mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:13:40 +07:00
Merge remote-tracking branch 'raja/kargs'
This commit is contained in:
commit
a2802f352f
67
README.md
67
README.md
@ -101,36 +101,56 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||
|
||||
### Boot parameters
|
||||
|
||||
Boot parameters are outlined in configuration files located in the
|
||||
`etc/default/grub.d/` directory.
|
||||
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
||||
and simultaneous multithreading (SMT) is disabled. See the
|
||||
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
|
||||
|
||||
- Slab merging is disabled which significantly increases the difficulty of
|
||||
heap exploitation by preventing overwriting objects from merged caches and
|
||||
by making it harder to influence slab cache layout.
|
||||
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
configuration file.
|
||||
|
||||
- Memory zeroing at allocation and free time is enabled to mitigate some
|
||||
use-after-free vulnerabilities and erase sensitive information in memory.
|
||||
- Disable merging of slabs with similar size which reduces the risk of
|
||||
triggering heap overflows and limits influencing slab cache layout.
|
||||
|
||||
- Page allocator freelist randomization is enabled.
|
||||
- Enable memory zeroing at both allocation and free time which mitigate some
|
||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||
|
||||
- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
|
||||
KASLR effectiveness.
|
||||
- Enable the kernel page allocator to randomise free lists to limit some data
|
||||
exfiltration and ROP attacks especially during the early boot process.
|
||||
|
||||
- vsyscalls are disabled as they are obsolete, are at fixed addresses and
|
||||
thus, are a potential target for ROP.
|
||||
- Enable kernel page table isolation increase KASLR effectiveness and also
|
||||
mitigate the Meltdown CPU vulnerability.
|
||||
|
||||
- The kernel panics on oopses to thwart certain kernel exploits.
|
||||
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
||||
against memory corruption attacks.
|
||||
|
||||
- Enables randomisation of the kernel stack offset on syscall entries.
|
||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||
replaced by vDSO.
|
||||
|
||||
- Mitigations for known CPU vulnerabilities are enabled and SMT is
|
||||
disabled.
|
||||
- Restrict access to debugfs by not registering the file system since it can
|
||||
contain sensitive information.
|
||||
|
||||
- IOMMU is enabled to prevent DMA attacks along with strict enforcement of
|
||||
IOMMU TLB invalidation so devices will never be able to access stale data
|
||||
contents.
|
||||
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
||||
kernel exploitation attempts.
|
||||
|
||||
- Distrust the 'randomly' generated CPU and bootloader seeds.
|
||||
- Provide option to modify machine check exception handler.
|
||||
|
||||
- Provide option to disable support for all x86 processes and syscalls to reduce
|
||||
attack surface (when using Linux kernel version >= 6.7).
|
||||
|
||||
- Enable strict IOMMU translation to protect against DMA attacks and disable
|
||||
the busmaster bit on all PCI bridges during the early boot process.
|
||||
|
||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||
maximise the absolute quantity of entropy in the combined pool.
|
||||
|
||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||
being initialised.
|
||||
|
||||
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
||||
|
||||
Disallow sensitive kernel information leaks in the console during boot. See
|
||||
the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
|
||||
|
||||
### Kernel Modules
|
||||
|
||||
@ -143,7 +163,7 @@ Not yet due to issues:
|
||||
|
||||
See:
|
||||
|
||||
- `/etc/default/grub.d/40_only_allow_signed_modules.cfg`
|
||||
- `/etc/default/grub.d/40_signed_modules.cfg`
|
||||
|
||||
#### Disables the loading of new modules to the kernel after the fact
|
||||
|
||||
@ -285,8 +305,9 @@ See:
|
||||
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
||||
|
||||
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
audit, may contain weaknesses or a backdoor. For references, see:
|
||||
`/etc/default/grub.d/40_distrust_cpu.cfg`
|
||||
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
||||
bootloader seed for initial entropy. For references, see:
|
||||
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
|
||||
- Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||
|
||||
|
14
debian/security-misc.maintscript
vendored
14
debian/security-misc.maintscript
vendored
@ -67,3 +67,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
|
||||
rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
|
||||
rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
|
||||
rm_conffile /etc/permission-hardening.d/30_default.conf
|
||||
|
||||
## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
|
||||
rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg
|
||||
rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg
|
||||
rm_conffile /etc/default/grub.d/40_enable_iommu.cfg
|
||||
|
||||
## renamed to /etc/default/grub.d/40_remount_secure.cfg
|
||||
rm_conffile /etc/default/grub.d/40_remmount-secure.cfg
|
||||
|
||||
## renamed to /etc/default/grub.d/40_signed_modules.cfg
|
||||
rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
|
||||
|
||||
## renamed to /etc/default/grub.d/41_quiet_boot.cfg
|
||||
rm_conffile /etc/default/grub.d/41_quiet.cfg
|
||||
|
@ -1,99 +1,117 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Enables known mitigations for CPU vulnerabilities.
