PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Code

Update content/posts/linux/Desktop-Linux-Hardening.md

Browse Source 
Co-authored-by: WfKe9vLwSvv7rN <96372288+WfKe9vLwSvv7rN@users.noreply.github.com>
Signed-off-by: Raja Grewal <rg_public@proton.me>
This commit is contained in:
Raja Grewal 2022-11-27 11:40:18 +00:00 committed by GitHub
parent 16ac651487
commit dc28dd7fec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
content/posts/linux/Desktop-Linux-Hardening.md
View File

@ -284,7 +284,8 @@ random.trust_cpu=off random.trust_bootloader=off
As sources of initial entropy at boot, both the CPU and bootloader should be [distrusted](https://lkml.org/lkml/2022/6/5/271). For CPUs, the RBRAND instructions set is [impossible to audit](https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand), and moving forward as a precaution, the bootloader should be treated identically. Note that both of these kernel parameters will increase boot time.
- DMA mitigations
#### DMA mitigations
```
intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1
```