From c1a0da60beacd027c1c7c94ae44a9d7b1ab708b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 00:46:48 -0500 Subject: [PATCH] set kernel boot parameter `l1tf=full,force` and `nosmt=force` https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 --- debian/control | 2 ++ etc/default/grub.d/40_kernel_hardening.cfg | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/debian/control b/debian/control index b194240..6a97d69 100644 --- a/debian/control +++ b/debian/control @@ -70,6 +70,8 @@ Description: enhances misc security settings vulnerabilities. . * All mitigations for the MDS vulnerability are enabled. + . + * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b741b20..e8da9a2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -40,6 +40,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" + +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
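Review bot: the new package-description bullet in debian/control documents L1TF but says nothing about the other half of this commit, `nosmt=force`, which is the user-visible change here (it disables SMT for every workload, not only the L1TF/MDS paths already described). Suggest a second bullet next to "* Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability." along the lines of "* SMT (hyper-threading) is disabled unconditionally via `nosmt=force`." so users reading the package description understand why they see half the logical CPUs.

Review bot: in 40_kernel_hardening.cfg the comment above `l1tf=full,force` is only a URL, unlike the neighbouring `mds=full,nosmt` line which explains what the option does; suggest a one-line description (e.g. "## Enables L1TF mitigations, disables SMT and L1D flush runtime control."). Per the linked kernel document, `full,force` already implies `nosmt=force`, so the separate `nosmt=force` line below it is redundant; keeping it is harmless but its comment should say what it does (unconditionally disables SMT and blocks re-enabling it via sysfs) rather than point only at the forum thread, and the file should note the performance cost so the trade-off is recorded where the setting lives.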