From df2fc2cf6b0437d23c7641118ebd24d2e3a670ce Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 16 Mar 2025 03:30:04 +0000
Subject: [PATCH] Set `efi_pstore.pstore_disable=1`

---
 README.md                                  |  3 +++
 etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/README.md b/README.md
index d47cf1d..ebcfef5 100644
--- a/README.md
+++ b/README.md
@@ -226,6 +226,9 @@ Kernel space:
 - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface.
+- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and
+  other persistent data to the EFI variable store.
+
 Direct memory access:
 - Enable strict IOMMU translation to protect against some DMA attacks via the use
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 748bf47..99f2d16 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -223,6 +223,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+## Disable EFI persistent storage feature.
+## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store.
+##
+## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
+## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
+## https://lwn.net/Articles/434821/
+## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
+## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
+## https://github.com/Kicksecure/security-misc/issues/299
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
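Review bot: The new comment block in 40_kernel_hardening.cfg overstates what the parameter does: `efi_pstore.pstore_disable=1` only keeps the efi-pstore backend from registering with the kernel's pstore facility, so it neither stops EFI variables being written by other kernel paths nor disables pstore itself when another backend (ramoops, ACPI ERST) is present. Tighten the second header line to `## Prevents the kernel's pstore facility from using the EFI variable store as a backend for oops/panic records.` so readers do not expect broader coverage. The trade-off should also be stated, since it is the only one of the nearby options that discards post-crash evidence: with no pstore backend, a panic that precedes a log flush leaves no record, which hampers incident investigation and debugging of the other parameters in this file; a line such as `## Note: crash records that would otherwise survive a reboot are lost; keep a serial or netconsole log if forensics matters.` would document that. Unlike the ia32_emulation line just above, this one is enabled unconditionally rather than left commented for opt-in, which may be intended but is worth a sentence in the README entry as well.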