Merge remote-tracking branch 'raja/kargs'

This commit is contained in:
Patrick Schleizer 2024-07-17 08:38:23 -04:00
commit a2802f352f
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
12 changed files with 340 additions and 157 deletions

View File

@ -101,36 +101,56 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
### Boot parameters ### Boot parameters
Boot parameters are outlined in configuration files located in the Mitigations for known CPU vulnerabilities are enabled in their strictest form
`etc/default/grub.d/` directory. and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
- Slab merging is disabled which significantly increases the difficulty of Boot parameters relating to kernel hardening, DMA mitigations, and entropy
heap exploitation by preventing overwriting objects from merged caches and generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
by making it harder to influence slab cache layout. configuration file.
- Memory zeroing at allocation and free time is enabled to mitigate some - Disable merging of slabs with similar size which reduces the risk of
use-after-free vulnerabilities and erase sensitive information in memory. triggering heap overflows and limits influencing slab cache layout.
- Page allocator freelist randomization is enabled. - Enable memory zeroing at both allocation and free time which mitigate some
use-after-free vulnerabilities by erasing sensitive information in memory.
- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - Enable the kernel page allocator to randomise free lists to limit some data
KASLR effectiveness. exfiltration and ROP attacks especially during the early boot process.
- vsyscalls are disabled as they are obsolete, are at fixed addresses and - Enable kernel page table isolation increase KASLR effectiveness and also
thus, are a potential target for ROP. mitigate the Meltdown CPU vulnerability.
- The kernel panics on oopses to thwart certain kernel exploits. - Enables randomisation of the kernel stack offset on syscall entries to harden
against memory corruption attacks.
- Enables randomisation of the kernel stack offset on syscall entries. - Disable vsyscalls as they are vulnerable to ROP attacks and have now been
replaced by vDSO.
- Mitigations for known CPU vulnerabilities are enabled and SMT is - Restrict access to debugfs by not registering the file system since it can
disabled. contain sensitive information.
- IOMMU is enabled to prevent DMA attacks along with strict enforcement of - Force kernel panics on "oopses" to potentially indicate and thwart certain
IOMMU TLB invalidation so devices will never be able to access stale data kernel exploitation attempts.
contents.
- Distrust the 'randomly' generated CPU and bootloader seeds. - Provide option to modify machine check exception handler.
- Provide option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7).
- Enable strict IOMMU translation to protect against DMA attacks and disable
the busmaster bit on all PCI bridges during the early boot process.
- Do not credit the CPU or bootloader as entropy sources at boot in order to
maximise the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialised.
- Provide option to disable the entire IPv6 stack to reduce attack surface.
Disallow sensitive kernel information leaks in the console during boot. See
the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
### Kernel Modules ### Kernel Modules
@ -143,7 +163,7 @@ Not yet due to issues:
See: See:
- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` - `/etc/default/grub.d/40_signed_modules.cfg`
#### Disables the loading of new modules to the kernel after the fact #### Disables the loading of new modules to the kernel after the fact
@ -285,8 +305,9 @@ See:
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. `/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
- Distrusts the CPU for initial entropy at boot as it is not possible to - Distrusts the CPU for initial entropy at boot as it is not possible to
audit, may contain weaknesses or a backdoor. For references, see: audit, may contain weaknesses or a backdoor. Similarly, do not credit the
`/etc/default/grub.d/40_distrust_cpu.cfg` bootloader seed for initial entropy. For references, see:
`/etc/default/grub.d/40_kernel_hardening.cfg`
- Gathers more entropy during boot if using the linux-hardened kernel patch. - Gathers more entropy during boot if using the linux-hardened kernel patch.

View File

@ -67,3 +67,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
rm_conffile /etc/permission-hardening.d/30_default.conf rm_conffile /etc/permission-hardening.d/30_default.conf
## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg
rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg
rm_conffile /etc/default/grub.d/40_enable_iommu.cfg
## renamed to /etc/default/grub.d/40_remount_secure.cfg
rm_conffile /etc/default/grub.d/40_remmount-secure.cfg
## renamed to /etc/default/grub.d/40_signed_modules.cfg
rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
## renamed to /etc/default/grub.d/41_quiet_boot.cfg
rm_conffile /etc/default/grub.d/41_quiet.cfg

