From 61941da37509a4bb809212536b79f461a209f584 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 22:38:09 +1000
Subject: [PATCH 1/2] Create `disabled-intelpmt-by-security-misc`
---
usr/bin/disabled-intelpmt-by-security-misc | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100755 usr/bin/disabled-intelpmt-by-security-misc
diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc
new file mode 100755
index 0000000..44f04bc
--- /dev/null
+++ b/usr/bin/disabled-intelpmt-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+
+exit 1
From 724435e56ea059183241044a4fc09423187533eb Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 22:38:43 +1000
Subject: [PATCH 2/2] Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules
---
README.md | 3 +++
etc/modprobe.d/30_security-misc_disable.conf | 9 +++++++++
2 files changed, 12 insertions(+)
diff --git a/README.md b/README.md
index b5cf7a3..d4c965c 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,9 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. +- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality + of the Intel PMT components. + - Network File Systems: Disable uncommon and legacy network file systems. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
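Review bot: In `usr/bin/disabled-intelpmt-by-security-misc`, the `echo` line expands `$@` inside a longer double-quoted string, which mixes a string with an array expansion (ShellCheck SC2145); `$*` states the intent of joining the arguments into the message, as in `echo "$0: ERROR: … | args: $*" >&2`. The message goes to stderr only, so whether a blocked load leaves any record depends on who invoked modprobe, which this patch does not show; if these alerts are meant to be auditable, a `logger` call next to the `echo` would put them in the system log. The header comment could also say that the script is the target of the `install` lines in `/etc/modprobe.d/30_security-misc_disable.conf` and always exits 1 so that the load is reported as failed.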
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index f82ccb6..9cb1156 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -70,6 +70,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc
 
+## Intel Platform Monitoring Technology Telemetry (PMT):
+## Disable some functionality of the Intel PMT components.
+##
+## https://github.com/intel/Intel-PMT
+##
+install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
+
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
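Review bot: The comment block added above the three `install` lines says what is disabled but not why or what stops working, while the next section states its reason (`to reduce attack surface`). If the motivation is the same, a line such as `## Blocks the PMT class, crashlog and telemetry drivers to reduce attack surface; other PMT components are left untouched.` would tell an admin the scope. It is also worth noting in the file that an `install` redirect only intercepts loads made through modprobe, so it sets a default rather than an enforcement boundary against a privileged user. The hunk does not show whether other sections of the file already carry that caveat.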