Add option to disable support for x86 processes and syscalls in the future

2025-07-30 22:59:22 +07:00 · 2024-07-15 02:02:01 +10:00
parent f550fbe07c
commit 99038c7a06
2 changed files with 12 additions and 0 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"

+## Disable support for x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
+#ia32_emulation=0
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks