Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 19:06:20 -05:00
Code Issues Projects Releases Packages Wiki Activity

Temporarily revert IA32 doc updates

Browse source
This commit is contained in:
raja-grewal 2025-08-17 07:05:32 +00:00 committed by GitHub
parent 1f75426f07
commit e06b78a522
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -224,8 +224,9 @@ Kernel space:
since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory.
- Optional - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends.

5
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for all 32-bit x86 processes and syscalls.
## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@ -218,6 +218,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature.