mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2025-02-20 18:31:35 -05:00
Merge d8cf8ab5fd
into 41aa51be81
This commit is contained in:
commit
047794c677
@ -297,14 +297,6 @@ mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on
Note however that disabling SMT may have a significant performance impact --- [for this reason the popular linux‑hardened kernel for Arch does not disable SMT](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365) by default. Assess your own risk tolerance, and, if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from these parameters.
##### Kernel
```
slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off oops=panic quiet loglevel=0
```
Kicksecure does not enforce either `module.sig_enforce=1` or `lockdown=confidentiality` by default as they lead to a lot of hardware compatibility issues; consider enabling these if possible on your system. Additionally, [`mce=0` is no longer recommended](https://forums.whonix.org/t/kernel-hardening/7296/493).
##### Entropy generation
```
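Review bot: the deleted block carries two recommendations that do not reappear in the relocated Kernel section added at -343,6 +335,14: the sentence that Kicksecure leaves `module.sig_enforce=1` and `lockdown=confidentiality` off by default because of hardware-compatibility problems (with the advice to enable them where the system allows), and the note, with its Whonix forum link, that `mce=0` is no longer recommended. If the intent is only to move the Kernel subsection below the DMA section, carry those two sentences over with it; if dropping them is deliberate, the commit message should say so, since readers following the old text will otherwise not learn that signed-module enforcement and lockdown mode are still worth considering. The same applies to `quiet loglevel=0`, which disappears from the parameter line with no replacement: they silence console output rather than harden anything, but anyone who copied the old line should be told the removal is intentional.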
@ -343,6 +335,14 @@ Further reading:
- [Avoiding gaps in IOMMU protection at boot](https://mjg59.dreamwidth.org/54433.html)
- [Madaidan: DMA attacks](https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks)
##### Kernel
```
slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off
```
Consider adding `oops=panic` to the list of kernel parameters as well. This tells the kernel to panic when there are oops errors, thus preventing a broken process from being run. However, there may be some harmless errors generated by drivers, and these can cause the system to unexpectedly crash with this parameter.
#### Kernel Modules
_See ["2.5.2 Blacklisting kernel modules"](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules) in Madaidan's guide._
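Review bot: in the added `oops=panic` paragraph, "thus preventing a broken process from being run" misstates what the parameter does. An oops is a fault inside the kernel, not a process failure; by default the kernel kills the task that was running, prints the trace and carries on with internal state that may already be corrupted, and `oops=panic` makes it halt instead, which is the actual security argument for it. Suggest: "This tells the kernel to panic instead of continuing after an oops, so it does not keep running in a possibly corrupted state." Two caveats belong next to the existing one about harmless driver errors: the same behaviour can be switched on at runtime with the `kernel.panic_on_oops` sysctl, which makes it easy to trial before committing it to the boot line, and any oops that an unprivileged user can trigger becomes a full denial of service once the option is on. Finally, `ia32_emulation=0` in the parameter line is a newer parameter than the rest; kernels that do not know it ignore it without refusing to boot, so readers on older distribution kernels should verify it took effect (for example via `/proc/cmdline` and a 32-bit binary) rather than assume it did.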