mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
spelling
This commit is contained in:
parent
f4da582aa3
commit
d454f36c63
@ -11,7 +11,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
|
|||||||
## 3. Entropy
|
## 3. Entropy
|
||||||
## 4. Networking
|
## 4. Networking
|
||||||
|
|
||||||
## See the documentation below for details on the majority of the selected commands.
|
## See the documentation below for details on the majority of the selected commands:
|
||||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||||
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
|
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
|
||||||
|
|
||||||
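Review bot: the colon is an improvement, but "the majority of the selected commands" is imprecise. Everything this file adds is a kernel boot parameter appended to GRUB_CMDLINE_LINUX, and the link on the very next line is kernel-parameters.html, so "parameters" would match both the content and the reference. Suggest `## See the documentation below for details on most of the selected parameters:`.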
@ -37,10 +37,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
|||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
||||||
|
|
||||||
## Enable the kernel page allocator to randomise free lists.
|
## Enable the kernel page allocator to randomize free lists.
|
||||||
## During early boot the page allocator has predictable FIFO behaviour for physical pages.
|
## During early boot, the page allocator has predictable FIFO behavior for physical pages.
|
||||||
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
|
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
|
||||||
## Also improves performance by optimising memory-side cache utilisation.
|
## Also improves performance by optimizing memory-side cache utilization.
|
||||||
##
|
##
|
||||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
||||||
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
||||||
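Review bot: the hardening claim in `## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.` does not follow from the mechanism the preceding lines describe. Shuffling the free lists randomizes the order in which physical pages are handed out; it does not move kernel text, so it gives nothing against a ROP chain built from known code addresses, and "data exfiltration" is not what a predictable FIFO page allocator enables. The accurate statement is narrower: fresh kernel allocations land in less predictable physical pages, which frustrates exploits that depend on a known allocation order. It would also help to record that `page_alloc.shuffle=` only exists when the kernel is built with CONFIG_SHUFFLE_PAGE_ALLOCATOR, so on kernels without that option this line has no effect.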
@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
|||||||
##
|
##
|
||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||||
|
|
||||||
## Enable randomisation of the kernel stack offset on syscall entries.
|
## Enable randomization of the kernel stack offset on syscall entries.
|
||||||
## Hardens against memory corruption attacks due to increased entropy.
|
## Hardens against memory corruption attacks due to increased entropy.
|
||||||
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
|
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
|
||||||
##
|
##
|
||||||
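Review bot: `## Hardens against memory corruption attacks due to increased entropy.` should say how much. The kernel-parameters entry for randomize_kstack_offset, which the following comment line paraphrases, puts it at roughly 5 bits of entropy per syscall entry, and the option is only available on kernels built with CONFIG_RANDOMIZE_KSTACK_OFFSET. Stating both keeps a reader from overestimating what this line buys, and the kernel-parameters anchor could be added under the `##` separator the way the mce block below links its reference.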
@ -96,7 +96,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
|||||||
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
|
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
|
||||||
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
||||||
##
|
##
|
||||||
## The default kernel setting will be utilised until provided sufficient evidence to modify.
|
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
||||||
##
|
##
|
||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
||||||
|
|
||||||
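Review bot: `## The default kernel setting will be utilized until provided sufficient evidence to modify.` is ungrammatical ("until there is sufficient evidence to change it") and, more importantly, never says what the commented-out `mce=0` line would change, so nobody reading this later can tell what evidence would be enough. A one-line description of the intended effect, taken from the linked machine-check page and placed next to the disabled line, would make the trade-off reviewable.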
@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
|
|||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
||||||
|
|
||||||
## Disable the busmaster bit on all PCI bridges during the early boot process.
|
## Disable the busmaster bit on all PCI bridges during the early boot process.
|
||||||
## Patches weak-point in some existing IOMMU implementations.
|
## Patches weak points in some existing IOMMU implementations.
|
||||||
## May lead to issues such as complete system boot failure on certain devices.
|
## May lead to issues such as complete system boot failure on certain devices.
|
||||||
##
|
##
|
||||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||||
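Review bot: "Patches weak points" is the wrong verb for a boot parameter; nothing is patched. Clearing the busmaster bit on the bridges works around the boot-time window, described in the linked commit, in which devices can still issue DMA before the IOMMU is protecting memory, so "Works around" fits. Since the next line warns of "complete system boot failure on certain devices", the comment should also tell the user how to recover: the same `efi=` parameter accepts `no_disable_early_pci_dma`, which leaves the busmaster bit set and can be added from the GRUB edit prompt on a machine that no longer boots.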
@ -159,8 +159,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
|||||||
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
|
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
|
||||||
## Numerous implementations of RDRAND have a long history of being defective.
|
## Numerous implementations of RDRAND have a long history of being defective.
|
||||||
## The RNG seed passed by the bootloader could also potentially be tampered.
|
## The RNG seed passed by the bootloader could also potentially be tampered.
|
||||||
## Maximising the entropy pool at boot is desirable for all cryptographic operations.
|
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
|
||||||
## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
|
## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
|
||||||
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
|
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
|
||||||
##
|
##
|
||||||
## https://en.wikipedia.org/wiki/RDRAND#Reception
|
## https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||||
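Review bot: `## These settings ensure additional entropy is obtained from other sources to initialize the RNG.` describes the effect slightly wrong, and the distinction matters for the boot-time caveat two lines later. `random.trust_cpu=off` and `random.trust_bootloader=off` do not stop the kernel from mixing RDRAND output and the bootloader seed into the pool; they stop the kernel from crediting those inputs as entropy, so the pool is not considered initialized until other sources have contributed enough. That is why boot, and anything blocking on getrandom() early, takes longer. Two wording points in the same block: "tampered" wants "tampered with", and "proprietary and closed-source" is an odd description of a CPU instruction; "undocumented and not independently auditable" is the actual concern.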
@ -175,7 +175,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
|||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
||||||
|
|
||||||
## Obtain more entropy during boot as the runtime memory allocator is being initialised.
|
## Obtain more entropy during boot as the runtime memory allocator is being initialized.
|
||||||
## Entropy will be extracted from up to the first 4GB of RAM.
|
## Entropy will be extracted from up to the first 4GB of RAM.
|
||||||
## Requires the linux-hardened kernel patch.
|
## Requires the linux-hardened kernel patch.
|
||||||
##
|
##
|
||||||
|
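Review bot: `## Requires the linux-hardened kernel patch.` should say what happens on a kernel without that patch, since this file is shipped to systems running stock distribution kernels: the parameter is not recognized there, the line it documents adds nothing, and the "first 4GB of RAM" claim only holds with the patch applied. Naming the linux-hardened option and linking its documentation under the `##` separator, as the other blocks in this file do, would let a user check whether their kernel honours it.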