View File

@ -1,99 +1,117 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Enables known mitigations for CPU vulnerabilities. ## Enable known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
## Check for potential updates directly from AMD and Intel. ## Check for potential updates directly from AMD and Intel.
##
## https://www.amd.com/en/resources/product-security.html ## https://www.amd.com/en/resources/product-security.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
## The only full mitigation of cross-HT attacks is to disable SMT.
## Disabling will significantly decrease system performance on multi-threaded tasks.
## To enable SMT, remove this line all other occurrences of "nosmt" in this file.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
## and Intel branch history injection (BHI) vulnerabilities. ## and Intel branch history injection (BHI) vulnerabilities.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
## Disable Speculative Store Bypass (Spectre Variant 4). ## Disable Speculative Store Bypass (Spectre Variant 4).
## ##
## https://www.suse.com/support/kb/doc/?id=000019189 ## https://www.suse.com/support/kb/doc/?id=000019189
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
## Enable mitigations for the L1TF vulnerability through disabling SMT ## Enable mitigations for the L1TF vulnerability through disabling SMT
## and L1D flush runtime control. ## and L1D flush runtime control.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
## Enable mitigations for the MDS vulnerability through clearing buffer cache ## Enable mitigations for the MDS vulnerability through clearing buffer cache
## and disabling SMT. ## and disabling SMT.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
## Patches the TAA vulnerability by disabling TSX and enables mitigations using ## Patches the TAA vulnerability by disabling TSX and enable mitigations using
## TSX Async Abort along with disabling SMT. ## TSX Async Abort along with disabling SMT.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. ## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions
## Only mitigated through microcode updates from Intel. ## are only possible through microcode updates from Intel.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691 ## https://access.redhat.com/solutions/5142691
## Force disable SMT as it has caused numerous CPU vulnerabilities. ## Enable the prctl() interface to prevent leaks from L1D on context switches.
## The only full mitigation of cross-HT attacks is to disable SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enables the prctl interface to prevent leaks from L1D on context switches.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. ## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
## Return Instructions) vulnerability and disable SMT. ## Return Instructions) vulnerability and disable SMT.
## ##
## https://www.suse.com/support/kb/doc/?id=000020693 ## https://www.suse.com/support/kb/doc/?id=000020693
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## Control RAS overflow mitigation on AMD Zen CPUs. ## Control RAS overflow mitigation on AMD Zen CPUs.
## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
## This default will used until provided sufficient evidence to modify.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
##
## The default kernel setting will be utilised until provided sufficient evidence to modify.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
## Mitigates Gather Data Sampling (GDS) vulnerability. ## Enable Gather Data Sampling (GDS) mitigation.
## Note for systems that have not received a suitable microcode update this will ## Note for systems that have not received a suitable microcode update this will
## entirely disable use of the AVX instructions set. ## entirely disable use of the AVX instructions set.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## encompasses E-cores on hybrid architectures. ## encompasses E-cores on hybrid architectures.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

View File

@ -1,7 +0,0 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Distrusts the bootloader for initial entropy at boot.
##
## https://lkml.org/lkml/2022/6/5/271
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"

View File

@ -1,12 +0,0 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Distrusts the CPU for initial entropy at boot as it is not possible to
## audit, may contain weaknesses or a backdoor.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://twitter.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://lkml.org/lkml/2022/6/5/271
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"

View File

@ -1,17 +0,0 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Enables IOMMU to prevent DMA attacks.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation"
## Disable the busmaster bit on all PCI bridges during very
## early boot to avoid holes in IOMMU.
##
## https://mjg59.dreamwidth.org/54433.html
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1"

