
 
@@ -283,16 +280,13 @@ Entropy:
 
 - Do not credit the CPU seeds as an entropy source at boot in order to maximize the
   absolute quantity of entropy in the combined pool. This is desirable for all
-  cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU
+  cryptographic operations to avoid reliance on proprietary RDRAND and RDSEED CPU
   instructions for random number generation that have long history of being defective.
 
 - Do not credit the bootloader seeds as an entropy source at boot to maximize the
   absolute quantity of entropy in the combined pool. This is desirable for all
   cryptographic operations as seeds passed by the bootloader could be tampered.
 
-- Obtain more entropy at boot from RAM as the runtime memory allocator is
-  being initialized.
-
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being
   initialized to maximize the absolute quantity of entropy in the combined pool.
 
@@ -321,15 +315,24 @@ there are a few cases of partial or non-compliance due to technical limitations.
 More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
 the KSPP's recommendations.
 
+**Partial compliance:**
+
+1. Kernel boot parameter `proc_mem.force_override=never`
+
+Restrict processes from modifying their own memory mappings by completely disables use of
+`/proc/PID/mem` to write to protected pages. Can be enabled easily if required.
+
+* [security-misc pull request #332](https://github.com/Kicksecure/security-misc/pull/332)
+
 **Non-compliance:**
 
-1. `sysctl user.max_user_namespaces=0`
+2. `sysctl user.max_user_namespaces=0`
 
 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
 
 * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
 
-2. `sysctl fs.binfmt_misc.status=0`
+3. `sysctl fs.binfmt_misc.status=0`
 
 Disables the registration of interpreters for miscellaneous binary formats. Currently not
 feasible due to compatibility issues with Firefox.
@@ -337,7 +340,7 @@ feasible due to compatibility issues with Firefox.
 * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
 * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)
 
-3. Kernel boot parameter `hash_pointers=always`
+4. Kernel boot parameter `hash_pointers=always`
 
 Force all exposed pointers to be hashed and must be used in combination with the already enabled
 `slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17.

etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared

@@ -9,8 +9,8 @@
 
 ## Enable known mitigations for CPU vulnerabilities.
 ## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
-## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://docs.kernel.org/admin-guide/hw-vuln/index.html
+## https://docs.kernel.org/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
 ## Check for potential updates directly from AMD and Intel.
@@ -41,7 +41,7 @@
 ##
 ## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
 ## https://github.com/secureblue/secureblue/issues/1405
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
+## https://docs.kernel.org/admin-guide/hw-vuln/attack_vector_controls.html
 ##
 ## KSPP=yes
 ## KSPP sets the kernel parameters.
@@ -56,7 +56,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## Disabling will significantly decrease system performance on multi-threaded tasks.
 ## Note, this setting will prevent re-enabling SMT via the sysfs interface.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/core-scheduling.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
 ##
@@ -76,24 +76,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 ## Enable mitigation for the Intel branch history injection vulnerability.
 ## Currently affects both AMD and Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+## https://docs.kernel.org/admin-guide/hw-vuln/spectre.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
 ## Meltdown:
 ## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
-## Force enable PTI of user and kernel address spaces on all cores.
-## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
-## Currently affects ARM64 CPUs.
+## Enables kernel PTI to harden against kernel ASLR (KASLR) bypasses.
+## Force enables PTI of user and kernel address spaces on all ARM cores.
+## Currently affects AMD, ARM64, and Intel CPUs.
 ##
 ## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes
-## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+## KSPP sets the second kernel parameter, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
@@ -111,7 +112,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 ## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+## https://docs.kernel.org/admin-guide/hw-vuln/l1tf.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
@@ -120,7 +121,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
 ## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+## https://docs.kernel.org/admin-guide/hw-vuln/mds.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 
@@ -129,7 +130,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 ## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+## https://docs.kernel.org/admin-guide/hw-vuln/tsx_async_abort.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
@@ -138,7 +139,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
 ## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+## https://docs.kernel.org/admin-guide/hw-vuln/multihit.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 
@@ -146,14 +147,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## Mitigation of the vulnerability is only possible via microcode update from Intel.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
 
