raja-grewal 2025-11-09 15:42:06 +11:00 committed by GitHub
commit e7310467df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 17 additions and 3 deletions


@ -145,6 +145,11 @@ Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto`
kernel boot parameter to perform CPU mitigations like many other distributions. This is
because it's use is both totally redundant and it does not apply all hardening settings
to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859.
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
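Review bot: the sentence explaining why `mitigations=auto` is not relied upon needs a wording fix: "because it's use is both totally redundant and it does not apply all hardening settings" should read "because its use is redundant and it does not apply all hardening settings" (possessive "its", and "both ... and it does not" is ungrammatical). The comparison "like many other distributions" also attaches ambiguously to "we do not rely"; suggest "unlike many other distributions, we do not rely on the kernel's default `mitigations=auto` boot parameter ...", which also makes clear that the default is the kernel's rather than something this package sets.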


@ -34,12 +34,21 @@
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
## Enable a subset of known default mitigations for some CPU vulnerabilities and disable SMT.
## Note that this redundant parameter simply applies each mitigation at the already applied default settings.
## The default values are not always the strictest and so we reapply each below to their highest setting.
## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations.
##
## KSPP=yes
## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
##
## KSPP=no
## KSPP sets the kernel parameters.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## WARNING: Do not enable this parameter, it is presented here only for educational purposes.
## WARNING: Parameters are applied consecutively and so do not ever move this setting down.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
## The only full mitigation of cross-HT attacks is to disable SMT.
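Review bot: the KSPP block now reads `## KSPP=no` immediately followed by `## KSPP sets the kernel parameters.`, which contradicts itself; either keep `KSPP=yes` with a note that the line is deliberately commented out here for the reason given above, or drop the "KSPP sets the kernel parameters." line. The two stated reasons for keeping the commented-out line also disagree ("We retain it here for completeness" in the header versus "presented here only for educational purposes" in the WARNING); pick one. Since commenting out `mitigations=auto,nosmt` also drops its `nosmt` component, the change depends on the separate SMT-disabling setting that follows ("Disable SMT as it has been the cause of ...") staying in place; stating that dependency in the comment would stop a future edit from removing one without the other.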