From 92669dba186c6ac40ff601fd39639945cd7633c6 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 21 Aug 2022 23:02:44 +1000 Subject: [PATCH 1/2] Comment out machine check exception --- etc/default/grub.d/40_kernel_hardening.cfg | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 5f8476e..30dd19a 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -17,8 +17,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" -## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Machine check exception handler decides whether the system should panic or not based on the exception that happened. +## https://forums.whonix.org/t/kernel-hardening/7296/494 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" From d500205f556ba896417eb0bae1df0144b00ef7b9 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 21 Aug 2022 23:03:13 +1000 Subject: [PATCH 2/2] Update README.md --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index db4fe8e..0e1cf1b 100644 --- a/README.md +++ b/README.md @@ -68,9 +68,6 @@ use-after-free vulnerabilities and erase sensitive information in memory. * Page allocator freelist randomization is enabled. -* The machine check tolerance level is decreased which makes the kernel panic -on uncorrectable errors in ECC memory that could be exploited. - * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
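Review bot: In the 40_kernel_hardening.cfg hunk, the replacement comment describes what the machine check exception handler does but not why the `mce=0` hardening line is being dropped or what behaviour the system falls back to once it is commented out; the only rationale is the external forum link, which can disappear. Suggest stating the reason inline, e.g. `## mce=0 is no longer set; the kernel default MCE tolerance is kept because ...`, so the config file is self-explanatory. Also consider removing the `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"` line outright rather than leaving a commented-out option that readers may simply re-enable without understanding the trade-off; the git history already preserves the old setting.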
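Review bot: In the README.md hunk, the bullet about the machine check tolerance level is deleted, which keeps the README consistent with PATCH 1/2, but users of earlier versions of this config will see the `mce=0` setting vanish with no explanation in the user-facing documentation. Suggest replacing the removed bullet with a one-line note that the machine check tolerance is deliberately left at the kernel default (with the same rationale given in 40_kernel_hardening.cfg) rather than dropping the topic silently, so the README stays in step with the commented-out line in the GRUB fragment.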