raja-grewal
|
b16c99ab62
|
Remove hardcoded spec_rstack_overflow setting
|
2024-01-29 13:39:40 +00:00 |
|
raja-grewal
|
139b10a9aa
|
Control RAS overflow mitigation on AMD Zen CPUs
|
2024-01-29 12:59:13 +00:00 |
|
raja-grewal
|
6c54e35027
|
Enable mitigations for RETBleed vulnerability and disable SMT
|
2024-01-29 12:58:51 +00:00 |
|
raja-grewal
|
4509a5fc95
|
Enable known mitigations for CPU vulnerabilities and disable SMT
|
2024-01-29 12:58:14 +00:00 |
|
raja-grewal
|
4231155efa
|
Add reference for kernel parameters
|
2024-01-29 12:57:48 +00:00 |
|
Patrick Schleizer
|
c9ea7a4dca
|
use amd_iommu=force_isolation instead of amd_iommu=force_enable
because we set `iommu=force` already anyhow
fixes https://github.com/Kicksecure/security-misc/issues/175
|
2023-12-04 11:02:55 -05:00 |
|
monsieuremre
|
f2ad8383cf
|
fix
|
2023-12-03 19:51:38 +00:00 |
|
monsieuremre
|
dd15823a97
|
undo superfluousness
|
2023-12-03 19:50:07 +00:00 |
|
monsieuremre
|
83e13bb62d
|
Update 40_enable_iommu.cfg
|
2023-12-03 19:42:34 +00:00 |
|
Patrick Schleizer
|
97054b2b10
|
revert enabling kernel module signature enforcement
due to issues
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63
https://github.com/dell/dkms/issues/359
|
2023-11-03 15:55:17 -04:00 |
|
Patrick Schleizer
|
b6d53f698d
|
Revert "allow loading unsigned modules due to issues"
This reverts commit 661bcd8603 .
|
2023-11-03 12:17:00 -04:00 |
|
Patrick Schleizer
|
f6d1346e2b
|
fix
|
2023-10-22 16:22:08 -04:00 |
|
Patrick Schleizer
|
11382881b5
|
comments
|
2023-10-22 16:12:26 -04:00 |
|
Patrick Schleizer
|
4288e10554
|
fix, rework remount-secure kernel parameters parsing
|
2023-10-22 13:25:31 -04:00 |
|
Patrick Schleizer
|
c409e3221e
|
implement remount-secure
|
2023-10-22 09:36:03 -04:00 |
|
Patrick Schleizer
|
d543825d85
|
comments
|
2023-10-21 12:24:59 -04:00 |
|
Raja Grewal
|
7a4212dd76
|
Update copyright
|
2023-03-30 17:08:47 +11:00 |
|
Patrick Schleizer
|
87c4e77c01
|
migrate to ram-wipe package
|
2023-01-09 06:23:00 -05:00 |
|
Raja Grewal
|
92669dba18
|
Comment out machine check exception
|
2022-08-21 23:02:44 +10:00 |
|
Patrick Schleizer
|
0c5b1e9f57
|
undo "force kernel to panic on "oopses"
because implemented differently already
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
2022-07-23 07:49:56 -04:00 |
|
Raja Grewal
|
ca764d8de0
|
force kernel to panic on "oopses"
|
2022-07-20 04:06:35 +10:00 |
|
Raja Grewal
|
1660aaa6dd
|
update details around disabling SMT
|
2022-07-19 03:38:41 +10:00 |
|
Raja Grewal
|
bfd78a2c06
|
update SRBDS mitigation
|
2022-07-19 03:16:08 +10:00 |
|
Raja Grewal
|
c3ebb9160f
|
CPU mitigation - MMIO Stale Data
|
2022-07-19 02:33:16 +10:00 |
|
Raja Grewal
|
59e90ff122
|
CPU mitigation - L1D FLushing
|
2022-07-19 02:32:41 +10:00 |
|
Raja Grewal
|
8531fbf99d
|
CPU mitigation - SRBDS
|
2022-07-19 02:30:49 +10:00 |
|
Raja Grewal
|
73f1e23332
|
shuffle and rewording
|
2022-07-19 02:29:46 +10:00 |
|
Raja Grewal
|
a47922ad28
|
enforce of IOMMU TLB invalidation
|
2022-07-13 04:47:07 +10:00 |
|
Raja Grewal
|
33df16af80
|
disables random.trust_bootloader
|
2022-07-13 04:37:03 +10:00 |
|
Raja Grewal
|
d0779a96fc
|
add reference
|
2022-07-13 04:36:34 +10:00 |
|
Raja Grewal
|
74858d257b
|
enable randomize_kstack_offset
|
2022-07-13 04:34:35 +10:00 |
|
Raja Grewal
|
f572332108
|
disable slub_debug
|
2022-07-13 04:32:03 +10:00 |
|
Patrick Schleizer
|
1c0e071948
|
comments
|
2022-07-05 10:45:55 -04:00 |
|
Patrick Schleizer
|
5d47f5f74c
|
comments
|
2022-07-05 10:45:09 -04:00 |
|
Patrick Schleizer
|
435c689cf9
|
comments
|
2022-07-05 10:44:28 -04:00 |
|
Patrick Schleizer
|
c20d588d78
|
comments
|
2022-07-05 10:42:37 -04:00 |
|
Patrick Schleizer
|
b342ce930e
|
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
|
2022-07-05 10:28:22 -04:00 |
|
Patrick Schleizer
|
67eaf8c916
|
comments
|
2022-06-29 11:40:38 -04:00 |
|
Patrick Schleizer
|
72908d6b0d
|
comments
|
2022-06-29 11:34:55 -04:00 |
|
Patrick Schleizer
|
2d37e3a1af
|
copyright
|
2022-05-20 14:46:38 -04:00 |
|
Patrick Schleizer
|
c72567dbd2
|
fix
|
2021-09-14 14:18:44 -04:00 |
|
Patrick Schleizer
|
d62bbaab82
|
fix, unduplicate kernel command line
|
2021-09-12 11:40:58 -04:00 |
|
Patrick Schleizer
|
bd31b4085c
|
remove Debian buster support in /etc/default/grub.d
|
2021-09-09 12:16:18 -04:00 |
|
Patrick Schleizer
|
ac0c492663
|
do not set kernel parameter quiet loglevel=0 for recovery boot option
for easier debugging
|
2021-09-06 08:22:55 -04:00 |
|
Patrick Schleizer
|
49902b8c56
|
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
|
2021-09-06 08:19:41 -04:00 |
|
Patrick Schleizer
|
db43cedcfd
|
LANG=C str_replace
|
2021-08-22 05:23:24 -04:00 |
|
Patrick Schleizer
|
a67007f4b7
|
copyright
|
2021-03-17 09:45:21 -04:00 |
|
madaidan
|
06ffd5d220
|
Restrict access to debugfs
|
2020-09-28 19:21:20 +00:00 |
|
Patrick Schleizer
|
6485df8126
|
Prevent kernel info leaks in console during boot.
add kernel parameter `quiet loglevel=0`
https://phabricator.whonix.org/T950
|
2020-04-23 12:26:31 -04:00 |
|
Patrick Schleizer
|
72228946dc
|
fix etc/default/grub.d/40_kernel_hardening.cfg
in Qubes if no kernel package is installed
|
2020-04-08 16:46:11 +00:00 |
|