## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## NOTE:
## This configuration is in a dedicated file because the ram-wipe package
## requires kexec. However, ram-wipe cannot ship a config file
## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'.
## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1',
## it cannot be undone without a reboot. This is an upstream Linux security feature.
## Instead, ram-wipe uses config-package-dev to 'hide' this file.

## Disables kexec, which can be used to replace the running kernel.
## kexec is useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_KEXEC.
##
kernel.kexec_load_disabled=1
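A POSIX sh audit helper, added here as an example (not code from this package or from ram-wipe): it reads the live value of kernel.kexec_load_disabled and lists sysctl.d fragments that try to set it back to 0, which the comments above explain cannot take effect once the value is 1. The proc path and fragment directory are parameters, so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# Added audit helper (example code, not part of this package or ram-wipe).
# Reports the live value of kernel.kexec_load_disabled and flags any
# sysctl.d fragment that tries to set it back to 0, which cannot take
# effect once the value is 1 (the one-way transition described above).
# Both paths are parameters so the functions can run on constructed data.

# Print the current value of the sysctl, or "missing" if it is unreadable.
# $1: path to the proc file (default: the real one).
kexec_load_disabled_value() {
    file="${1:-/proc/sys/kernel/kexec_load_disabled}"
    if [ -r "$file" ]; then
        tr -d '[:space:]' < "$file"
    else
        echo missing
    fi
}

# Scan *.conf fragments in directory $1 for kernel.kexec_load_disabled=0
# (also accepting the kernel/kexec_load_disabled spelling and spaces
# around '='; comments starting with # or ; are ignored, the last entry
# in a file wins). Prints "<file>=<value>" per offending fragment.
# Returns 0 when no fragment re-enables kexec loading, 1 otherwise.
find_kexec_reenable_fragments() {
    dir="$1"
    status=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        val=$(sed -e 's/[#;].*//' -e 's#/#.#g' \
                  -e 's/[[:space:]]*=[[:space:]]*/=/' "$f" \
              | grep '^[[:space:]]*kernel\.kexec_load_disabled=' \
              | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
        if [ "$val" = "0" ]; then
            echo "$f=$val"
            status=1
        fi
    done
    return $status
}

# Run against the live system when invoked with "--live".
if [ "${1-}" = "--live" ]; then
    echo "kernel.kexec_load_disabled=$(kexec_load_disabled_value)"
    find_kexec_reenable_fragments /etc/sysctl.d
fi
```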