From 3fa329fc412a61e4debe994072c1293f0ba566db Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 16 Jun 2024 13:05:32 -0700 Subject: [PATCH 1/2] Minor clean up of kernel parameter settings Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 13bf6608c..084ef48b3 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -291,7 +291,7 @@ If you are using Kicksecure or Whonix, most of this hardening is included by def #### Boot Parameters -_See ["2.3 Boot parameters"](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters) in Madaidan's guide and [Kicksecure boot parameters](https://github.com/Kicksecure/security-misc/tree/master/etc/default/grub.d). If desired, [formal documentation of boot parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) is available upstream._ +_See ["2.3 Boot parameters"](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters) in Madaidan's guide. If desired, [formal documentation of boot parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) is available upstream._ Copy these parameters into [your bootloader's configuration](https://wiki.archlinux.org/title/Kernel_parameters#Configuration). On rpm‑ostree distributions, make sure to use `rpm-ostree kargs` rather than editing GRUB configuration directly. 
@@ -305,14 +305,6 @@ mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on Note however that disabling SMT may have a significant performance impact --- [for this reason the popular linux‑hardened kernel for Arch does not disable SMT](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365) by default. Assess your own risk tolerance, and, if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from these parameters. -##### Kernel - -``` -slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off oops=panic quiet loglevel=0 -``` - -Kicksecure does not enforce either `module.sig_enforce=1` or `lockdown=confidentiality` by default as they lead to a lot of hardware compatibility issues; consider enabling these if possible on your system. Additionally, [`mce=0` is no longer recommended](https://forums.whonix.org/t/kernel-hardening/7296/493). - ##### Entropy generation ``` @@ -351,6 +343,14 @@ Further reading: - [Avoiding gaps in IOMMU protection at boot](https://mjg59.dreamwidth.org/54433.html) - [Madaidan: DMA attacks](https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks) +##### Kernel + +``` +slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off +``` + +Consider adding `oops=panic` to the list of kernel parameters as well. This tells the kernel to panic when there are oops error, thus preventing a broken process from being run. However, there may be some harmless errors generated by drivers, and these can cause the system to unexpectedly crash with this parameter. + #### Kernel Modules _See ["2.5.2 Blacklisting kernel modules"](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules) in Madaidan's guide._ 
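Review bot: in the first hunk (`@@ -291,7 +291,7 @@`), dropping the Kicksecure boot-parameters link (`https://github.com/Kicksecure/security-misc/tree/master/etc/default/grub.d`) removes the only pointer to where these parameter lists come from, while the surrounding text still says "If you are using Kicksecure or Whonix, most of this hardening is included by default" and the deleted "Kernel" paragraph further down still refers to what "Kicksecure does not enforce". Either keep the link or add a sentence naming the source the lists are now maintained against, so readers can diff the page against upstream when Kicksecure changes a default.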
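Review bot: the second hunk (`@@ -305,14 +305,6 @@`) deletes more than the commit message "Minor clean up" suggests, and not all of it comes back in the later hunk. Lost without replacement are (a) `quiet loglevel=0` from the parameter line, and (b) the whole paragraph "Kicksecure does not enforce either `module.sig_enforce=1` or `lockdown=confidentiality` by default ... consider enabling these if possible on your system. Additionally, `mce=0` is no longer recommended". That paragraph is the section's only mention of module-signature enforcement and kernel lockdown, which are the parameters with the largest security effect in the block; please move it along with the relocated "Kernel" subsection, or state in the commit message why it was removed. If `quiet loglevel=0` were dropped deliberately because they only affect console output rather than security, say so, since readers comparing against the old list will otherwise assume the omission is accidental.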
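Review bot: in the third hunk (`@@ -351,6 +343,14 @@`), the added explanation "This tells the kernel to panic when there are oops error, thus preventing a broken process from being run" mischaracterises what `oops=panic` does: an oops is a fault inside the kernel, not in a user process, and the point of panicking on it is to stop the kernel from continuing in a possibly corrupted state (the state a partially successful kernel exploit leaves behind). Suggest: "This tells the kernel to panic instead of continuing to run after an oops, so it does not keep executing in a potentially corrupted state." The grammar slip ("oops error") is handled in PATCH 2/2, but the wording problem is not. Separately, the relocated `#####` subsection now sits directly after the DMA section's "Further reading" bullet list, which makes it read as part of that list's section; a one-line note that the kernel parameters are intentionally listed last, or moving the block above "Further reading", would avoid that.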
From d8cf8ab5fd8ab44eaf4c38e7ef627030e514680d Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 16 Jun 2024 15:54:01 -0700 Subject: [PATCH 2/2] Typo fix Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 084ef48b3..d9556a2e1 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -349,7 +349,7 @@ Further reading: slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off ``` -Consider adding `oops=panic` to the list of kernel parameters as well. This tells the kernel to panic when there are oops error, thus preventing a broken process from being run. However, there may be some harmless errors generated by drivers, and these can cause the system to unexpectedly crash with this parameter. +Consider adding `oops=panic` to the list of kernel parameters as well. This tells the kernel to panic when there are oops errors, thus preventing a broken process from being run. However, there may be some harmless errors generated by drivers, and these can cause the system to unexpectedly crash with this parameter. #### Kernel Modules
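Review bot: the typo fix in this hunk (`@@ -349,7 +349,7 @@`) is correct but leaves the inaccurate half of the same sentence in place: "thus preventing a broken process from being run" describes a user-space failure, whereas an oops is a kernel fault and `oops=panic` stops the kernel from continuing in a possibly corrupted state. Since this patch already touches that line, rewording it here ("... panic instead of continuing to run after an oops, so it does not keep executing in a potentially corrupted state") would avoid a third commit for the same sentence.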