|
||||
##
|
||||
## Enable known mitigations for CPU vulnerabilities.
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
||||
|
||||
## Check for potential updates directly from AMD and Intel.
|
||||
##
|
||||
## https://www.amd.com/en/resources/product-security.html
|
||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
||||
|
||||
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
||||
|
||||
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
|
||||
## The only full mitigation of cross-HT attacks is to disable SMT.
|
||||
## Disabling will significantly decrease system performance on multi-threaded tasks.
|
||||
## To enable SMT, remove this line all other occurrences of "nosmt" in this file.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
|
||||
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
||||
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
||||
|
||||
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
|
||||
## and Intel branch history injection (BHI) vulnerabilities.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
|
||||
|
||||
## Disable Speculative Store Bypass (Spectre Variant 4).
|
||||
##
|
||||
## https://www.suse.com/support/kb/doc/?id=000019189
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
|
||||
|
||||
## Enable mitigations for the L1TF vulnerability through disabling SMT
|
||||
## and L1D flush runtime control.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
|
||||
|
||||
## Enable mitigations for the MDS vulnerability through clearing buffer cache
|
||||
## and disabling SMT.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
||||
|
||||
## Patches the TAA vulnerability by disabling TSX and enables mitigations using
|
||||
## Patches the TAA vulnerability by disabling TSX and enable mitigations using
|
||||
## TSX Async Abort along with disabling SMT.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
|
||||
|
||||
## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
|
||||
|
||||
## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
|
||||
## Only mitigated through microcode updates from Intel.
|
||||
## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions
|
||||
## are only possible through microcode updates from Intel.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
|
||||
## https://access.redhat.com/solutions/5142691
|
||||
|
||||
## Force disable SMT as it has caused numerous CPU vulnerabilities.
|
||||
## The only full mitigation of cross-HT attacks is to disable SMT.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
|
||||
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
||||
|
||||
## Enables the prctl interface to prevent leaks from L1D on context switches.
|
||||
## Enable the prctl() interface to prevent leaks from L1D on context switches.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
|
||||
|
||||
## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
|
||||
## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
|
||||
|
||||
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
|
||||
## Return Instructions) vulnerability and disable SMT.
|
||||
##
|
||||
## https://www.suse.com/support/kb/doc/?id=000020693
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
|
||||
|
||||
## Control RAS overflow mitigation on AMD Zen CPUs.
|
||||
## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
|
||||
## This default will used until provided sufficient evidence to modify.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
|
||||
##
|
||||
## The default kernel setting will be utilised until provided sufficient evidence to modify.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
|
||||
|
||||
## Mitigates Gather Data Sampling (GDS) vulnerability.
|
||||
## Enable Gather Data Sampling (GDS) mitigation.
|
||||
## Note for systems that have not received a suitable microcode update this will
|
||||
## entirely disable use of the AVX instructions set.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
|
||||
|
||||
## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
|
||||
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
|
||||
## encompasses E-cores on hybrid architectures.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
|
@ -1,7 +0,0 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Distrusts the bootloader for initial entropy at boot.
|
||||
##
|
||||
## https://lkml.org/lkml/2022/6/5/271
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
@ -1,12 +0,0 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
## audit, may contain weaknesses or a backdoor.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||
## https://twitter.com/pid_eins/status/1149649806056280069
|
||||
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
|
||||
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
|
||||
## https://lkml.org/lkml/2022/6/5/271
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
@ -1,17 +0,0 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Enables IOMMU to prevent DMA attacks.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation"
|
||||
|
||||
## Disable the busmaster bit on all PCI bridges during very
|
||||
## early boot to avoid holes in IOMMU.
|
||||
##
|
||||
## https://mjg59.dreamwidth.org/54433.html
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
|
||||
## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
|
||||
## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
|
||||
## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1"
|
@ -5,58 +5,196 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
|
||||
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
|
||||
#echo "## kver: $kver"
