Enable ia32_emulation=0

2025-12-25 20:24:34 -05:00 · 2025-08-17 07:08:08 +00:00 · 2025-08-17 07:08:08 +00:00 · f175d1961e
commit f175d1961e
parent c7bdca32c0
2 changed files with 3 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -225,8 +225,7 @@ Kernel space:
  since it may be slightly more resilient to attacks that are able to write
  arbitrary executables in memory.

- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
-  to reduce attack surface.
+- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface.

 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
  and other persistent data to either the UEFI variable storage or ACPI ERST backends.
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"

-## Disable support for x86 processes and syscalls.
+## Disable support for all 32-bit x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@ -218,10 +218,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"

 ## Disable EFI persistent storage feature.
 ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.