2019-05-05 21:42:03 +07:00
|
|
|
# Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
2019-05-06 03:17:33 +07:00
|
|
|
|
2019-05-06 16:51:14 +07:00
|
|
|
# Enables sanity checks (F), redzoning (Z) and poisoning (P).
|
2019-09-08 03:08:56 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
|
2019-05-06 03:17:33 +07:00
|
|
|
|
2019-05-06 16:51:14 +07:00
|
|
|
# Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
|
2019-05-06 03:17:33 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
|
|
|
|
|
|
2019-05-06 16:51:14 +07:00
|
|
|
# Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
|
2019-05-06 03:17:33 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
2019-06-24 00:54:34 +07:00
|
|
|
|
|
|
|
|
# Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
|
|
|
|
|
|
|
|
|
# Enables all mitigations for the MDS vulnerability.
|
2019-06-24 01:46:52 +07:00
|
|
|
# Disables smt which can be used to exploit the MDS vulnerability.
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
