From f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:28:39 +0000 Subject: [PATCH 1/4] Disable pstore processing by systemd-pstore service --- README.md | 5 +++++ usr/lib/systemd/pstore.conf.d/30_security-misc.conf | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 usr/lib/systemd/pstore.conf.d/30_security-misc.conf diff --git a/README.md b/README.md index 2b4904a..d47cf1d 100644 --- a/README.md +++ b/README.md @@ -413,6 +413,11 @@ Miscellaneous modules: `/lib/systemd/coredump.conf.d/30_security-misc.conf` +- PStore is disabled as crash logs can contain sensitive system data such as + kernel version, hostname, and users. See: + + `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` + - An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. This is implemented for `initramfs-tools` only because diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf new file mode 100644 index 0000000..9e513c6 --- /dev/null +++ b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[PStore] +Storage=none From df2fc2cf6b0437d23c7641118ebd24d2e3a670ce Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:30:04 +0000 Subject: [PATCH 2/4] Set `efi_pstore.pstore_disable=1` --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index d47cf1d..ebcfef5 100644 --- a/README.md +++ b/README.md 
@@ -226,6 +226,9 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and + other persistent data to the EFI variable store. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 748bf47..99f2d16 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -223,6 +223,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +## Disable EFI persistent storage feature. +## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## +## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system +## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ +## https://lwn.net/Articles/434821/ +## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html +## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 +## https://github.com/Kicksecure/security-misc/issues/299 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From f0d17c7e4134d8a54ce7331c1e9d3ce932278987 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:31:24 +0000 Subject: [PATCH 3/4] README: Fix a few links --- README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index ebcfef5..c51b776 100644 --- a/README.md +++ b/README.md 
@@ -228,7 +228,7 @@ Kernel space: - Disable EFI persistent storage feature, preventing the kernel from writing crash logs and other persistent data to the EFI variable store. - + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use @@ -403,7 +403,7 @@ Miscellaneous modules: `/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` +`/usr/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` @@ -412,21 +412,20 @@ Miscellaneous modules: `/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` +`/usr/lib/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` - PStore is disabled as crash logs can contain sensitive system data such as kernel version, hostname, and users. See: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init + is executed so sysctl hardening is enabled as early as possible. This is + implemented for `initramfs-tools` only because this is not needed for `dracut` + as `dracut` does that by default, at least on `systemd` enabled systems. Not + researched for non-`systemd` systems by the author of this part of the readme. ## Network hardening From aa0ffff42753f68e67bc92680a22986a5b9ef9e0 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Thu, 10 Apr 2025 11:49:45 +1000 Subject: [PATCH 4/4] README.md: Revert error --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c51b776..38cc8e0 100644 --- a/README.md +++ b/README.md @@ -421,11 +421,12 @@ Miscellaneous modules: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init - is executed so sysctl hardening is enabled as early as possible. This is - implemented for `initramfs-tools` only because this is not needed for `dracut` - as `dracut` does that by default, at least on `systemd` enabled systems. Not - researched for non-`systemd` systems by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening
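Review bot: The README line added in patch 1 ("PStore is disabled as crash logs can contain sensitive system data") overstates what the accompanying drop-in does: `Storage=none` only tells systemd-pstore not to archive records out of the pstore filesystem, it does not stop the kernel from writing crash records into the backend in the first place. Suggest wording it as "systemd-pstore archiving of crash records is disabled" and, since the entry directly above it refers to `/lib/systemd/coredump.conf.d/30_security-misc.conf`, use the same path prefix for both (patch 3 later moves the coredump entry to `/usr/lib/...`; better to land the README consistent from the start).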
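Review bot: In the new `usr/lib/systemd/pstore.conf.d/30_security-misc.conf`, `Storage=none` makes systemd-pstore exit without processing, which means `Unlink=` never takes effect and any records the kernel does write stay in `/sys/fs/pstore` (and in the underlying persistent store) indefinitely. From a data-exposure standpoint that is the opposite of clearing them, so the README or the file's header comment should say that retained records must be removed by some other means, or explain that the kernel-side parameter in patch 2 is what prevents the records from being created. Minor: the header reads `Copyright (C) 2025 - 2025`; a single year is the usual form when the range is one year.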
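Review bot: The README hunk in patch 2 adds a separator line containing a trailing space (the `+ ` line before `Direct memory access:`), which patch 3 then has to strip; fix it here so the series does not carry a whitespace-only change. The bullet text "Disable EFI persistent storage feature" also reads as if EFI variable storage in general were being turned off; `efi_pstore.pstore_disable=1` only keeps the EFI backend of pstore from registering, so "Disable the EFI backend of the kernel's pstore (persistent storage) facility" would be more accurate and would match the parameter name in the commit subject.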
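Review bot: The grub.d hunk in patch 2 should document the limit of the new setting: `efi_pstore.pstore_disable=1` disables only the efi-pstore backend, while other pstore backends (ramoops, ACPI ERST, pstore_blk) are unaffected and will still store crash records on systems that have them. It also does nothing about dump variables already present in EFI NVRAM from earlier crashes. Suggest a comment line such as `## Only the EFI backend is disabled; other pstore backends and pre-existing EFI dump variables are not affected.` so readers understand why the systemd-pstore `Storage=none` drop-in from patch 1 is kept alongside this parameter rather than made redundant by it.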
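Review bot: Patch 3 is titled "README: Fix a few links", but its last hunk rewrites the initramfs-hook paragraph to claim the hook applies `/usr/lib/sysctl.d/` instead of `/etc/sysctl.conf` and `/etc/sysctl.d`; that is a statement about what the hook actually reads, not a link fix, and nothing in the series changes the hook itself to justify it. Patch 4 reverts exactly this paragraph as an error, so the change should simply be dropped from patch 3 (keeping the genuine path fixes for `remove-system-map.service`, the sysctl drop-in and the coredump drop-in) rather than landing and then reverting.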
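Review bot: Patch 4 only undoes part of patch 3 within the same series, so the two should be squashed before merge; otherwise the history contains a commit whose README misdescribes which sysctl files the initramfs hook applies. If it is kept as a separate commit, the subject "README.md: Revert error" should name what is being reverted, e.g. "README: restore initramfs hook sysctl paths (/etc/sysctl.conf, /etc/sysctl.d)", so the reason is recoverable from the log.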