|
||||
|
||||
## Disables the merging of slabs of similar sizes.
|
||||
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
||||
## This configuration file is split into 3 sections:
|
||||
## 1. Kernel Space
|
||||
## 2. Direct Memory Access
|
||||
## 3. Entropy
|
||||
## 4. Networking
|
||||
|
||||
## See the documentation below for details on the majority of the selected commands.
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||
## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
|
||||
|
||||
## 1. Kernel Space:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
|
||||
|
||||
## Disable merging of slabs with similar size.
|
||||
## Reduces the risk of triggering heap overflows.
|
||||
## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
|
||||
##
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
|
||||
## Enables sanity checks (F) and redzoning (Z).
|
||||
## Disabled due to kernel deciding to implicitly disable kernel pointer hashing
|
||||
## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
|
||||
## Zero memory at allocation time and free time.
|
||||
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
||||
## Mitigates use-after-free exploits by erasing sensitive information in memory.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
||||
|
||||
## Zero memory at allocation and free time.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
|
||||
|
||||
## Machine check exception handler decides whether the system should panic or not based on the exception that happened.
|
||||
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
||||
|
||||
## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||
|
||||
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
||||
|
||||
## Enables page allocator freelist randomization.
|
||||
## Enable the kernel page allocator to randomise free lists.
|
||||
## During early boot the page allocator has predictable FIFO behaviour for physical pages.
|
||||
## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
|
||||
## Also improves performance by optimising memory-side cache utilisation.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
||||
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
||||
|
||||
## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
|
||||
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
|
||||
## Mitigates the Meltdown CPU vulnerability.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||
|
||||
## Enable randomisation of the kernel stack offset on syscall entries.
|
||||
## Hardens against memory corruption attacks due to increased entropy.
|
||||
## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
|
||||
##
|
||||
## https://lkml.org/lkml/2019/3/18/246
|
||||
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
|
||||
|
||||
## Enables kernel lockdown.
|
||||
## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
|
||||
## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
|
||||
##
|
||||
## Disabled for now as it enforces module signature verification which breaks
|
||||
## too many things.
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
||||
## https://lwn.net/Articles/446528/
|
||||
## https://en.wikipedia.org/wiki/VDSO
|
||||
##
|
||||
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
||||
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
||||
#fi
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
||||
|
||||
## Gather more entropy during boot.
|
||||
## Restrict access to debugfs by not registering the file system.
|
||||
## Deactivated since the file system can contain sensitive information.
|
||||
##
|
||||
## Requires linux-hardened kernel patch.
|
||||
## https://github.com/anthraxx/linux-hardened
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
|
||||
|
||||
## Restrict access to debugfs since it can contain a lot of sensitive information.
|
||||
## https://lkml.org/lkml/2020/7/16/122
|
||||
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
|
||||
## Force the kernel to panic on "oopses" (which may be due to false positives)
|
||||
## Force the kernel to panic on "oopses".
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Also cause panics on machine check exceptions.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
##
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
## Implemented differently:
|
||||
## /usr/libexec/security-misc/panic-on-oops
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
|
||||
|
||||
## Modify machine check exception handler.
|
||||
## Can decide whether the system should panic or not based on the occurrence of an exception.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
|
||||
## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
|
||||
## https://forums.whonix.org/t/kernel-hardening/7296/494
|
||||
##
|
||||
## The default kernel setting will be utilised until provided sufficient evidence to modify.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
||||
|
||||
## Prevent sensitive kernel information leaks in the console during boot.
|
||||
## Must be used in combination with the kernel.printk sysctl.
|
||||
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
|
||||
## https://wiki.archlinux.org/title/silent_boot
|
||||
##
|
||||
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
||||
|
||||
## Disable support for x86 processes and syscalls.
|
||||
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
|
||||
##
|
||||
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
|
||||
##
|
||||
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#ia32_emulation=0
|
||||
|
||||
## 2. Direct Memory Access:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
|
||||
|
||||
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
|
||||
|
||||
## Enable and force use of IOMMU translation to protect against DMA attacks.
|
||||
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
|
||||
## Ensures devices will never be able to access stale data contents.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
|
||||
## https://en.wikipedia.org/wiki/DMA_attack
|
||||
## https://lenovopress.lenovo.com/lp1467.pdf
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
||||
|
||||
## Disable the busmaster bit on all PCI bridges during the early boot process.
|
||||
## Patches weak-point in some existing IOMMU implementations.
|
||||
## May lead to issues such as complete system boot failure on certain devices.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
## https://mjg59.dreamwidth.org/54433.html
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
|
||||
## 3. Entropy:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
|
||||
|
||||
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
|
||||
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
|
||||
## Numerous implementations of RDRAND have a long history of being defective.
|
||||
## The RNG seed passed by the bootloader could also potentially be tampered.
|
||||
## Maximising the entropy pool at boot is desirable for all cryptographic operations.
|
||||
## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
|
||||
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||
## https://systemd.io/RANDOM_SEEDS/
|
||||
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
|
||||
## https://x.com/pid_eins/status/1149649806056280069
|
||||
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
|
||||
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
|
||||
## https://github.com/NixOS/nixpkgs/pull/165355
|
||||
## https://lkml.org/lkml/2022/6/5/271
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
||||
|
||||
## Obtain more entropy during boot as the runtime memory allocator is being initialised.
|
||||
## Entropy will be extracted from up to the first 4GB of RAM.
|
||||
## Requires the linux-hardened kernel patch.
|
||||
##
|
||||
## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
|
||||
## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
|
||||
## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
|
||||
|
||||
## 4. Networking
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
|
||||
|
||||
## Disable the entire IPv6 stack functionality.
|
||||
## Removes attack surface associated with the IPv6 module.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
|
||||
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
|
||||
##
|
||||
## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
|
||||
##
|
||||
#ipv6.disable=1
|
@ -1,8 +0,0 @@
|
||||
## Requires every module to be signed before being loaded.
|
||||
## Any module that is unsigned or signed with an invalid key cannot be loaded.
|
||||
## This makes it harder to load a malicious module.
|
||||
##
|
||||
## Not enabled by default yet due to issues:
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
||||
## https://github.com/dell/dkms/issues/359
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
@ -1,16 +1,25 @@
|
||||
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Remount Secure provides enhanced security via mmount options:
|
||||
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
|
||||
|
||||
## Option A (No Security):
|
||||
## Disable Remount Secure.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
|
||||
|
||||
## Re-mount with nodev, nosuid only.
|
||||
## Option B (Low Security):
|
||||
## Re-mount with nodev and nosuid only.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
|
||||
|
||||
## Re-mount with nodev, nosuid and most with noexec except for /home.
|
||||
## Option C (Medium Security):
|
||||
## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
|
||||
|
||||
## Re-mount with nodev, nosuid and all with noexec including /home.
|
||||
## Option D (Highest Security)
|
||||
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
|
25
etc/default/grub.d/40_signed_modules.cfg
Normal file
25
etc/default/grub.d/40_signed_modules.cfg
Normal file
@ -0,0 +1,25 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Require every kernel module to be signed before being loaded.
|
||||
## Any module that is unsigned or signed with an invalid key cannot be loaded.
|
||||
## This prevents all out-of-tree kernel modules unless signed.
|
||||
## This makes it harder to load a malicious module.
|
||||
##
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
||||
## https://github.com/dell/dkms/issues/359
|
||||
##
|
||||
## Not enabled by default yet due to several issues.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
||||
|
||||
## Enable kernel lockdown to enforce security boundary between user and kernel space.
|
||||
## Confidentiality mode enforces module signature verification.
|
||||
##
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
||||
##
|
||||
## ## Not enabled by default yet due to several issues.
|
||||
##
|
||||
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
||||
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
||||
#fi
|
@ -1,27 +0,0 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Prevent kernel info leaks in console during boot.
|
||||
## https://phabricator.whonix.org/T950
|
||||
|
||||
## LANG=C str_replace is provided by package helper-scripts.
|
||||
|
||||
## The following command actually removed "quiet" from the kernel command line.
|
||||
## If verbosity is desired, the user might want to keep this line.
|
||||
## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
|
||||
|
||||
## If verbosity is desired, the user might want to out-comment the following line.
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0"
|
||||
|
||||
## NOTE:
|
||||
## After editing this file, running:
|
||||
## sudo update-grub
|
||||
## is required.
|
||||
##
|
||||
## If higher verbosity is desired, the user might also want to delete file
|
||||
## /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
## (or out-comment its settings).
|
||||
##
|
||||
## Alternatively, the user could consider to install the debug-misc package,
|
||||
## which will undo the settings found here.
|
29
etc/default/grub.d/41_quiet_boot.cfg
Normal file
29
etc/default/grub.d/41_quiet_boot.cfg
Normal file
@ -0,0 +1,29 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Some default configuration files automatically include the "quiet" parameter.
|
||||
## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
|
||||
## LANG=C str_replace is provided by package helper-scripts.
|
||||
##
|
||||
## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
|
||||
##
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
|
||||
|
||||
## Prevent sensitive kernel information leaks in the console during boot.
|
||||
## Must be used in combination with the kernel.printk sysctl.
|
||||
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
|
||||
## https://wiki.archlinux.org/title/silent_boot
|
||||
##
|
||||
## For easier debugging, these are not applied to the recovery boot option.
|
||||
## Switch the pair of commands to universally apply parameters to all boot options.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
|
||||
|
||||
## For Increased Log Verbosity:
|
||||
## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
|
||||
## Alternatively, installing the debug-misc package will undo these settings.
|
Loading…
Reference in New Issue
Block a user