From 2178fb37a85808df0c455f7dd76fc72516d6ff28 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 23 Jun 2019 17:54:34 +0000
Subject: [PATCH] Add more kernel hardening parameters
---
 etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index d1b2038..ec26311 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -9,3 +9,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
 # Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+
+# Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
+
+# Disables smt which can be used to exploit the MDS vulnerability.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt"
+
+# Enables all mitigations for the MDS vulnerability.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full"
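Review bot: The comment on the `nosmt` line misstates the risk and omits the operational cost: SMT is not itself the exploit vector, the issue is that the MDS mitigation is incomplete while a sibling hyper-thread can run untrusted code, and `nosmt` halves the number of usable logical CPUs on every machine that sources this file. I would change it to `# Disables SMT (hyper-threading): MDS mitigations are incomplete while a sibling thread can run untrusted code. Halves the logical CPU count.` so an operator understands what they are trading away. The `mds=full` comment should say the same thing from the other side, e.g. `# Full MDS mitigation; only complete together with nosmt above (the kernel also accepts the combined form mds=full,nosmt).` These parameters (and `pti=on`) are x86-specific; a one-line note that other architectures ignore them would save confusion when this snippet is reused.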