 ## L1D Flushing:
 ## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+## https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 
@@ -161,7 +162,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 ## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+## https://docs.kernel.org/admin-guide/hw-vuln/processor_mmio_stale_data.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 
@@ -180,7 +181,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## Mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects AMD Zen 1-2 CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
+## https://docs.kernel.org/admin-guide/hw-vuln/cross-thread-rsb.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 
@@ -188,7 +189,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 ## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
 ## Currently affects AMD Zen 1-4 CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+## https://docs.kernel.org/admin-guide/hw-vuln/srso.html
 ##
 ## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach.
@@ -201,7 +202,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 ## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/gather_data_sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 
@@ -209,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 ## Mitigate the vulnerability by appropriately clearing the CPU buffer.
 ## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 
@@ -217,7 +218,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 ## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+## https://docs.kernel.org/admin-guide/hw-vuln/indirect-target-selection.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
 
@@ -226,6 +227,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
 ## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
 ## Currently affects both AMD and Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
+## https://docs.kernel.org/admin-guide/hw-vuln/vmscape.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -18,7 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 4. Networking
 
 ## See the documentation below for details on the majority of the selected commands:
-## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://docs.kernel.org/admin-guide/kernel-parameters.html
 ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
 
 ## 1. Kernel Space:
@@ -45,7 +45,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
 ## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
 ##
-## https://www.kernel.org/doc/html/latest/mm/slub.html
+## https://docs.kernel.org/mm/slub.html
 ## https://www.kernel.org/doc/Documentation/vm/slub.txt
 ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
@@ -86,18 +86,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
-## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
-## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
-## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
-##
-## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
-## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
-##
-## KSPP=yes
-## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
-##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
-
 ## Enable randomization of the kernel stack offset on syscall entries.
 ## Hardens against memory corruption attacks due to increased entropy.
 ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
@@ -128,6 +116,20 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## Note that this must be used with panic=-1 for it to function as intended.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
+
 ## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
 ## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
@@ -151,18 +153,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
 
-## Force immediate system reboots on the occurrence of a single kernel panic.
-## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
-## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
-##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
-##
-## See /usr/libexec/security-misc/panic-on-oops for implementation.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
-
 ## Force the kernel to immediately panic if it becomes tainted.
 ## Using kernel documentation, one can select a subset of taints to create a security policy.
 ## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
@@ -177,7 +167,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## All must first be tested to ensure there are no pre-existing issues on user hardware.
 ## After confirming stability this reduces attack surface.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
+## https://docs.kernel.org/admin-guide/tainted-kernels.html
 ## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
 ## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
 ## https://github.com/Kicksecure/security-misc/pull/339
@@ -190,7 +180,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
@@ -203,7 +193,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Aims to have very low processing overhead at each sampling interval.
 ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
 ##
-## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+## https://docs.kernel.org/dev-tools/kfence.html
 ## https://google.github.io/kernel-sanitizers/KFENCE.html
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
 ## https://lwn.net/Articles/835542/
@@ -275,6 +265,33 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 
+## Restrict processes from modifying their own memory mappings.
+## Prevents using /proc/PID/mem to write to protected pages unless via ptrace() for debugging.
+## Increases the difficulty in tricking applications into overwriting their own memory.
+## Limit self-modification which can be used trigger race condition vulnerabilities.
+##
+## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
+## https://lwn.net/Articles/983169/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
+## https://github.com/Kicksecure/security-misc/issues/330
+##
+## KSPP=partial
+## KSPP sets the stricter kernel parameter proc_mem.force_override=never.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
+
+## Prevent processes from writing to block devices that are mounted by filesystems.
+## Enhances system stability and security by protecting against runaway privileged processes.
+## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
+## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
+## May lead to breakages in certain limited scenarios.
+##
+## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
+## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
+
 ## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
 ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
 ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
@@ -287,7 +304,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## May cause boot failure on certain hardware with incompatible DMA masks especially if IOMMU is disabled.
 ##
 ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
-## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
+## https://docs.kernel.org/virt/kvm/x86/amd-memory-encryption.html
 ## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
 ## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
 ## https://github.com/AMDESE/AMDSEV
@@ -304,32 +321,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1"
 
