From dabcaf22e1006cc60297c55e3e254f080562d552 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:28:03 +1000
Subject: [PATCH 01/19] enforce default kernel.randomize_va_space

---
 etc/sysctl.d/30_security-misc.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 80afdc8..31666a7 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -60,6 +60,8 @@ kernel.yama.ptrace_scope=2
 ## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0
+## Randomize the addresses for mmap base, heap, stack, and VDSO pages
+kernel.randomize_va_space=2
 #### meta start
 #### project Kicksecure
@@ -157,4 +159,3 @@ kernel.perf_event_paranoid=3
 # Do not accept router advertisments
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
-

From 79156262c9e3fe92344847b627afc64b2c7f7717 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:29:42 +1000
Subject: [PATCH 02/19] enforce default net.ipv4.icmp_ignore_bogus_error_responses

---
 etc/sysctl.d/30_security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 31666a7..846c8b0 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -90,6 +90,9 @@ net.ipv6.conf.default.accept_redirects=0
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+## Ignores bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
 ## Enables TCP syncookies.
 net.ipv4.tcp_syncookies=1

From 57b5b2145c4e6779f0b879ee4199d46938f20965 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:30:43 +1000
Subject: [PATCH 03/19] enforce defualt net.ipv4.ip_forward

---
 etc/sysctl.d/30_security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)
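Review bot: The new comment line `## Randomize the addresses for mmap base, heap, stack, and VDSO pages` ends without the period that every neighbouring comment in this file uses (`## Prevent setuid processes from creating coredumps.`, `## Ignores ICMP requests.`), and the same applies to the `net.ipv4.icmp_ignore_bogus_error_responses` hunk of patch 02 and the `net.ipv4.ip_forward` hunk of patch 03. Since the subject says 2 is already the kernel default, the comment should say why the line exists at all, e.g. `## Randomize the addresses for mmap base, heap, stack, and VDSO pages (already the kernel default; pinned here so another sysctl file cannot lower it).` Note that sysctl.d fragments are applied in lexical filename order, so a fragment sorting after 30_security-misc.conf can still override this value; "enforce" in the commit title holds only relative to earlier fragments and the compiled-in default.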
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 846c8b0..1b93769 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -108,6 +108,9 @@ net.ipv6.conf.default.accept_source_route=0
 net.ipv4.conf.default.rp_filter=1
 net.ipv4.conf.all.rp_filter=1
+## Disables IP forwarding (we are not a router!)
+net.ipv4.ip_forward=0
+
 #### meta end

From f572332108c06eb77d24e776910463e69d49acd3 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:32:03 +1000
Subject: [PATCH 04/19] disable slub_debug

---
 etc/default/grub.d/40_kernel_hardening.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 929d71f..ed6039c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -10,7 +10,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## Enables sanity checks (F) and redzoning (Z).
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
+## Disabled due to kernel deciding to implicitly disable kernel pointer hashing
+## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
 ## Zero memory at allocation and free time.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"

From 74858d257b8de40f082ce21241e680a5eeaf4053 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:34:35 +1000
Subject: [PATCH 05/19] enable randomize_kstack_offset

---
 etc/default/grub.d/40_kernel_hardening.cfg | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index ed6039c..f3d6487 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
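Review bot: After this hunk the unchanged line `## Enables sanity checks (F) and redzoning (Z).` still sits directly above the now commented-out `slub_debug=FZ` assignment, so the block reads as if the option were active until the reader reaches the third line. Put the current state first, e.g. `## Sanity checks (F) and redzoning (Z) are NOT enabled: slub_debug makes the kernel implicitly disable kernel pointer hashing (see commit below).` and keep the existing commit link under it. The README hunk in patch 10 drops the corresponding sanity-check and redzoning bullets, which is consistent with this change; the file continues beyond the hunk on both sides.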
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -29,6 +29,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ## Enables page allocator freelist randomization.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
+## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
+## https://lkml.org/lkml/2019/3/18/246
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
+
 ## Enables kernel lockdown.
 ##
 ## Disabled for now as it enforces module signature verification which breaks

From d0779a96fc054df925523a76510c1aae5d672f96 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:36:34 +1000
Subject: [PATCH 06/19] add reference

---
 etc/default/grub.d/40_distrust_cpu.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg
index f7610d3..5910d55 100644
--- a/etc/default/grub.d/40_distrust_cpu.cfg
+++ b/etc/default/grub.d/40_distrust_cpu.cfg
@@ -8,4 +8,5 @@
 ## https://twitter.com/pid_eins/status/1149649806056280069
 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
 ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://lkml.org/lkml/2022/6/5/271
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"

From 33df16af805597057c7aad0d5a4fb135ed9e286b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:37:03 +1000
Subject: [PATCH 07/19] disables random.trust_bootloader

---
 etc/default/grub.d/40_distrust_bootloader.cfg | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 etc/default/grub.d/40_distrust_bootloader.cfg

diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg
new file mode 100644
index 0000000..2174db2
--- /dev/null
+++ b/etc/default/grub.d/40_distrust_bootloader.cfg
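Review bot: The new comment spells `randomisation` while the context line two lines above uses `freelist randomization` and the parameter itself is `randomize_kstack_offset`; keep one spelling per file, e.g. `## Enables randomization of the kernel stack offset on syscall entries (introduced in kernel 5.13).` The cited lkml thread is from 2019 and predates the feature the comment dates to 5.13, so the kernel-parameters.txt entry for `randomize_kstack_offset` would be the more direct reference, in the style the `debugfs=off` block later in this file already uses. Older kernels that do not know the parameter simply ignore it, which is harmless but worth one line so nobody reads the 5.13 note as a hard requirement. The README bullet added in patch 10 carries the same spelling split.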
@@ -0,0 +1,7 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Distrusts the bootloader for initial entropy at boot.
+##
+## https://lkml.org/lkml/2022/6/5/271
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"

From a47922ad28fc9ebba93615a6ffdaaeb4887cc140 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:47:07 +1000
Subject: [PATCH 08/19] enforce of IOMMU TLB invalidation

---
 etc/default/grub.d/40_enable_iommu.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index f4aa582..8d395d2 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -10,3 +10,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
 ## https://mjg59.dreamwidth.org/54433.html
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
+## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
+## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1"

From 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 21:10:39 +1000
Subject: [PATCH 09/19] Revert "enforce defualt net.ipv4.ip_forward"

This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965.
---
 etc/sysctl.d/30_security-misc.conf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 1b93769..846c8b0 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
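Review bot: `## Distrusts the bootloader for initial entropy at boot.` labels the setting without saying what changes: with `random.trust_bootloader=off` a seed handed over by the bootloader is still mixed into the pool, it is just no longer credited towards initializing the CRNG. Suggest `## Do not credit entropy supplied by the bootloader towards CRNG initialization (the seed is still mixed in, just not trusted on its own).` as the first line. Combined with `random.trust_cpu=off` in 40_distrust_cpu.cfg this means early-boot consumers of randomness may block until other sources have accumulated, which is worth stating so a slower boot is not reported as a bug. Kernels that do not know the parameter ignore it, as far as I know, so the new file is safe to ship unconditionally.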
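Review bot: The reference `https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97` points at a moving branch, so the `#L97` anchor will drift onto an unrelated option; the context line in this same file pins its kernel reference to a commit id via git.kernel.org, and this one should do the same (`.../blob/<commit-id>/drivers/iommu/Kconfig#L97`, with `<commit-id>` filled in). The first comment line also overstates the effect: `iommu.strict=1` makes IOTLB invalidation synchronous with unmap instead of deferred/batched, which closes the window in which a device could still use a just-unmapped mapping, so `## Invalidate IOMMU TLB entries synchronously on unmap (strict mode) so a device cannot keep using a mapping the kernel has already torn down.` describes it more accurately than "never be able to access stale data contents". One line noting that strict mode can cost DMA throughput on busy devices would document the trade-off the setting makes. The enclosing file ends with this hunk.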
@@ -108,9 +108,6 @@ net.ipv6.conf.default.accept_source_route=0
 net.ipv4.conf.default.rp_filter=1
 net.ipv4.conf.all.rp_filter=1
-## Disables IP forwarding (we are not a router!)
-net.ipv4.ip_forward=0
-
 #### meta end

From 2b237039cf1db66100f7f0bb4880981ee0489abf Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 22:25:53 +1000
Subject: [PATCH 10/19] Update README.md

---
 README.md | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index d7c9ea4..76ef0fe 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,8 @@ arbitrary code execution in kernel mode.
 * The bits of entropy used for mmap ASLR are increased, therefore improving its effectiveness.
+* Randomises the addresses for mmap base, heap, stack, and VDSO pages.
+
 * Prevents unintentional writes to attacker-controlled files.
 * Prevents common symlink and hardlink TOCTOU races.
@@ -54,19 +56,13 @@ prevents writing potentially sensitive contents of memory to disk.
 ### Boot parameters
-Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf`
-configuration file.
+Boot parameters are outlined in configuration files located in the
+`etc/default/grub.d/` directory.
 * Slab merging is disabled which significantly increases the difficulty of heap exploitation by preventing overwriting objects from merged caches and by making it harder to influence slab cache layout.
-* Sanity checks are enabled which add various checks to prevent corruption
-in certain slab operations.
-
-* Redzoning is enabled which adds extra areas around slabs that detect when
-a slab is overwritten past its real size which can help detect overflows.
-
 * Memory zeroing at allocation and free time is enabled to mitigate some use-after-free vulnerabilities and erase sensitive information in memory.
@@ -83,10 +79,15 @@ are a potential target for ROP.
 * The kernel panics on oopses to thwart certain kernel exploits.
+* Enables randomisation of the kernel stack offset on syscall entries.
+
 * All mitigations for known CPU vulnerabilities are enabled and SMT is disabled.
-* IOMMU is enabled to prevent DMA attacks.
+* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU
+TLB invalidation so devices will never be able to access stale data contents.
+
+* Distrust the 'randomly' generated CPU and bootloader seeds.
 ### Blacklisted kernel modules

From c77a2a78bc48df2af7653a306bd1b046a8f99a6b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 00:37:31 +1000
Subject: [PATCH 11/19] enforce default net.ipv6.icmp_ignore_bogus_error_responses

---
 etc/sysctl.d/30_security-misc.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 846c8b0..0e7bc3d 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -89,6 +89,7 @@ net.ipv6.conf.default.accept_redirects=0
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+net.ipv6.icmp.echo_ignore_all=1
 ## Ignores bogus ICMP error responses
 net.ipv4.icmp_ignore_bogus_error_responses=1

From bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 00:38:32 +1000
Subject: [PATCH 12/19] delete repeated commands

---
 etc/sysctl.d/30_security-misc.conf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 0e7bc3d..3862e1d 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
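Review bot: The commit subject names `net.ipv6.icmp_ignore_bogus_error_responses`, but the only line the hunk adds is `net.ipv6.icmp.echo_ignore_all=1`, placed under the `## Ignores ICMP requests.` heading; the subject should be corrected to the key actually added, and I am not aware of an IPv6 counterpart of `icmp_ignore_bogus_error_responses` that could have been meant instead. `net.ipv6.icmp.echo_ignore_all` only exists on reasonably recent kernels; on an older kernel the sysctl loader reports the missing path when this file is applied and, as far as I know, still sets the remaining keys, which is worth a short comment so the message is not mistaken for a typo in the key. The enclosing file continues past the hunk.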
@@ -84,8 +84,6 @@ net.ipv6.conf.default.accept_redirects=0
 ## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1

From 73f1e233327cc0edec83eac322b7f03bcb7fba22 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 02:29:46 +1000
Subject: [PATCH 13/19] shuffle and rewording

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 39 ++++++++++++-----------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 7d6eb65..1977eeb 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,11 +1,17 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Enables all mitigations for CPU vulnerabilities.
+## Enables all known mitigations for CPU vulnerabilities.
 ##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
-## Enable all mitigations for Spectre Variant 2.
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+##
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
@@ -13,30 +19,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 ## Disable Speculative Store Bypass.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
-## Disable TSX, enable all mitigations for the TSX Async Abort
-## vulnerability and disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
-
-## Enable all mitigations for the MDS vulnerability and disable
-## SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
-
-## Enable all mitigations for the L1TF vulnerability and disable SMT
+## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## Enable mitigations for the MDS vulnerability through clearing buffer cache
+## and disabling SMT.
 ##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## TSX Async Abort along with disabling SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"

From 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 02:30:49 +1000
Subject: [PATCH 14/19] CPU mitigation - SRBDS

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 1977eeb..fa9bd80 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -41,3 +41,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
+
+## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on"

From 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 02:32:41 +1000
Subject: [PATCH 15/19] CPU mitigation - L1D FLushing

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index fa9bd80..9caafb8 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
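Review bot: Two of the reworded comments in the second hunk of this patch misdescribe the mitigation they sit above. `## Enable mitigations for the MDS vulnerability through clearing buffer cache` — the MDS mitigation clears the CPU's internal microarchitectural buffers on return to user space, not the buffer cache, so write `through clearing CPU buffers on return to user space`; and `## Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort` names the vulnerability as if it were the mitigation, since TAA is TSX Asynchronous Abort — write `## Mitigate TSX Asynchronous Abort (TAA) by disabling TSX where possible and otherwise clearing CPU buffers; also disables SMT.` Both linked kernel documents use that terminology. The `nosmt=force` block moved into the first hunk is moved again in patch 18, so its wording is best reviewed there; the file continues past this hunk.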
@@ -46,3 +46,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on"
+
+## Enables the prctl interface to prevent leaks from L1D on context switches.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"

From c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 02:33:16 +1000
Subject: [PATCH 16/19] CPU mitigation - MMIO Stale Data

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 9caafb8..7eb5875 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -51,3 +51,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
+
+## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"

From bfd78a2c06153ebadfee39190055edf0a13958f4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 03:16:08 +1000
Subject: [PATCH 17/19] update SRBDS mitigation

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 7eb5875..4537871 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
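Review bot: `## Enables the prctl interface to prevent leaks from L1D on context switches.` is easy to read as a system-wide flush, but `l1d_flush=on` only makes the `PR_SPEC_L1D_FLUSH` prctl available; nothing is flushed for a task that has not opted in through it. Suggest `## Make the opt-in L1D flush on context switch available to user space (PR_SPEC_L1D_FLUSH); a task must request it via prctl, nothing is flushed by default.` Per the linked document the flush does not protect against a sibling hyperthread, so its value depends on SMT being off, which the `nosmt=force` line elsewhere in this file provides — cross-reference it so the two settings are not decoupled later. Kernels that predate the parameter ignore it. The file ends with this hunk.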
@@ -43,9 +43,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
+## Only mitigated through microcode updates from Intel.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on"
+## https://access.redhat.com/solutions/5142691
 ## Enables the prctl interface to prevent leaks from L1D on context switches.
 ##

From 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Tue, 19 Jul 2022 03:38:41 +1000
Subject: [PATCH 18/19] update details around disabling SMT

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 4537871..a54de29 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -6,11 +6,6 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
-##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
-
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
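Review bot: After this hunk the SRBDS block is a comment with no `GRUB_CMDLINE_LINUX` assignment under it, and the leading line `## Enables mitigations for SRBDS ...` still promises a setting, so it reads like a line that was forgotten rather than dropped on purpose. State the reason in the text, e.g. `## SRBDS (RDRAND/RDSEED data sampling) is mitigated by default once the CPU microcode supports it; as far as I know the kernel only parses srbds=off, so there is nothing to enable here.` That also records why the `srbds=on` line from patch 14 went away, which the subject `update SRBDS mitigation` does not explain. The enclosing file continues past the hunk.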
@@ -48,6 +43,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
 ## Enables the prctl interface to prevent leaks from L1D on context switches.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html

From ca764d8de0f17bb7e6d44e3d79ea1805276fc521 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 20 Jul 2022 04:06:35 +1000
Subject: [PATCH 19/19] force kernel to panic on "oopses"

---
 etc/default/grub.d/40_kernel_hardening.cfg | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index f3d6487..a6dfb3e 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -53,3 +53,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## https://lkml.org/lkml/2020/7/16/122
 ## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
+
+## Force the kernel to panic on "oopses" (which may be due to false positives)
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
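Review bot: `## Force the kernel to panic on "oopses" (which may be due to false positives)` leaves the trade-off implicit: with `oops=panic` an oops that would otherwise only kill the offending task halts the whole system, so a benign driver bug becomes a full outage and any oops a local user can provoke becomes a denial of service. Suggest `## Panic instead of continuing after an oops, so the kernel never runs on in a corrupted state (trade-off: every oops, including a harmless driver bug, now halts the machine).` The README already stated "The kernel panics on oopses" before this commit (context in patch 10), which suggests the sysctl file may already set `kernel.panic_on_oops`; if so, say here that the two are intentionally redundant, and document how the host recovers (the `kernel.panic` reboot-timeout sysctl), since a panic without a reboot timeout leaves a headless machine hung. The file ends with this hunk.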