Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
98e88d1456
security-misc/etc/default/grub.d/40_kernel_hardening.cfg
madaidan 98e88d1456
Detect kernel upgrades
2019-12-23 19:57:43 +00:00

59 lines
2.3 KiB
INI
Raw Blame History

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
kver="$(dpkg-query --show --showformat='${Version}' linux-image-amd64)"
#echo "## kver: $kver"
## Disables the merging of slabs of similar sizes.
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
## Enables sanity checks (F) and redzoning (Z).
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
## Zero memory at allocation and free time.
if dpkg --compare-versions "$kver" ge "5.3"; then
#echo "## $kver grater or equal 5.3: yes"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
else
#echo "## $kver grater or equal 5.3: no"
## SLUB poisoning and page poisoning is used if the kernel
## does not yet support init_on_{,alloc,free}.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
true "skip adding page_poison=1 in Qubes"
else
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
fi
fi
## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Enables all mitigations for the MDS vulnerability.
## Disables smt which can be used to exploit the MDS vulnerability.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
## Enables page allocator freelist randomization.
if dpkg --compare-versions "${kver}" ge "5.2"; then
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
fi
## Enables kernel lockdown.
##
## Disabled for now as it enforces module signature verification which breaks
## too many things.
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi
Reference in New Issue View Git Blame Copy Permalink