Commit Graph

91 Commits

Author SHA1 Message Date
raja-grewal
8f7768ce96
Add vendor links 2024-05-05 12:50:39 +00:00
raja-grewal
0c031a29d3
RFDS mitigation on Intel Atom CPUs (including E-cores) 2024-05-01 13:55:09 +10:00
raja-grewal
1122b3402c
GDS mitigation for CPUs 2024-05-01 13:50:42 +10:00
raja-grewal
c002bd62e8
Clarify use of mitigations=auto 2024-05-01 13:49:34 +10:00
raja-grewal
d89d7e8ef8
Add reference for RETBleed 2024-05-01 13:49:00 +10:00
raja-grewal
015dcc4212
Add reference for SSB 2024-05-01 13:48:13 +10:00
raja-grewal
de4f4be947
Merge spectre mitigations 2024-05-01 13:47:40 +10:00
raja-grewal
965c8641fd
Update BHI mitigation reference 2024-05-01 13:47:02 +10:00
raja-grewal
493576836c
BHI mitigation on Intel CPUs 2024-04-12 00:17:06 +10:00
Patrick Schleizer
af6c6971a7
comment 2024-03-04 06:33:51 -05:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation instead of amd_iommu=force_enable
because we set `iommu=force` already anyhow

fixes https://github.com/Kicksecure/security-misc/issues/175
2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix 2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness 2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg 2023-12-03 19:42:34 +00:00
Patrick Schleizer
97054b2b10
revert enabling kernel module signature enforcement
due to issues

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63

https://github.com/dell/dkms/issues/359
2023-11-03 15:55:17 -04:00
Patrick Schleizer
b6d53f698d
Revert "allow loading unsigned modules due to issues"
This reverts commit 661bcd8603.
2023-11-03 12:17:00 -04:00
Patrick Schleizer
f6d1346e2b
fix 2023-10-22 16:22:08 -04:00
Patrick Schleizer
11382881b5
comments 2023-10-22 16:12:26 -04:00
Patrick Schleizer
4288e10554
fix, rework remount-secure kernel parameters parsing 2023-10-22 13:25:31 -04:00
Patrick Schleizer
c409e3221e
implement remount-secure 2023-10-22 09:36:03 -04:00
Patrick Schleizer
d543825d85
comments 2023-10-21 12:24:59 -04:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
87c4e77c01
migrate to ram-wipe package 2023-01-09 06:23:00 -05:00
Raja Grewal
92669dba18
Comment out machine check exception 2022-08-21 23:02:44 +10:00
Patrick Schleizer
0c5b1e9f57
undo "force kernel to panic on "oopses"
because implemented differently already

https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
2022-07-23 07:49:56 -04:00
Raja Grewal
ca764d8de0
force kernel to panic on "oopses" 2022-07-20 04:06:35 +10:00
Raja Grewal
1660aaa6dd
update details around disabling SMT 2022-07-19 03:38:41 +10:00
Raja Grewal
bfd78a2c06
update SRBDS mitigation 2022-07-19 03:16:08 +10:00
Raja Grewal
c3ebb9160f
CPU mitigation - MMIO Stale Data 2022-07-19 02:33:16 +10:00
Raja Grewal
59e90ff122
CPU mitigation - L1D FLushing 2022-07-19 02:32:41 +10:00
Raja Grewal
8531fbf99d
CPU mitigation - SRBDS 2022-07-19 02:30:49 +10:00
Raja Grewal
73f1e23332
shuffle and rewording 2022-07-19 02:29:46 +10:00
Raja Grewal
a47922ad28
enforce of IOMMU TLB invalidation 2022-07-13 04:47:07 +10:00
Raja Grewal
33df16af80
disables random.trust_bootloader 2022-07-13 04:37:03 +10:00
Raja Grewal
d0779a96fc
add reference 2022-07-13 04:36:34 +10:00
Raja Grewal
74858d257b
enable randomize_kstack_offset 2022-07-13 04:34:35 +10:00
Raja Grewal
f572332108
disable slub_debug 2022-07-13 04:32:03 +10:00
Patrick Schleizer
1c0e071948
comments 2022-07-05 10:45:55 -04:00
Patrick Schleizer
5d47f5f74c
comments 2022-07-05 10:45:09 -04:00
Patrick Schleizer
435c689cf9
comments 2022-07-05 10:44:28 -04:00
Patrick Schleizer
c20d588d78
comments 2022-07-05 10:42:37 -04:00
Patrick Schleizer
b342ce930e
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg 2022-07-05 10:28:22 -04:00
Patrick Schleizer
67eaf8c916
comments 2022-06-29 11:40:38 -04:00
Patrick Schleizer
72908d6b0d
comments 2022-06-29 11:34:55 -04:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00