From a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 03:58:23 +0000 Subject: [PATCH 01/13] Provide option to drop gratuitous ARP packets --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index c23d261..3404414 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,9 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..2bec703 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -526,3 +526,14 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 From c2aae73ce161811571e4c85609a0b043399c1b65 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:38:03 +0000 Subject: [PATCH 02/13] Add reference and move text --- README.md | 6 +++--- usr/lib/sysctl.d/990-security-misc.conf | 23 ++++++++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3404414..e167a87 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore bogus ICMP error responses. @@ -121,9 +124,6 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2bec703..054dcbf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## @@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -#net.ipv4.conf.*.drop_gratuitous_arp=1 From a25d4f8df88908e83e56049204aa625f1196a948 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:40:21 +0000 Subject: [PATCH 03/13] Provide option to enable ARP filtering --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_filter=1 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 18aec201bfb0477fee8800ad1388099e11920016 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:41:25 +0000 Subject: [PATCH 04/13] Provide option to harden response to ARP requests --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index baa450d..ed9e4d7 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,9 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. +- Optional - Respond to ARP requests only if the target IP address is + on-link, preventing some IP spoofing attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52d31de..a2c3198 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0 ## #net.ipv4.conf.*.arp_filter=1 +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_ignore=2 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 141b84c40de76988ec78bdccf1c1d67fc4367b3f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:42:56 +0000 Subject: [PATCH 05/13] Provide option to deny sending and receiving shared media redirects --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ed9e4d7..50b3cf0 100644 --- a/README.md +++ b/README.md @@ -102,12 +102,15 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Deny sending and receiving shared media redirects to reduce + the risk of IP spoofing attacks. + - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. - + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a2c3198..c43ca19 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Deny sending and receiving RFC1620 shared media redirects. +## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. +## Stops the kernel from sending ICMP redirects to specific networks from the connected network. +## This variable overrides the use secure_redirects. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://datatracker.ietf.org/doc/html/rfc1620 +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## +#net.ipv4.conf.*.shared_media=0 + ## Enable ARP (Address Resolution Protocol) filtering. ## Prevents the Linux kernel from handling the ARP table globally ## Can mitigate some ARP spoofing and ARP cache poisoning attacks. From c1167968542a62d0677517e11505f6e9222ec378 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 12 Dec 2024 06:36:47 +0000 Subject: [PATCH 06/13] `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c43ca19..93efe26 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -467,6 +467,9 @@ net.ipv6.conf.*.accept_redirects=0 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. ## ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium +## https://github.com/mullvad/mullvadvpn-app/pull/7141 +## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## #net.ipv4.conf.*.arp_ignore=2 From ca3a73ac13d805515f71f1be7ecedc33d3a1b519 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:37:10 +0000 Subject: [PATCH 07/13] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..81e40a2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -281,7 +281,7 @@ fs.protected_fifos=2 fs.protected_regular=2 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses +## Forces shared libraries to be loaded to random addresses. ## Start location of PIE-linked binaries is randomized. ## Heap randomization can lead to breakages with legacy applications. ## From 943c421889ce5dfe3869380e4587ca22724f2ce7 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:40:38 +0000 Subject: [PATCH 08/13] Minor refactoring --- etc/default/grub.d/41_recovery_restrict.cfg | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index cfe68b0..530a728 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -7,10 +7,15 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Disable access to single-user mode (i.e. recovery mode). +## Disable access to single-user (recovery) mode. +## ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -GRUB_DISABLE_RECOVERY='true' +## +GRUB_DISABLE_RECOVERY="true" ## Disable access to Dracut's recovery console. +## ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt" +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" \ No newline at end of file From defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:42:03 +0000 Subject: [PATCH 09/13] Refactor CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 80 ++++++++++++++++------- 1 file changed, 55 insertions(+), 25 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1b900c0..c1828dc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,7 +17,7 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html -## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes ## KSPP sets the kernel parameters. @@ -27,7 +27,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. ## Disabling will significantly decrease system performance on multi-threaded tasks. -## To enable SMT, remove this line and all other occurrences of "nosmt" in this file. