diff --git a/README.md b/README.md index 7ed16cc..bad198e 100644 --- a/README.md +++ b/README.md 
@@ -101,36 +101,56 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. ### Boot parameters -Boot parameters are outlined in configuration files located in the -`etc/default/grub.d/` directory. +Mitigations for known CPU vulnerabilities are enabled in their strictest form +and simultaneous multithreading (SMT) is disabled. See the +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. -- Slab merging is disabled which significantly increases the difficulty of - heap exploitation by preventing overwriting objects from merged caches and - by making it harder to influence slab cache layout. +Boot parameters relating to kernel hardening, DMA mitigations, and entropy +generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +configuration file. -- Memory zeroing at allocation and free time is enabled to mitigate some - use-after-free vulnerabilities and erase sensitive information in memory. +- Disable merging of slabs with similar size which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. -- Page allocator freelist randomization is enabled. +- Enable memory zeroing at both allocation and free time which mitigate some + use-after-free vulnerabilities by erasing sensitive information in memory. -- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - KASLR effectiveness. +- Enable the kernel page allocator to randomise free lists to limit some data + exfiltration and ROP attacks especially during the early boot process. -- vsyscalls are disabled as they are obsolete, are at fixed addresses and - thus, are a potential target for ROP. +- Enable kernel page table isolation increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. -- The kernel panics on oopses to thwart certain kernel exploits. +- Enables randomisation of the kernel stack offset on syscall entries to harden + against memory corruption attacks. 
-- Enables randomisation of the kernel stack offset on syscall entries. +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. -- Mitigations for known CPU vulnerabilities are enabled and SMT is - disabled. +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. -- IOMMU is enabled to prevent DMA attacks along with strict enforcement of - IOMMU TLB invalidation so devices will never be able to access stale data - contents. +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. -- Distrust the 'randomly' generated CPU and bootloader seeds. +- Provide option to modify machine check exception handler. + +- Provide option to disable support for all x86 processes and syscalls to reduce + attack surface (when using Linux kernel version >= 6.7). + +- Enable strict IOMMU translation to protect against DMA attacks and disable + the busmaster bit on all PCI bridges during the early boot process. + +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximise the absolute quantity of entropy in the combined pool. + +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialised. + +- Provide option to disable the entire IPv6 stack to reduce attack surface. + +Disallow sensitive kernel information leaks in the console during boot. See +the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. ### Kernel Modules @@ -143,7 +163,7 @@ Not yet due to issues: See: -- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +- `/etc/default/grub.d/40_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact 
@@ -285,8 +305,9 @@ See: `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. - Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. For references, see: - `/etc/default/grub.d/40_distrust_cpu.cfg` + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` - Gathers more entropy during boot if using the linux-hardened kernel patch. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index aa00d07..efa72c2 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -67,3 +67,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf + +## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg +rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg +rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg +rm_conffile /etc/default/grub.d/40_enable_iommu.cfg + +## renamed to /etc/default/grub.d/40_remount_secure.cfg +rm_conffile /etc/default/grub.d/40_remmount-secure.cfg + +## renamed to /etc/default/grub.d/40_signed_modules.cfg +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg + +## renamed to /etc/default/grub.d/41_quiet_boot.cfg +rm_conffile /etc/default/grub.d/41_quiet.cfg diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 99582ae..e303f9f 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,99 +1,117 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables known mitigations for CPU vulnerabilities. -## +## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Check for potential updates directly from AMD and Intel. -## ## https://www.amd.com/en/resources/product-security.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" +## Disable SMT as it has been the cause of and amplified numerous CPU exploits. +## The only full mitigation of cross-HT attacks is to disable SMT. +## Disabling will significantly decrease system performance on multi-threaded tasks. +## To enable SMT, remove this line all other occurrences of "nosmt" in this file. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) ## and Intel branch history injection (BHI) vulnerabilities. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). ## ## https://www.suse.com/support/kb/doc/?id=000019189 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## Enable mitigations for the MDS vulnerability through clearing buffer cache ## and disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using +## Patches the TAA vulnerability by disabling TSX and enable mitigations using ## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. -## Only mitigated through microcode updates from Intel. +## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions +## are only possible through microcode updates from Intel. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Force disable SMT as it has caused numerous CPU vulnerabilities. -## The only full mitigation of cross-HT attacks is to disable SMT. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Enables the prctl interface to prevent leaks from L1D on context switches. +## Enable the prctl() interface to prevent leaks from L1D on context switches. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. +## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## ## https://www.suse.com/support/kb/doc/?id=000020693 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. -## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' -## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Mitigates Gather Data Sampling (GDS) vulnerability. +## Enable Gather Data Sampling (GDS) mitigation. 
## Note for systems that have not received a suitable microcode update this will ## entirely disable use of the AVX instructions set. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" \ No newline at end of file diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg deleted file mode 100644 index eb26262..0000000 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the bootloader for initial entropy at boot. -## -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg deleted file mode 100644 index 5cfaba9..0000000 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ /dev/null 
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the CPU for initial entropy at boot as it is not possible to -## audit, may contain weaknesses or a backdoor. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://twitter.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg deleted file mode 100644 index 898e500..0000000 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Enables IOMMU to prevent DMA attacks. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation" - -## Disable the busmaster bit on all PCI bridges during very -## early boot to avoid holes in IOMMU. -## -## https://mjg59.dreamwidth.org/54433.html -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents -## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 -## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 4c70928..8285744 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -5,58 +5,196 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## Disables the merging of slabs of similar sizes. -## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +## This configuration file is split into 3 sections: +## 1. Kernel Space +## 2. Direct Memory Access +## 3. Entropy +## 4. Networking + +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://wiki.archlinux.org/title/Kernel_parameters#GRUB + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters + +## Disable merging of slabs with similar size. +## Reduces the risk of triggering heap overflows. +## Prevents overwriting objects from merged caches and limits influencing slab cache layout. +## +## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 +## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F) and redzoning (Z). -## Disabled due to kernel deciding to implicitly disable kernel pointer hashing -## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" +## Zero memory at allocation time and free time. +## Fills newly allocated pages, freed pages, and heap objects with zeros. +## Mitigates use-after-free exploits by erasing sensitive information in memory. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Zero memory at allocation and free time. 
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" - -## Machine check exception handler decides whether the system should panic or not based on the exception that happened. -## https://forums.whonix.org/t/kernel-hardening/7296/494 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - -## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Enables page allocator freelist randomization. +## Enable the kernel page allocator to randomise free lists. +## During early boot the page allocator has predictable FIFO behaviour for physical pages. +## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. +## Also improves performance by optimising memory-side cache utilisation. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 +## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. +## Mitigates the Meltdown CPU vulnerability. +## +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" + +## Enable randomisation of the kernel stack offset on syscall entries. +## Hardens against memory corruption attacks due to increased entropy. +## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. 
+## ## https://lkml.org/lkml/2019/3/18/246 +## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" -## Enables kernel lockdown. +## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. +## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. ## -## Disabled for now as it enforces module signature verification which breaks -## too many things. -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## https://lwn.net/Articles/446528/ +## https://en.wikipedia.org/wiki/VDSO ## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" -## Gather more entropy during boot. +## Restrict access to debugfs by not registering the file system. +## Deactivated since the file system can contain sensitive information. ## -## Requires linux-hardened kernel patch. -## https://github.com/anthraxx/linux-hardened -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 -## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to panic on "oopses" (which may be due to false positives) +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Also cause panics on machine check exceptions. +## Panics may be due to false-positives such as bad drivers. 
+## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## Implemented differently: -## /usr/libexec/security-misc/panic-on-oops +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" + +## Modify machine check exception handler. +## Can decide whether the system should panic or not based on the occurrence of an exception. +## +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://forums.whonix.org/t/kernel-hardening/7296/494 +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## Disable support for x86 processes and syscalls. +## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## +## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## +#ia32_emulation=0 + +## 2. Direct Memory Access: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks + +## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. 
+## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" + +## Enable and force use of IOMMU translation to protect against DMA attacks. +## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. +## Ensures devices will never be able to access stale data contents. +## +## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit +## https://en.wikipedia.org/wiki/DMA_attack +## https://lenovopress.lenovo.com/lp1467.pdf +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" + +## Disable the busmaster bit on all PCI bridges during the early boot process. +## Patches weak-point in some existing IOMMU implementations. +## May lead to issues such as complete system boot failure on certain devices. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +## https://mjg59.dreamwidth.org/54433.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## 3. Entropy: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand + +## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## The RDRAND CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND have a long history of being defective. +## The RNG seed passed by the bootloader could also potentially be tampered. +## Maximising the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialise the RNG. +## Note that distrusting these (relatively fast) sources of entropy will increase boot time. 
+## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://systemd.io/RANDOM_SEEDS/ +## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ +## https://x.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Obtain more entropy during boot as the runtime memory allocator is being initialised. +## Entropy will be extracted from up to the first 4GB of RAM. +## Requires the linux-hardened kernel patch. +## +## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened +## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 +## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" + +## 4. Networking +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters + +## Disable the entire IPv6 stack functionality. +## Removes attack surface associated with the IPv6 module. +## +## https://www.kernel.org/doc/html/latest/networking/ipv6.html +## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 +## +## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. +## +#ipv6.disable=1 \ No newline at end of file diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg deleted file mode 100644 index 5d1a357..0000000 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ /dev/null 
@@ -1,8 +0,0 @@ -## Requires every module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This makes it harder to load a malicious module. -## -## Not enabled by default yet due to issues: -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remount_secure.cfg similarity index 52% rename from etc/default/grub.d/40_remmount-secure.cfg rename to etc/default/grub.d/40_remount_secure.cfg index 4bdc3a9..c180456 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,16 +1,25 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Remount Secure provides enhanced security via mmount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure +## Option A (No Security): ## Disable Remount Secure. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" -## Re-mount with nodev, nosuid only. +## Option B (Low Security): +## Re-mount with nodev and nosuid only. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" -## Re-mount with nodev, nosuid and most with noexec except for /home. +## Option C (Medium Security): +## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" -## Re-mount with nodev, nosuid and all with noexec including /home. +## Option D (Highest Security) +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" 
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg new file mode 100644 index 0000000..9a6a101 --- /dev/null +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -0,0 +1,25 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Require every kernel module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This prevents all out-of-tree kernel modules unless signed. +## This makes it harder to load a malicious module. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +## +## Not enabled by default yet due to several issues. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" + +## Enable kernel lockdown to enforce security boundary between user and kernel space. +## Confidentiality mode enforces module signature verification. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +## ## Not enabled by default yet due to several issues. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg deleted file mode 100644 index ecb268b..0000000 --- a/etc/default/grub.d/41_quiet.cfg +++ /dev/null 
@@ -1,27 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - -## If verbosity is desired, the user might want to out-comment the following line. -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" - -## NOTE: -## After editing this file, running: -## sudo update-grub -## is required. -## -## If higher verbosity is desired, the user might also want to delete file -## /etc/sysctl.d/30_silent-kernel-printk.conf -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg new file mode 100644 index 0000000..4beed93 --- /dev/null +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -0,0 +1,29 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Some default configuration files automatically include the "quiet" parameter. +## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## LANG=C str_replace is provided by package helper-scripts. +## +## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 +## +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## For easier debugging, these are not applied to the recovery boot option. +## Switch the pair of commands to universally apply parameters to all boot options. +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file
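Review bot: in the README.md hunk at @@ -101,36 +101,56 @@, "Enable kernel page table isolation increase KASLR effectiveness" is missing "to", "which mitigate some use-after-free vulnerabilities" should read "mitigates", and "Enables randomisation of the kernel stack offset" breaks the imperative mood the rest of the new list uses. The bullet "Provide option to disable support for all x86 processes and syscalls" also overstates what the config does: the option it describes is `ia32_emulation=0`, which disables IA32 (32-bit) emulation, so say "32-bit x86 (IA32) processes and syscalls" so readers do not take it to affect native x86-64 code.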
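Review bot: in the README.md hunk at @@ -285,8 +305,9 @@, the list item switches from third person ("Distrusts the CPU for initial entropy") to the imperative ("Similarly, do not credit the bootloader seed") mid-sentence; "Similarly, does not credit the bootloader seed for initial entropy" keeps the item consistent with the "Gathers more entropy" item that follows it.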
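Review bot: the three `rm_conffile` entries under the "## renamed to ..." comments in the debian/security-misc.maintscript hunk throw away any local edits a user made to the old conffile rather than carrying them over to the new name; `dpkg-maintscript-helper` provides `mv_conffile` for exactly this case, e.g. `mv_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg /etc/default/grub.d/40_signed_modules.cfg`, and likewise for `40_remmount-secure.cfg` and `41_quiet.cfg`. For the three files merged into 40_kernel_hardening.cfg, `rm_conffile` is the right directive, but a changelog or NEWS entry should say that local edits to 40_distrust_bootloader.cfg, 40_distrust_cpu.cfg and 40_enable_iommu.cfg are not migrated into the merged file.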
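Review bot: the SMT note in the etc/default/grub.d/40_cpu_mitigations.cfg hunk, "To enable SMT, remove this line all other occurrences of "nosmt" in this file", is missing "and" and is also incomplete as an instruction: the `l1tf=full,force` line a few stanzas down disables SMT too (the comment above it says so) without containing the string "nosmt", so a reader who follows the note literally still boots with SMT off. Spell out that the L1TF setting has to change as well, or list every line that forces SMT off. Smaller points in the same hunk: "Patches the TAA vulnerability by disabling TSX and enable mitigations" mixes verb forms, and the file now ends without a trailing newline ("\ No newline at end of file").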
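Review bot: `#ia32_emulation=0` and `#ipv6.disable=1` in the etc/default/grub.d/40_kernel_hardening.cfg hunk are bare kernel parameters rather than `GRUB_CMDLINE_LINUX` appends like every other option in the file; grub-mkconfig sources these files as shell, so a user who uncomments them gets a plain shell variable assignment (`ia32_emulation=0`) or a "command not found" error (`ipv6.disable=1` is not a valid assignment) and nothing reaches the kernel command line. Write them in the same form as their neighbours: `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"` and `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"`. Also in this hunk: the header says the file "is split into 3 sections" but then lists four; "usr/lib/sysctl.d/990-security-misc.conf" is missing its leading slash; the commented `loglevel=0`/`quiet` pair duplicates 41_quiet_boot.cfg, so the "See /etc/default/grub.d/41_quiet_boot.cfg" pointer alone would avoid two copies drifting apart; and the file loses its trailing newline.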
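Review bot: "Remount Secure provides enhanced security via mmount options" in the etc/default/grub.d/40_remount_secure.cfg hunk should read "mount options", and "Option D (Highest Security)" lacks the trailing colon used for Options A to C. Since all four `remountsecure=` lines are commented out, the file should also state which level applies when none is uncommented, otherwise a reader cannot tell the default from this file alone.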
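Review bot: the lockdown block in the new etc/default/grub.d/40_signed_modules.cfg tests `${kver}`, but that variable is only set in 40_kernel_hardening.cfg (the `kpkg=`/`kver=` lines at the top of that hunk); it works solely because grub-mkconfig sources the grub.d files in lexical order and "40_kernel_hardening" sorts before "40_signed_modules". Either recompute `kver` in this file or add a comment recording the dependency, so a future rename does not silently turn the version check into a comparison against an empty string. Also "## ## Not enabled by default yet due to several issues." has a doubled `##`.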
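Review bot: the order of the two appended parameters in the new etc/default/grub.d/41_quiet_boot.cfg contradicts its own comment: the file first strips `quiet` from GRUB_CMDLINE_LINUX_DEFAULT "since "quiet" must be first", then appends `loglevel=0` followed by `quiet`, leaving `quiet` last; the deleted 41_quiet.cfg appended `quiet loglevel=0`. The kernel processes these parameters in command-line order and `quiet` itself sets the console log level, so a trailing `quiet` overrides the `loglevel=0` that precedes it. Swap the two `GRUB_CMDLINE_LINUX_DEFAULT` lines (and the commented `GRUB_CMDLINE_LINUX` pair, here and in 40_kernel_hardening.cfg) so `quiet` comes first. Also "Thefore" should be "Therefore", and the deleted file's reminder that `sudo update-grub` must be run after editing is worth keeping in the new file.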