mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 15:07:11 -05:00
b6fe1a5a6e
Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant.
369 lines
17 KiB
Text
369 lines
17 KiB
Text
## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
kpkg="linux-image-$(dpkg --print-architecture)" || true
|
|
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
|
|
#echo "## kver: $kver"
|
|
|
|
## Definitions:
|
|
## KSPP=yes: compliant with recommendations by the KSPP
|
|
## KSPP=partial: partially compliant with recommendations by the KSPP
|
|
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
|
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
|
|
|
## This configuration file is split into 4 sections:
|
|
## 1. Kernel Space
|
|
## 2. Direct Memory Access
|
|
## 3. Entropy
|
|
## 4. Networking
|
|
|
|
## See the documentation below for details on the majority of the selected commands:
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
|
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
|
|
|
|
## 1. Kernel Space:
|
|
##
|
|
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
|
|
## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
|
|
|
|
## Disable merging of slabs with similar size.
|
|
## Reduces the risk of triggering heap overflows.
|
|
## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
|
|
##
|
|
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
|
|
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
|
|
|
## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption.
|
|
## Sanity checks force additional verification steps on every memory allocation and free operation.
|
|
## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries.
|
|
## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled.
|
|
## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
|
|
## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
|
|
##
|
|
## https://www.kernel.org/doc/html/latest/mm/slub.html
|
|
## https://www.kernel.org/doc/Documentation/vm/slub.txt
|
|
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
|
|
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
|
|
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
|
## https://github.com/Kicksecure/security-misc/issues/253
|
|
##
|
|
## KSPP=partial
|
|
## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
|
|
##
|
|
## TODO: Debian forky / 14
|
|
## The first parameter is applicable when using Linux kernel >= 6.17 (retained here for future-proofing and completeness).
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX hash_pointers=always"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
|
|
|
## Zero memory at allocation time and free time.
|
|
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
|
## Mitigates use-after-free exploits by erasing sensitive information in memory.
|
|
##
|
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
|
|
|
## Enable the kernel page allocator to randomize free lists.
|
|
## During early boot, the page allocator has predictable FIFO behavior for physical pages.
|
|
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
|
|
## Also improves performance by optimizing memory-side cache utilization.
|
|
##
|
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
|
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
|
|
|
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
|
|
## Mitigates the Meltdown CPU vulnerability.
|
|
##
|
|
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
|
|
|
## Enable randomization of the kernel stack offset on syscall entries.
|
|
## Hardens against memory corruption attacks due to increased entropy.
|
|
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
|
|
##
|
|
## https://lkml.org/lkml/2019/3/18/246
|
|
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
|
|
|
|
## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
|
|
## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
|
|
##
|
|
## https://lwn.net/Articles/446528/
|
|
## https://en.wikipedia.org/wiki/VDSO
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
|
|
|
## Restrict access to debugfs by not registering the file system.
|
|
## Deactivated since the file system can contain sensitive information.
|
|
##
|
|
## https://lkml.org/lkml/2020/7/16/122
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
|
|
|
## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
|
|
## Panics may be due to false-positives such as bad drivers.
|
|
## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
|
|
## Oopses are serious but non-fatal errors.
|
|
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
|
|
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
|
|
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
|
|
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
|
|
##
|
|
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
|
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
|
## https://lwn.net/Articles/876209/
|
|
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
|
|
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_PANIC_ON_OOPS=y.
|
|
##
|
|
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
|
|
|
|
## Force immediate system reboots on the occurrence of a single kernel panic.
|
|
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
|
|
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
|
|
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
|
|
##
|
|
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
|
|
|
|
## Modify machine check exception handler.
|
|
## Can decide whether the system should panic or not based on the occurrence of an exception.
|
|
##
|
|
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
|
|
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
|
|
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
|
##
|
|
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
|
|
|
## Prevent sensitive kernel information leaks in the console during boot.
|
|
## Must be used in combination with the kernel.printk sysctl.
|
|
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
|
|
##
|
|
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
|
|
## https://wiki.archlinux.org/title/silent_boot
|
|
##
|
|
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
|
|
|
## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
|
|
## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
|
|
## Aims to have very low processing overhead at each sampling interval.
|
|
## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
|
|
##
|
|
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
|
|
## https://google.github.io/kernel-sanitizers/KFENCE.html
|
|
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
|
|
## https://lwn.net/Articles/835542/
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
|
|
|
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
|
|
## Legacy compatibility feature for superseded glibc versions.
|
|
##
|
|
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
|
|
## https://lists.openwall.net/linux-kernel/2014/03/11/3
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
|
|
|
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
|
## The default implementation is FineIBT as of Linux kernel 6.2.
|
|
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
|
|
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
|
|
## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
|
|
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
|
|
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
|
|
##
|
|
## https://lwn.net/Articles/891976/
|
|
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
|
|
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
|
|
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
|
|
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
|
|
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
|
|
## https://docs.kernel.org/next/x86/shstk.html
|
|
## https://source.android.com/docs/security/test/kcfi
|
|
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
|
|
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameter.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
|
|
|
|
## Disable support for all 32-bit x86 processes and syscalls.
|
|
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
|
|
##
|
|
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
|
|
##
|
|
## KSPP=yes
|
|
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
|
|
|
|
## Disable EFI persistent storage feature.
|
|
## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
|
|
## Prevents the kernel from writing crash logs and other persistent data to the storage backend.
|
|
## Both the UEFI variable storage and ACPI ERST backends are deactivated.
|
|
##
|
|
## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
|
|
## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
|
|
## https://lwn.net/Articles/434821/
|
|
## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
|
|
## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
|
|
## https://github.com/Kicksecure/security-misc/issues/299
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
|
|
|
|
## 2. Direct Memory Access:
|
|
##
|
|
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
|
|
|
|
## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
|
|
|
|
## Enable and force use of IOMMU translation to protect against some DMA attacks.
|
|
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
|
|
## Ensures devices will never be able to access stale data contents.
|
|
##
|
|
## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
|
|
## https://en.wikipedia.org/wiki/DMA_attack
|
|
## https://lenovopress.lenovo.com/lp1467.pdf
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
|
|
|
## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
|
|
## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
|
|
## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
|
|
## Assumes that the motherboard chipset and firmware are not malicious.
|
|
## May cause complete boot failure on certain hardware with incompatible firmware.
|
|
##
|
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
|
## https://mjg59.dreamwidth.org/54433.html
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
|
|
|
## 3. Entropy:
|
|
##
|
|
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
|
|
|
|
## Do not credit the CPU seeds as an entropy sources at boot.
|
|
## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source.
|
|
## Numerous implementations of RDRAND and RDSEED have a long history of being defective.
|
|
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
|
|
## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
|
|
## Note that distrusting this (relatively fast) source of entropy will increase boot time.
|
|
##
|
|
## https://en.wikipedia.org/wiki/RDRAND
|
|
## https://systemd.io/RANDOM_SEEDS/
|
|
## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
|
|
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
|
|
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
|
|
## https://lkml.org/lkml/2022/6/5/271
|
|
## https://lwn.net/Articles/961121/
|
|
## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/
|
|
## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_RANDOM_TRUST_CPU=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
|
|
|
## Do not credit the bootloader seeds as an entropy source at boot.
|
|
## The RNG seed passed by the bootloader could potentially be tampered.
|
|
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
|
|
## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
|
|
## Note that distrusting this (relatively fast) source of entropy will increase boot time.
|
|
##
|
|
## https://systemd.io/RANDOM_SEEDS/
|
|
## https://github.com/NixOS/nixpkgs/pull/165355
|
|
## https://lkml.org/lkml/2022/6/5/271
|
|
##
|
|
## KSPP=yes
|
|
## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y.
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
|
|
|
## Obtain more entropy during boot as the runtime memory allocator is being initialized.
|
|
## Entropy will be extracted from up to the first 4GB of RAM as another source.
|
|
## Note that entropy extracted this way is not cryptographically secure and so is not credited.
|
|
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
|
|
## This will increase boot time due to interrupting the boot process.
|
|
## Requires the linux-hardened kernel patch.
|
|
##
|
|
## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
|
|
## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
|
|
## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
|
|
##
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
|
|
|
|
## 4. Networking
|
|
##
|
|
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
|
|
|
|
## Disable the entire IPv6 stack functionality.
|
|
## Removes attack surface associated with the IPv6 module.
|
|
##
|
|
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
|
|
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
|
|
##
|
|
## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
|
|
##
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
|