From bc06efb6e100c861323edd256167e30fc8980118 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 21 Oct 2022 15:20:42 -0400 Subject: [PATCH] Mention Microcode Updates Signed-off-by: Tommy --- content/posts/linux/Desktop-Linux-Hardening.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index c63a3fe..d445ae4 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md @@ -186,6 +186,15 @@ The configuration for this varies per distribution, but typically it can be set Note that unlike on macOS, this will only change the umask for the shell. Files created by running applications will not have their permissions set to 600. +### Microcode updates +You should make sure that your system has microcode updates to get security fixes for vulnerabilities like [Meltdown and Spectre](https://meltdownattack.com/). + +Debian does not ship microcode updates out of the box, so be sure to [enable the non-free repository](https://wiki.debian.org/SourcesList) and install the `microcode` package. + +On Arch Linux, make sure you have the `intel-ucode` or `amd-ucode` package installed. + +Avoid the Linux-libre kernel at all cost, as they actively block [microcode updates to be loaded in runtime](https://www.phoronix.com/news/GNU-Linux-Libre-5.13). If you are looking to use [GUIX](https://guix.gnu.org/en/download/), you should absolutely use something like the [Nonguix](https://gitlab.com/nonguix/nonguix) repository and get the microcode updates. + ### Firmware Updates Hardware vendors typically offer updates to Linux systems through the [Linux Vendor Firmware Service](https://fwupd.org/). You can download the updates using the following commands:
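Review bot: In the Debian paragraph, `microcode` is not an installable package name; Debian ships these as `intel-microcode` and `amd64-microcode`, so name them explicitly, the way the Arch line names `intel-ucode` or `amd-ucode`. The new heading `### Microcode updates` should be title-cased to match the adjacent `### Firmware Updates`. In the last paragraph, "at all cost, as they actively block microcode updates to be loaded in runtime" reads better as "at all costs, as it actively blocks microcode updates from being loaded at runtime", and the project name is spelled "Guix" rather than "GUIX".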