Temporarily revert IA32 doc updates

raja-grewal 2025-08-17 07:05:32 +00:00 committed by GitHub
parent 1f75426f07
commit e06b78a522
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 3 deletions

@ -224,7 +224,8 @@ Kernel space:
since it may be slightly more resilient to attacks that are able to write since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory. arbitrary executables in memory.
- Optional - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends. and other persistent data to either the UEFI variable storage or ACPI ERST backends.
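Review bot: The new bullet reads "Disable support for all x86 processes and syscalls", which drops the "32-bit" qualifier the old text had and can be read as disabling x86 support as a whole. Keep "32-bit x86" in the wording and retain the new "(when using Linux kernel >= 6.7)" qualifier, so the README still describes the same scope as the "IA32 emulation" comment in the GRUB configuration file.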

@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## ##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for all 32-bit x86 processes and syscalls. ## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
## ##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
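Review bot: The rewritten header comment "Disable support for x86 processes and syscalls." no longer says "32-bit", while the very next line still says it "Unconditionally disables IA32 emulation". The two lines now disagree on scope; suggest restoring "all 32-bit x86 processes and syscalls" in the header so that a reader skimming only the first comment line does not take this option to affect 64-bit processes.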
@ -218,6 +218,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes ## KSPP=yes
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature. ## Disable EFI persistent storage feature.
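Review bot: The added "## TODO: Debian 13 Trixie" names a release but not the action that is pending, and the commit title calls this revert temporary. Spell out in the comment what is to be done and when (for example, which wording is to be restored once the condition is met), so the TODO can be closed without consulting the commit history. The note "Applicable when using Linux kernel >= 6.7" is useful; consider also stating that the ia32_emulation=0 line below stays commented out for that reason, since the parenthetical "retained here for future-proofing and completeness" does not say so explicitly.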