mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-27 23:00:43 -05:00
Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server: rename files
https://github.com/Kicksecure/security-misc/issues/187
This commit is contained in:
Patrick Schleizer
parent
2de10d5b7b
commit
f70550d015
132 changed files with 35 additions and 0 deletions
327
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
Normal file
327
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
Normal file
|
|
@ -0,0 +1,327 @@
|
|||
## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
kpkg="linux-image-$(dpkg --print-architecture)" || true
|
||||
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
|
||||
#echo "## kver: $kver"
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
||||
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
||||
|
||||
## This configuration file is split into 4 sections:
|
||||
## 1. Kernel Space
|
||||
## 2. Direct Memory Access
|
||||
## 3. Entropy
|
||||
## 4. Networking
|
||||
|
||||
## See the documentation below for details on the majority of the selected commands:
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
|
||||
|
||||
## 1. Kernel Space:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
|
||||
## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
|
||||
|
||||
## Disable merging of slabs with similar size.
|
||||
## Reduces the risk of triggering heap overflows.
|
||||
## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
|
||||
##
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
|
||||
## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
|
||||
## As a by product of debugging, this will implicitly disabling kernel pointer hashing.
|
||||
## Enabling will therefore leak exact and all kernel memory addresses to root.
|
||||
## Has the potential to cause a noticeable performance decrease.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/mm/slub.html
|
||||
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
|
||||
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
||||
## https://github.com/Kicksecure/security-misc/issues/253
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||
|
||||
## Zero memory at allocation time and free time.
|
||||
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
||||
## Mitigates use-after-free exploits by erasing sensitive information in memory.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
||||
|
||||
## Enable the kernel page allocator to randomize free lists.
|
||||
## During early boot, the page allocator has predictable FIFO behavior for physical pages.
|
||||
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
|
||||
## Also improves performance by optimizing memory-side cache utilization.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
||||
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
||||
|
||||
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
|
||||
## Mitigates the Meltdown CPU vulnerability.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||
|
||||
## Enable randomization of the kernel stack offset on syscall entries.
|
||||
## Hardens against memory corruption attacks due to increased entropy.
|
||||
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
|
||||
##
|
||||
## https://lkml.org/lkml/2019/3/18/246
|
||||
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
|
||||
|
||||
## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
|
||||
## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
|
||||
##
|
||||
## https://lwn.net/Articles/446528/
|
||||
## https://en.wikipedia.org/wiki/VDSO
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
||||
|
||||
## Restrict access to debugfs by not registering the file system.
|
||||
## Deactivated since the file system can contain sensitive information.
|
||||
##
|
||||
## https://lkml.org/lkml/2020/7/16/122
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
|
||||
## Force the kernel to immediately panic on "oopses".
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
## Oopses are serious but non-fatal errors.
|
||||
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
|
||||
## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
|
||||
|
||||
## Modify machine check exception handler.
|
||||
## Can decide whether the system should panic or not based on the occurrence of an exception.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
|
||||
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
|
||||
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
||||
##
|
||||
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
||||
|
||||
## Prevent sensitive kernel information leaks in the console during boot.
|
||||
## Must be used in combination with the kernel.printk sysctl.
|
||||
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
|
||||
## https://wiki.archlinux.org/title/silent_boot
|
||||
##
|
||||
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
||||
|
||||
## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
|
||||
## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
|
||||
## Aims to have very low processing overhead at each sampling interval.
|
||||
## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
|
||||
## https://google.github.io/kernel-sanitizers/KFENCE.html
|
||||
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
|
||||
## https://lwn.net/Articles/835542/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||
|
||||
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
|
||||
## Legacy compatibility feature for superseded glibc versions.
|
||||
##
|
||||
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
|
||||
## https://lists.openwall.net/linux-kernel/2014/03/11/3
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
|
||||
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
||||
## The default implementation is FineIBT as of Linux kernel 6.2.
|
||||
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
|
||||
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
|
||||
## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
|
||||
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
|
||||
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
|
||||
##
|
||||
## https://lwn.net/Articles/891976/
|
||||
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
|
||||
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
|
||||
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
|
||||
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
|
||||
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
|
||||
## https://docs.kernel.org/next/x86/shstk.html
|
||||
## https://source.android.com/docs/security/test/kcfi
|
||||
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
|
||||
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
|
||||
|
||||
## Disable support for all 32-bit x86 processes and syscalls.
|
||||
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
|
||||
##
|
||||
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
|
||||
|
||||
## Disable EFI persistent storage feature.
|
||||
## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
|
||||
## Prevents the kernel from writing crash logs and other persistent data to the storage backend.
|
||||
## Both the UEFI variable storage and ACPI ERST backends are deactivated.
|
||||
##
|
||||
## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
|
||||
## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
|
||||
## https://lwn.net/Articles/434821/
|
||||
## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
|
||||
## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
|
||||
## https://github.com/Kicksecure/security-misc/issues/299
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
|
||||
|
||||
## 2. Direct Memory Access:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
|
||||
|
||||
## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
|
||||
|
||||
## Enable and force use of IOMMU translation to protect against some DMA attacks.
|
||||
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
|
||||
## Ensures devices will never be able to access stale data contents.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
|
||||
## https://en.wikipedia.org/wiki/DMA_attack
|
||||
## https://lenovopress.lenovo.com/lp1467.pdf
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
||||
|
||||
## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
|
||||
## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
|
||||
## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
|
||||
## Assumes that the motherboard chipset and firmware are not malicious.
|
||||
## May cause complete boot failure on certain hardware with incompatible firmware.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
## https://mjg59.dreamwidth.org/54433.html
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
|
||||
## 3. Entropy:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
|
||||
|
||||
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
|
||||
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
|
||||
## Numerous implementations of RDRAND have a long history of being defective.
|
||||
## The RNG seed passed by the bootloader could also potentially be tampered.
|
||||
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
|
||||
## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
|
||||
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||
## https://systemd.io/RANDOM_SEEDS/
|
||||
## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
|
||||
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
|
||||
## https://x.com/pid_eins/status/1149649806056280069
|
||||
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
|
||||
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
|
||||
## https://github.com/NixOS/nixpkgs/pull/165355
|
||||
## https://lkml.org/lkml/2022/6/5/271
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
||||
|
||||
## Obtain more entropy during boot as the runtime memory allocator is being initialized.
|
||||
## Entropy will be extracted from up to the first 4GB of RAM.
|
||||
## Requires the linux-hardened kernel patch.
|
||||
##
|
||||
## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
|
||||
## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
|
||||
## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
|
||||
|
||||
## 4. Networking
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
|
||||
|
||||
## Disable the entire IPv6 stack functionality.
|
||||
## Removes attack surface associated with the IPv6 module.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
|
||||
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
|
||||
##
|
||||
## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
|
||||
Loading…
Add table
Add a link
Reference in a new issue