PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Code

Corrections regarding Kicksecure kernel hardening

Browse Source
This commit is contained in:
Raja Grewal 2022-11-09 21:52:55 +11:00
parent 31cd175cfa
commit 0a5f398eaf
No known key found for this signature in database
GPG Key ID: 3AE213D7DCCA7CCB
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
content/posts/linux/Desktop-Linux-Hardening.md
View File

@ -257,12 +257,14 @@ Note that these configurations do not disable unprivileged user namespaces. Ther
Read through this section on how to harden your boot parameters:
- [2.3 Boot Parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
Kicksecure comes with these boot parameters by default. This section is fairly short, so I'd recommend that you read it through. With that being said, here are all of the parameters that you would need:
Kicksecure comes with some of these boot parameters enabled by default. This section is fairly short, so I'd recommend that you read it through. With that being said, here are all of the parameters that you would need:
```
slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force randomize_kstack_offset=on
slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full, mds=full, l1tf=full,force nosmt=force kvm.nx_huge_pages=force randomize_kstack_offset=on
```
Regarding Kicksecure, it [no longer](https://forums.whonix.org/t/kernel-hardening/7296/493) uses `mce=0` and does not enforce either `module.sig_enforce=1` or ` lockdown=confidentiality` as they lead a lot of hardware compatibility issues. They also [add](https://github.com/Kicksecure/security-misc/blob/master/etc/default/grub.d/40_cpu_mitigations.cfg) the `l1d_flush=on` and `mmio_stale_data=full,nosmt` mitigations and apply the additional `extra_latent_entropy` parameter.
Note that [SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly.
### Restricting access to /proc and /sys