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 @@ -36,95 +36,125 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## KSPP=yes ## KSPP sets the kernel parameter. ## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" -## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) -## and Intel branch history injection (BHI) vulnerabilities. +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. +## Currently affects both AMD and Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Disable Speculative Store Bypass (Spectre Variant 4). -## Unconditionally enable mitigation for both kernel and userspace. +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## Enable mitigations for the L1TF vulnerability through disabling SMT -## and L1D flush runtime control. +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -## Enable mitigations for the MDS vulnerability through clearing buffer cache -## and disabling SMT. +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using -## TSX Async Abort along with disabling SMT. +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. +## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" -## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions -## are only possible through microcode updates from Intel. +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Enable the prctl() interface to prevent leaks from L1D on context switches. +## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. +## MMIO Stale Data: +## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" -## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with -## Return Instructions) vulnerability and disable SMT. +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ ## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" -## Control RAS overflow mitigation on AMD Zen CPUs. +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## ## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Enable Gather Data Sampling (GDS) mitigation. -## Note for systems that have not received a suitable microcode update this will -## entirely disable use of the AVX instructions set. +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which -## encompasses E-cores on hybrid architectures. +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## From 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:42:52 +0000 Subject: [PATCH 10/13] Enable `kvm-intel.vmentry_l1d_flush=always` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index c1828dc..8236c99 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -66,11 +66,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## L1 Terminal Fault (L1TF): ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" ## Microarchitectural Data Sampling (MDS): ## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. From 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:44:11 +0000 Subject: [PATCH 11/13] Enable `kvm.mitigate_smt_rsb=1` --- etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 8236c99..b7984c5 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -134,6 +134,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" +## Cross-Thread Return Address Predictions: +## Mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects AMD Zen 1-2 CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" + ## Speculative Return Stack Overflow (SRSO): ## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. ## Currently affects AMD Zen 1-4 CPUs. From 0dff2cd28fd769955757cdef1b7f9d637a1180c5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 18 Dec 2024 03:32:35 +0000 Subject: [PATCH 12/13] Minor additions --- etc/default/grub.d/40_cpu_mitigations.cfg | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index b7984c5..fa750b7 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -8,6 +8,7 @@ ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. +## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 @@ -40,6 +41,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## - Remove "nosmt=force". ## - Remove all occurrences of ",nosmt" in this file (note the comma ","). ## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## - Regenerate the dracut initramfs and then reboot system. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" @@ -66,7 +68,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## L1 Terminal Fault (L1TF): ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations. +## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html @@ -75,7 +77,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" ## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html @@ -101,7 +103,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Mitigation of the vulnerability is only possible via microcode update from Intel. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html @@ -115,8 +117,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## MMIO Stale Data: -## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Processor MMIO Stale Data: +## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html @@ -143,7 +145,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" ## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. ## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html From 3749f8ff097551a843e5ed80de52c6770a32e0c6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 18 Dec 2024 03:36:09 +0000 Subject: [PATCH 13/13] Update presentation on user namespaces --- README.md | 4 +-- usr/lib/sysctl.d/990-security-misc.conf | 43 ++++++++++++------------- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index c23d261..d032762 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,11 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +- Optional - Disable all use of user namespaces. + - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation. -- Optional - Disable all use of user namespaces. - - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on both "oopses", which can potentially indicate and thwart diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 81e40a2..10f7a12 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0 ## kernel.sysrq=0 -## Restrict user namespaces to users with CAP_SYS_ADMIN. +## Disable user namespaces entirely. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting may lead to breakages in numerous software packages. -## -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. -## -## Also breaks (some?) AppImages. -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## -## Might also break evolution (e-mail client): -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## Not recommended due to well-known breakages across numerous software packages. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 -## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=no -## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. +## KSPP sets the sysctl. ## -## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. -#kernel.unprivileged_userns_clone=0 -## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. +## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting.