Merge pull request #10 from madaidan/patch-6

Enable more kernel hardening parameters
2025-07-21 21:32:13 +07:00 · 2019-06-23 18:45:24 +00:00
parent cd7346699c 2178fb37a8
commit aec6da28e9
1 changed files with 9 additions and 0 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -9,3 +9,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"

 # Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+
+# Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
+
+# Disables smt which can be used to exploit the MDS vulnerability.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt"
+
+# Enables all mitigations for the MDS vulnerability.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full"