diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index e95bd68..79b5ed6 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -1,7 +1,7 @@
 ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC
 ## See the file COPYING for copying conditions.
-## See the following links for a community discussion and overview regarding the selections.
+## See the following links for a community discussion and overview regarding the selections:
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
@@ -17,11 +17,11 @@
 ## 1. Hardware:
 ## Bluetooth:
-## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
+## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities.
 ##
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 ##
-## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
+## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability.
 ## https://github.com/Kicksecure/security-misc/pull/145
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
@@ -43,7 +43,7 @@
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 ## FireWire (IEEE 1394):
-## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks.
 ##
 ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
 ##
@@ -70,9 +70,9 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Intel Management Engine (ME):
 ## Partially disable the Intel ME interface with the OS.
-## ME functionality has increasing become more intertwined with basic Intel system operation.
-## Disabling may lead to breakages in numerous places without clear debugging/error messages.
-## May cause issues with firmware updates, security, power management, display, and DRM.
+## ME functionality has increasingly become intertwined with basic Intel system operation.
+## Disabling it may lead to breakages in various components without clear debugging/error messages.
+## It may affect firmware updates, security, power management, display, and DRM.
 ##
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
@@ -94,7 +94,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 #install microread_mei /usr/bin/disabled-intelme-by-security-misc
 ## Intel Platform Monitoring Technology (PMT) Telemetry:
-## Disable some functionality of the Intel PMT components.
+## Disable certain functionalities of the Intel PMT components.
 ##
 ## https://github.com/intel/Intel-PMT
 ##
@@ -103,7 +103,7 @@ install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
 ## Thunderbolt:
-## Disables Thunderbolt modules to prevent some DMA attacks.
+## Disable Thunderbolt modules to prevent certain DMA attacks.
 ##
 ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
 ##
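Review bot: The third rewritten line of the Intel ME comment, `## It may affect firmware updates, security, power management, display, and DRM.`, is more ambiguous and weaker than the line it replaces: "It" can be read as the ME itself rather than the act of disabling it, and "affect" drops the warning that "May cause issues with" carried. This comment is what an administrator reads before deciding whether to turn these rules on, so I would keep the subject explicit, for example `## Disabling it may also cause issues with firmware updates, security, power management, display, and DRM.`. The install lines the comment describes lie outside this hunk. The only one visible, `#install microread_mei` in the next hunk, is commented out, so it may also be worth stating in the block header whether the ME rules are active by default.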