mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Update content/posts/linux/Desktop-Linux-Hardening.md

Co-authored-by: WfKe9vLwSvv7rN <96372288+WfKe9vLwSvv7rN@users.noreply.github.com>
Signed-off-by: Raja Grewal <rg_public@proton.me>
This commit is contained in:
Raja Grewal 2022-11-27 11:40:18 +00:00 committed by GitHub
parent 16ac651487
commit dc28dd7fec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -284,7 +284,8 @@ random.trust_cpu=off random.trust_bootloader=off
As sources of initial entropy at boot, both the CPU and bootloader should be [distrusted](https://lkml.org/lkml/2022/6/5/271). For CPUs, the RBRAND instructions set is [impossible to audit](https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand), and moving forward as a precaution, the bootloader should be treated identically. Note that both of these kernel parameters will increase boot time. As sources of initial entropy at boot, both the CPU and bootloader should be [distrusted](https://lkml.org/lkml/2022/6/5/271). For CPUs, the RBRAND instructions set is [impossible to audit](https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand), and moving forward as a precaution, the bootloader should be treated identically. Note that both of these kernel parameters will increase boot time.
- DMA mitigations #### DMA mitigations
``` ```
intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1
``` ```
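Review bot: the context line in this hunk still reads "the RBRAND instructions set", while the link it carries points at the `#rdrand` anchor, so the intended name is RDRAND and the phrase should be the singular "instruction set"; since this commit already touches the adjacent DMA heading, fixing that typo in the same change would be natural. The heading change itself (`- DMA mitigations` to `#### DMA mitigations`) is fine and brings this subsection in line with a heading rather than a stray list item, but the kernel parameter line beneath it (`intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1`) is left with no explanatory sentence of the kind the entropy paragraph above has; a short note on what each of these parameters does would help readers judge the trade-off before copying it.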