## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" ## Disables the merging of slabs of similar sizes. ## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" if dpkg --compare-versions "$kver" ge "5.3"; then ## Enables sanity checks (F) and redzoning (Z). GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" #echo "## $kver grater or equal 5.3: yes" ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" else #echo "## $kver grater or equal 5.3: no" ## SLUB poisoning and page poisoning is used if the kernel ## does not yet support init_on_{,alloc,free}. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" if command -v "qubesdb-read" >/dev/null 2>&1 ; then ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 true "skip adding page_poison=1 in Qubes" else GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" fi fi ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Enables page allocator freelist randomization. if dpkg --compare-versions "${kver}" ge "5.2"; then GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" fi ## Enables kernel lockdown. ## ## Disabled for now as it enforces module signature verification which breaks ## too many things. ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 ## #if dpkg --compare-versions "${kver}" ge "5.4"; then # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" #fi ## Gather more entropy during boot. ## ## Requires linux-hardened kernel patch. ## https://github.com/anthraxx/linux-hardened GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 ## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"