From d29a616142562492db6c45c299f002100e905828 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 08:39:20 -0400
Subject: [PATCH] minor

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++--
 etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++----
 etc/default/grub.d/40_remount_secure.cfg | 4 ++--
 etc/default/grub.d/41_quiet_boot.cfg | 2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index e303f9f..55b6c17 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -109,9 +109,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"

 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"

-## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
+## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
 ## encompasses E-cores on hybrid architectures.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
\ No newline at end of file
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 8285744..946f2a4 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -82,7 +82,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
 ## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
-## 
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
@@ -157,7 +157,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"

 ## Do not credit the CPU or bootloader seeds as entropy sources at boot.
 ## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
-## Numerous implementations of RDRAND have a long history of being defective. 
+## Numerous implementations of RDRAND have a long history of being defective.
 ## The RNG seed passed by the bootloader could also potentially be tampered.
 ## Maximising the entropy pool at boot is desirable for all cryptographic operations.
 ## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
@@ -191,10 +191,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"

 ## Disable the entire IPv6 stack functionality.
 ## Removes attack surface associated with the IPv6 module.
-## 
 ## https://www.kernel.org/doc/html/latest/networking/ipv6.html
 ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
 ##
 ## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
 ##
-#ipv6.disable=1
\ No newline at end of file
+#ipv6.disable=1
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index c180456..3427bf1 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -1,7 +1,7 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

-## Remount Secure provides enhanced security via mmount options: 
+## Remount Secure provides enhanced security via mmount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure

 ## Option A (No Security):
@@ -20,6 +20,6 @@
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"

 ## Option D (Highest Security)
-## Re-mount with nodev, nosuid, and noexec for all mount points including /home. 
+## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 4beed93..9a23579 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -26,4 +26,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"

 ## For Increased Log Verbosity:
 ## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
-## Alternatively, installing the debug-misc package will undo these settings.
\ No newline at end of file
+## Alternatively, installing the debug-misc package will undo these settings.