Merge Meltdown mitigations for ARM64 and X86_64 CPUs

This commit is contained in:
raja-grewal 2025-12-29 07:24:32 +00:00 committed by GitHub
parent 61170e1c6a
commit cd0a59fd14
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 5 additions and 19 deletions

View file

@ -224,9 +224,6 @@ Kernel space:
- Enable the kernel page allocator to randomize free lists to limit some data
exfiltration and ROP attacks, especially during the early boot process.
- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase
KASLR effectiveness and also mitigate the Meltdown CPU vulnerability.
- Enable randomization of the kernel stack offset on syscall entries to harden
against memory corruption attacks.
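Review bot: the rewritten bullet covers both architectures but names neither parameter, so a reader of the README cannot tell which GRUB setting backs it; since the two settings now live side by side in one drop-in, name them here, e.g. "- Enable kernel page table isolation on x86_64 (pti=on) and ARM64 (kpti=1) CPUs to increase KASLR effectiveness and mitigate the Meltdown CPU vulnerability." Dropping the "also" in "and also mitigate" tightens the sentence as well.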

View file

@ -83,17 +83,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
## Meltdown:
## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
## Force enable PTI of user and kernel address spaces on all cores.
## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
## Currently affects ARM64 CPUs.
## Enables kernel PTI to harden against kernel ASLR (KASLR) bypasses.
## Force enables PTI of user and kernel address spaces on all ARM cores.
## Currently affects AMD, ARM64, and Intel CPUs.
##
## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
## KSPP=yes
## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
## KSPP sets the second kernel parameter, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Speculative Store Bypass (SSB):
## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
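Review bot: "## Currently affects AMD, ARM64, and Intel CPUs." is wrong for Meltdown; AMD processors are not affected, which is why the kernel does not select PTI on them by default, and pti=on only forces the mitigation on regardless of the CPU's vulnerability status. Reword along the lines of "## Affects Intel and some ARM64 cores; pti=on/kpti=1 force PTI on even where the kernel would not select it." The hunk also carries two near-identical descriptions of the same setting ("Force enable PTI of user and kernel address spaces on all cores." and "Force enables PTI of user and kernel address spaces on all ARM cores.") plus the cross-reference "Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on"", which is stale now that pti=on is set in this file; make sure only one description survives and the cross-reference is gone. "KSPP sets the second kernel parameter" ties the comment to line order; name the parameter instead: "## KSPP sets pti=on, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y." Finally, add a one-line comment stating that pti= is x86_64-only and kpti= is ARM64-only, so the parameter that does not apply is expected to be ignored on the other architecture and nobody treats that as a misconfiguration.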

View file

@ -86,18 +86,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
##
## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
## KSPP=yes
## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Enable randomization of the kernel stack offset on syscall entries.
## Hardens against memory corruption attacks due to increased entropy.
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
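Review bot: after this removal a deployment that installs only 40_kernel_hardening.cfg silently loses pti=on, which it previously set here, and nothing in the remaining text says where the setting went. If the two drop-ins are meant to be installed together, state that in this file's header; otherwise leave a one-line pointer in place of the removed block, mirroring the removed line that pointed the other way, e.g. "## Kernel page table isolation (pti=on, kpti=1) is set in /etc/default/grub.d/40_cpu_mitigations.cfg."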