-## Prevent processes from writing to block devices that are mounted by filesystems.
-## Enhances system stability and security by protecting against runaway privileged processes.
-## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
-## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
-## May lead to breakages in certain limited scenarios.
-##
-## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
-## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
-## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
-##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
-
-## Restrict processes from modifying their own memory mappings.
-## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's
-## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into
-## overwriting their own memory.
-##
-## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
-## https://lwn.net/Articles/983169/
-## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
-## https://github.com/Kicksecure/security-misc/issues/330
-##
-## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides.
-##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
-
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
@@ -349,6 +340,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
 ## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
 ## https://en.wikipedia.org/wiki/DMA_attack
 ## https://lenovopress.lenovo.com/lp1467.pdf
+## https://www.kb.cert.org/vuls/id/382314
 ##
 ## KSPP=yes
 ## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
@@ -432,7 +424,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## Disable the entire IPv6 stack functionality.
 ## Removes attack surface associated with the IPv6 module.
 ##
-## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://docs.kernel.org/networking/ipv6.html
 ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.

etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared

@@ -19,7 +19,7 @@ GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## For easier debugging, these are not applied to the recovery boot option.

etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared

@@ -87,7 +87,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Disabling it may lead to breakages in various components without clear debugging/error messages.
 ## It may affect firmware updates, security, power management, display, and DRM.
 ##
-## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+## https://docs.kernel.org/driver-api/mei/mei.html
 ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
 ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813

usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared

@@ -12,7 +12,7 @@
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://docs.kernel.org/admin-guide/LSM/Yama.html#ptrace-scope
 ## https://en.wikipedia.org/wiki/Ptrace
 ## https://grapheneos.org/features#attack-surface-reduction
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928

usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared

@@ -11,7 +11,7 @@
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ##
 kernel.printk=3 3 3 3
 

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -20,12 +20,12 @@
 ## 5. Networking
 
 ## For detailed explanations of most of the selected commands, refer to:
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html
-## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html
+## https://docs.kernel.org/admin-guide/sysctl/abi.html
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html
+## https://docs.kernel.org/admin-guide/sysctl/fs.html
+## https://docs.kernel.org/admin-guide/sysctl/net.html
+## https://docs.kernel.org/admin-guide/sysctl/vm.html
+## https://docs.kernel.org//networking/ip-sysctl.html
 
 ## 1. Kernel Space:
 ##
@@ -55,7 +55,7 @@ kernel.dmesg_restrict=1
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ##
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
@@ -109,7 +109,7 @@ vm.unprivileged_userfaultfd=0
 ## Disable the SysRq key to prevent leakage of kernel information.
 ## The Secure Attention Key (SAK) can no longer be utilized.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+## https://docs.kernel.org/admin-guide/sysrq.html
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
@@ -157,7 +157,7 @@ kernel.sysrq=0
 ## The performance events system should not be accessible by unprivileged users.
 ## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
+## https://docs.kernel.org/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
 ## KSPP=yes
@@ -165,6 +165,16 @@ kernel.sysrq=0
 ##
 kernel.perf_event_paranoid=3
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+kernel.panic=-1
+
 ## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
 ## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
@@ -183,21 +193,13 @@ kernel.perf_event_paranoid=3
 ## KSPP=yes
 ## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
 ##
+## Note that this must be used with kernel.panic=-1 for it to function as intended.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.oops_limit=1
 #kernel.warn_limit=1
 
-## Force immediate system reboots on the occurrence of a single kernel panic.
-## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
-## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
-##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
-##
-kernel.panic=-1
-
 ## Force immediate kernel panic on OOM (out of memory) scenarios.
 ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
 ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated.
@@ -226,7 +228,7 @@ kernel.panic=-1
 ## These are valuable for high-reliability systems where data integrity is critical.
 ##
 ## https://en.wikipedia.org/wiki/Non-maskable_interrupt
-## https://www.kernel.org/doc/html/latest/trace/events-nmi.html
+## https://docs.kernel.org/trace/events-nmi.html
 ## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts
 ##
@@ -282,7 +284,7 @@ abi.vsyscall32=0
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://docs.kernel.org/admin-guide/LSM/Yama.html#ptrace-scope
 ## https://en.wikipedia.org/wiki/Ptrace
 ## https://grapheneos.org/features#attack-surface-reduction
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
@@ -378,7 +380,7 @@ vm.max_map_count=1048576
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+## https://docs.kernel.org/admin-guide/binfmt-misc.html
 ## https://salsa.debian.org/debian/binfmt-support
 ## https://access.redhat.com/solutions/1985633
 ## https://en.wikipedia.org/wiki/Binfmt_misc