View File

@ -5,58 +5,196 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
#echo "## kver: $kver" #echo "## kver: $kver"
## Disables the merging of slabs of similar sizes. ## This configuration file is split into 3 sections:
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. ## 1. Kernel Space
## 2. Direct Memory Access
## 3. Entropy
## 4. Networking
## See the documentation below for details on the majority of the selected commands.
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
## 1. Kernel Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
## Disable merging of slabs with similar size.
## Reduces the risk of triggering heap overflows.
## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
##
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
## Enables sanity checks (F) and redzoning (Z). ## Zero memory at allocation time and free time.
## Disabled due to kernel deciding to implicitly disable kernel pointer hashing ## Fills newly allocated pages, freed pages, and heap objects with zeros.
## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 ## Mitigates use-after-free exploits by erasing sensitive information in memory.
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" ##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
## Zero memory at allocation and free time. ## Enable the kernel page allocator to randomise free lists.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" ## During early boot the page allocator has predictable FIFO behaviour for physical pages.
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
## Machine check exception handler decides whether the system should panic or not based on the exception that happened. ## Also improves performance by optimising memory-side cache utilisation.
## https://forums.whonix.org/t/kernel-hardening/7296/494 ##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
## Enables page allocator freelist randomization.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
## Mitigates the Meltdown CPU vulnerability.
##
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Enable randomisation of the kernel stack offset on syscall entries.
## Hardens against memory corruption attacks due to increased entropy.
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
##
## https://lkml.org/lkml/2019/3/18/246 ## https://lkml.org/lkml/2019/3/18/246
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
## Enables kernel lockdown. ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
## ##
## Disabled for now as it enforces module signature verification which breaks ## https://lwn.net/Articles/446528/
## too many things. ## https://en.wikipedia.org/wiki/VDSO
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
## ##
#if dpkg --compare-versions "${kver}" ge "5.4"; then GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi
## Gather more entropy during boot. ## Restrict access to debugfs by not registering the file system.
## Deactivated since the file system can contain sensitive information.
## ##
## Requires linux-hardened kernel patch.
## https://github.com/anthraxx/linux-hardened
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122 ## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Force the kernel to panic on "oopses" (which may be due to false positives) ## Force the kernel to panic on "oopses".
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Also cause panics on machine check exceptions.
## Panics may be due to false-positives such as bad drivers.
##
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
## Implemented differently: ##
## /usr/libexec/security-misc/panic-on-oops ## See /usr/libexec/security-misc/panic-on-oops for implementation.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
## Modify machine check exception handler.
## Can decide whether the system should panic or not based on the occurrence of an exception.
##
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
## https://forums.whonix.org/t/kernel-hardening/7296/494
##
## The default kernel setting will be utilised until provided sufficient evidence to modify.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
## Prevent sensitive kernel information leaks in the console during boot.
## Must be used in combination with the kernel.printk sysctl.
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
##
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
## https://wiki.archlinux.org/title/silent_boot
##
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
##
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#ia32_emulation=0
## 2. Direct Memory Access:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
## Enable and force use of IOMMU translation to protect against DMA attacks.
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
## Ensures devices will never be able to access stale data contents.
##
## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
## https://en.wikipedia.org/wiki/DMA_attack
## https://lenovopress.lenovo.com/lp1467.pdf
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
## Disable the busmaster bit on all PCI bridges during the early boot process.
## Patches weak-point in some existing IOMMU implementations.
## May lead to issues such as complete system boot failure on certain devices.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
## https://mjg59.dreamwidth.org/54433.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## 3. Entropy:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
## Numerous implementations of RDRAND have a long history of being defective.
## The RNG seed passed by the bootloader could also potentially be tampered.
## Maximising the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://systemd.io/RANDOM_SEEDS/
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
## https://x.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://github.com/NixOS/nixpkgs/pull/165355
## https://lkml.org/lkml/2022/6/5/271
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
## Obtain more entropy during boot as the runtime memory allocator is being initialised.
## Entropy will be extracted from up to the first 4GB of RAM.
## Requires the linux-hardened kernel patch.
##
## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## 4. Networking
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
## Disable the entire IPv6 stack functionality.
## Removes attack surface associated with the IPv6 module.
##
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
##
## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
##
#ipv6.disable=1

View File

@ -1,8 +0,0 @@
## Requires every module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This makes it harder to load a malicious module.
##
## Not enabled by default yet due to issues:
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"

View File

@ -1,16 +1,25 @@
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Remount Secure provides enhanced security via mmount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
## Option A (No Security):
## Disable Remount Secure. ## Disable Remount Secure.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
## Re-mount with nodev, nosuid only. ## Option B (Low Security):
## Re-mount with nodev and nosuid only.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
## Re-mount with nodev, nosuid and most with noexec except for /home. ## Option C (Medium Security):
## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
## Re-mount with nodev, nosuid and all with noexec including /home. ## Option D (Highest Security)
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

View File

@ -0,0 +1,25 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Require every kernel module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.
## This prevents all out-of-tree kernel modules unless signed.
## This makes it harder to load a malicious module.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
## https://github.com/dell/dkms/issues/359
##
## Not enabled by default yet due to several issues.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
## Enable kernel lockdown to enforce security boundary between user and kernel space.
## Confidentiality mode enforces module signature verification.
##
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
##
## ## Not enabled by default yet due to several issues.
##
#if dpkg --compare-versions "${kver}" ge "5.4"; then
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
#fi

View File

@ -1,27 +0,0 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
## LANG=C str_replace is provided by package helper-scripts.
## The following command actually removed "quiet" from the kernel command line.
## If verbosity is desired, the user might want to keep this line.
## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
## If verbosity is desired, the user might want to out-comment the following line.
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0"
## NOTE:
## After editing this file, running:
## sudo update-grub
## is required.
##
## If higher verbosity is desired, the user might also want to delete file
## /etc/sysctl.d/30_silent-kernel-printk.conf
## (or out-comment its settings).
##
## Alternatively, the user could consider to install the debug-misc package,
## which will undo the settings found here.

View File

@ -0,0 +1,29 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Some default configuration files automatically include the "quiet" parameter.
## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
## LANG=C str_replace is provided by package helper-scripts.
##
## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
##
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
## Prevent sensitive kernel information leaks in the console during boot.
## Must be used in combination with the kernel.printk sysctl.
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
##
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
## https://wiki.archlinux.org/title/silent_boot
##
## For easier debugging, these are not applied to the recovery boot option.
## Switch the pair of commands to universally apply parameters to all boot options.
##
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
## For Increased Log Verbosity:
## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
## Alternatively, installing the debug-misc package will undo these settings.