diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 946f2a4..b69dfe0 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -11,7 +11,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## 3. Entropy ## 4. Networking -## See the documentation below for details on the majority of the selected commands. +## See the documentation below for details on the majority of the selected commands: ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB @@ -37,10 +37,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Enable the kernel page allocator to randomise free lists. -## During early boot the page allocator has predictable FIFO behaviour for physical pages. +## Enable the kernel page allocator to randomize free lists. +## During early boot, the page allocator has predictable FIFO behavior for physical pages. ## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. -## Also improves performance by optimising memory-side cache utilisation. +## Also improves performance by optimizing memory-side cache utilization. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks 
@@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -## Enable randomisation of the kernel stack offset on syscall entries. +## Enable randomization of the kernel stack offset on syscall entries. ## Hardens against memory corruption attacks due to increased entropy. ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. ## @@ -96,7 +96,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## -## The default kernel setting will be utilised until provided sufficient evidence to modify. +## The default kernel setting will be utilized until provided sufficient evidence to modify. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" @@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" ## Disable the busmaster bit on all PCI bridges during the early boot process. -## Patches weak-point in some existing IOMMU implementations. +## Patches weak points in some existing IOMMU implementations. ## May lead to issues such as complete system boot failure on certain devices. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 
@@ -159,8 +159,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## The RDRAND CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. -## Maximising the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialise the RNG. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialize the RNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception @@ -175,7 +175,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" -## Obtain more entropy during boot as the runtime memory allocator is being initialised. +## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. ## Requires the linux-hardened kernel patch. ##
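Review bot: in the @@ -159 hunk the sentence "The RNG seed passed by the bootloader could also potentially be tampered." is left with a grammar slip that this spelling pass should catch while it is touching the surrounding lines: "tampered" needs its particle, so "could also be tampered with" (and "potentially" is redundant next to "could"). The rest of the hunk, the -ise to -ize changes on "Maximizing" and "initialize", is consistent with the rest of the patch.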
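Review bot: in the @@ -143 hunk, "Patches weak points in some existing IOMMU implementations." is grammatically fixed but still misleading, since a command-line option does not patch anything; the comment two lines below says the option is about disabling busmaster on PCI bridges during early boot, so "Works around weak points in some existing IOMMU implementations." states what the option actually does. Suggested line: `## Works around weak points in some existing IOMMU implementations.`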
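Review bot: in the @@ -96 hunk, "The default kernel setting will be utilized until provided sufficient evidence to modify." reads awkwardly even after the spelling change; since the line below keeps `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"` commented out, a plainer wording such as "The kernel default is kept until there is sufficient evidence to change it." says the same thing without the dangling "to modify".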