Patrick Schleizer 2024-07-17 08:39:20 -04:00
parent a2802f352f
commit d29a616142
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
4 changed files with 9 additions and 9 deletions


@ -109,9 +109,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## encompasses E-cores on hybrid architectures.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
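
Review bot: The last changed line of this hunk, GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on", is an active assignment rather than a comment, and its removed and added forms read identically here, as do the two copies of the "## Enable Register File Data Sampling" line. If the difference is trailing whitespace, please say so in the commit message and confirm the whitespace sat after the closing quote, so that the generated kernel command line is unchanged.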


@ -82,7 +82,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Also cause panics on machine check exceptions.
## Panics may be due to false-positives such as bad drivers.
##
##
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
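
Review bot: Style point on the comment block around the changed "##" line: "Can sometimes potentially indicate and thwart" stacks two hedges, and "Also cause panics on machine check exceptions." is missing its subject agreement. Since this block is being touched anyway, consider "Can indicate and thwart certain kernel exploitation attempts." and "Also causes panics on machine check exceptions." so the trade-off against the false-positive warning on the next line reads clearly.
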
@ -157,7 +157,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
## Numerous implementations of RDRAND have a long history of being defective.
## Numerous implementations of RDRAND have a long history of being defective.
## The RNG seed passed by the bootloader could also potentially be tampered.
## Maximising the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
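
Review bot: The claim in the changed line, "Numerous implementations of RDRAND have a long history of being defective.", has no reference in the visible context, while other blocks touched by this commit cite a kernel.org or forum link. Since the line is being edited anyway, consider adding a link that documents the defects, so readers can judge why the CPU and bootloader seeds are not credited.
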
@ -191,10 +191,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Disable the entire IPv6 stack functionality.
## Removes attack surface associated with the IPv6 module.
##
##
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
##
## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
##
#ipv6.disable=1
#ipv6.disable=1
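
Review bot: The changed final line, "#ipv6.disable=1", is a bare kernel parameter, whereas the other entries in these files are shell assignments of the form GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ...". A user who removes only the "#" gets a line that is not a valid assignment, so the parameter would not reach the kernel command line; suggest writing it as #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1". Separately, the path "usr/lib/sysctl.d/990-security-misc.conf" two lines above lacks the leading slash that the other paths in this commit have.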


@ -1,7 +1,7 @@
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Remount Secure provides enhanced security via mmount options:
## Remount Secure provides enhanced security via mmount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
## Option A (No Security):
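
Review bot: The typo "mmount" in the changed line "## Remount Secure provides enhanced security via mmount options:" is present in both the removed and the added form, so this edit carries it forward. Please correct it to "mount options" in the same change.
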
@ -20,6 +20,6 @@
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
## Option D (Highest Security)
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
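
Review bot: Style point on the heading above the changed line: "## Option D (Highest Security)" has no trailing colon, while "## Option A (No Security):" in the same file does. Suggest making the option headings consistent while this block is being edited.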


@ -26,4 +26,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
## For Increased Log Verbosity:
## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
## Alternatively, installing the debug-misc package will undo these settings.
## Alternatively, installing the debug-misc package will undo these settings.
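
Review bot: The changed line "## Alternatively, installing the debug-misc package will undo these settings." does not say which settings are meant. The visible context mentions both the "quiet" kernel parameter in the hunk header and the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf, so it would help to name the ones debug-misc reverts.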