Merge pull request #237 from raja-grewal/intel_pmt

Disable some Intel PMT kernel modules

README.md

@@ -210,6 +210,9 @@ disabling should first be blacklisted for a suitable amount of time.
 -   Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the
     Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
 
+-   Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
+    of the Intel PMT components.
+    
 -   Network File Systems: Disable uncommon and legacy network file systems.
 
 -   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.

etc/modprobe.d/30_security-misc_disable.conf

@@ -103,6 +103,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 #install mei_wdt /usr/bin/disabled-intelme-by-security-misc
 #install microread_mei /usr/bin/disabled-intelme-by-security-misc
 
+## Intel Platform Monitoring Technology Telemetry (PMT):
+## Disable some functionality of the Intel PMT components.
+##
+## https://github.com/intel/Intel-PMT
+##
+install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
+
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##

usr/bin/disabled-intelpmt-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+
+exit 1