Merge remote-tracking branch 'raja/incomplete_cpu_mitigations' into arraybolt3/trixie-raja-merge

Aaron Rainbolt 2025-12-14 14:01:54 -06:00
commit e7e6d6d373
No known key found for this signature in database
GPG key ID: A709160D73C79109
2 changed files with 16 additions and 1 deletions


@ -155,6 +155,11 @@ Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto`
kernel boot parameter to perform CPU mitigations like many other distributions. This is
because it's use is both totally redundant and it does not apply all hardening settings
to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859.
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
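Review bot: the sentence beginning "This is because it's use is both totally redundant and it does not apply all hardening settings" has a possessive typo ("it's" should be "its") and a non-parallel "both ... and" construction; suggest "This is because its use is redundant here and because `mitigations=auto` does not apply all hardening settings at their strictest possible levels." It would also help the reader to say explicitly that the parameter is still set in `/etc/default/grub.d/40_cpu_mitigations.cfg` (the same commit keeps `mitigations=auto,nosmt` there) and that the per-vulnerability parameters which follow it are what raise each mitigation to its strictest setting, so "we do not rely on" is not read as "we do not set".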


@ -34,11 +34,21 @@
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
## Enable a subset of known default mitigations for some CPU vulnerabilities and disable SMT.
## Note that this redundant parameter simply applies each mitigation at the already applied default settings.
## The default values are not always the strictest and so we reapply each below to their highest setting.
## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations.
##
## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
## https://github.com/secureblue/secureblue/issues/1405
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
##
## KSPP=yes
## KSPP sets the kernel parameters.
##
## WARNING: Do not rely on this parameter, it is presented here only for educational purposes.
## WARNING: Parameters are applied consecutively and so do not ever move this setting down.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
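Review bot: the comment "WARNING: Do not rely on this parameter, it is presented here only for educational purposes" contradicts the line immediately below it, which does apply `mitigations=auto,nosmt` to `GRUB_CMDLINE_LINUX`; suggest "Do not rely on this parameter alone: it is retained for completeness and as documentation, while the per-vulnerability parameters below set each mitigation to its strictest level." The second warning, "Parameters are applied consecutively and so do not ever move this setting down", asserts an ordering dependency without saying what it is; since the file already links the kernel's attack_vector_controls documentation, cite the specific statement there about how `mitigations=` interacts with per-vulnerability options, or explain in one line why a later `mitigations=` would change the outcome, so future maintainers can verify the constraint rather than inherit it.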