V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 41s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -155,15 +155,15 @@ grub_parameter:
- "iommu=force"
##############################################################################################################################
# Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to access stale data contents. #
# Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to access stale data contents.
# iommu.passthrough=0
# Prevents devices from operating in identity-mapped passthrough mode. Without this parameter (or with =1), devices could be
# passed through without being monitored by the IOMMU in a truly restrictive manner. From a security standpoint,
# iommu.passthrough=0 is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices. #
# iommu.passthrough=0 is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.
# iommu.strict=1
# Enables Strict Mode for dma-iommu.c (i.e., all DMA transactions are validated synchronously). Without this parameter, the
# kernel often runs in lazy mode, where mapping caches are used.
# Performance vs. security: strict=1= more secure, but potentially slower, especially with many small DMA transfers. #
# Performance vs. security: strict=1= more secure, but potentially slower, especially with many small DMA transfers.
# https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
# Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
##############################################################################################################################
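Review bot: the "Performance vs. security" line whose trailing "#" is dropped in this hunk still carries a stray "=" in "strict=1= more secure"; make it "strict=1 = more secure" or "strict=1 is more secure". The block also documents iommu.passthrough=0, but the only list entries visible in this hunk and the next are "iommu=force" and "iommu.strict=1"; if no passthrough entry exists elsewhere in the list, the comment describes a parameter the role does not set. The Kconfig reference is a line number on master (Kconfig#L97), which will drift as the file changes; pin it to a tag or commit hash.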
@@ -171,7 +171,7 @@ grub_parameter:
- "iommu.strict=1"
##############################################################################################################################
# Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU. #
# Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
# https://mjg59.dreamwidth.org/54433.html
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
##############################################################################################################################
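Review bot: the busmaster-bit comment block never names the grub parameter it documents, and the list entry that follows it is outside this hunk, so a reader cannot match the description to a line in the list; put the parameter name on the first comment line, as the other blocks do. To my knowledge the option the linked kernel commit introduces is exposed as efi=disable_early_pci_dma in kernel-parameters.html (treat that as something to verify, not as read from this diff); stating it in the comment lets the entry be checked against the kernel documentation.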
@@ -244,7 +244,7 @@ grub_parameter:
# Automatically adjusted: Depending on CPU family, stepping, microcode.
# Consistency guaranteed: No contradictions between flags possible
# (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
# Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them. #
# Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.
##############################################################################################################################
- "mitigations=auto,nosmt"
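Review bot: "Consistency guaranteed: No contradictions between flags possible" only holds when no per-vulnerability flag is set next to mitigations=auto,nosmt, and later hunks in this change still set nosmt=force, mmio_stale_data=full,force and kvm.nx_huge_pages=force individually, so the guarantee as written is not true for this configuration. Either qualify the sentence (the guarantee covers the flags left to auto) or apply the redundancy argument used for l1tf, mds and tsx to the remaining explicit entries as well.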
@@ -268,21 +268,21 @@ grub_parameter:
##############################################################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
# Enable mitigations for the L1TF vulnerability through disabling SMT and L1D flush runtime control. #
# Enable mitigations for the L1TF vulnerability through disabling SMT and L1D flush runtime control.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
##############################################################################################################################
#- "l1tf=full,force"
##############################################################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
# Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT. #
# Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
##############################################################################################################################
#- "mds=full,nosmt"
##############################################################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
# Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort along with disabling SMT. #
# Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort along with disabling SMT.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
##############################################################################################################################
#- "tsx=off"
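Review bot: the TAA block promises "disabling TSX and enables mitigations using TSX Async Abort along with disabling SMT", but the commented-out entry is "tsx=off" alone, so anyone who re-enables that line gets less than the comment describes; either list the full set of parameters the comment refers to or cut the comment down to what tsx=off does. Two wording points in the three repeated lead sentences: "see before" reads better as "see above", and "Patches the TAA vulnerability" should be "Mitigates the TAA vulnerability", since no patch is applied.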
@@ -295,7 +295,7 @@ grub_parameter:
- "kvm.nx_huge_pages=force"
##############################################################################################################################
# Force disable SMT as it has caused numerous CPU vulnerabilities. The only full mitigation of cross-HT attacks is disabling. #
# Force disable SMT as it has caused numerous CPU vulnerabilities. The only full mitigation of cross-HT attacks is disabling.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
##############################################################################################################################
- "nosmt=force"
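Review bot: the comment does not say why nosmt=force is kept while l1tf, mds and tsx were commented out as redundant with mitigations=auto,nosmt; the difference is that nosmt=force turns SMT off unconditionally whereas the nosmt in mitigations= only does so where a vulnerability requires it, and that stricter behaviour is the justification the block should state. The sentence "The only full mitigation of cross-HT attacks is disabling." is cut short; finish it with "SMT". The linked page is the core-scheduling document, which covers isolating tasks on sibling threads rather than the nosmt parameter; kernel-parameters.html is the fitting reference for this entry.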
@@ -312,7 +312,7 @@ grub_parameter:
# mmio_stale_data=full All known measures active
# mmio_stale_data=full,nosmt Full mitigation + SMT disabling
# mmio_stale_data=auto Activated depending on CPU/microcode
# mmio_stale_data=full,force Forces mitigation even on CPUs that are supposedly not affected. #
# mmio_stale_data=full,force Forces mitigation even on CPUs that are supposedly not affected.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
##############################################################################################################################
- "mmio_stale_data=full,force"
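Review bot: the redundancy argument that commented out l1tf, mds and tsx applies equally to mmio_stale_data=full,force next to mitigations=auto,nosmt, so the block should say why this entry stays explicit. Within the variant list in this block only "full,nosmt" is described as disabling SMT, while "full,force" is described as forcing the mitigation on supposedly unaffected CPUs; make clear that SMT-off on this system comes from nosmt=force / mitigations=auto,nosmt and not from this entry, and confirm the force variant against the linked processor_mmio_stale_data page, since the four-line summary does not cite where that variant is documented.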
@@ -332,7 +332,7 @@ grub_parameter:
# users (such as root) have limited access to kernel data and debug mechanisms.
# 'confidentiality': Maximum restriction to ensure the security and integrity of the system. This prevents direct access to
# hardware and debug interfaces, for example. Useful for highly secure environments as it reduces the attack surface to kernel
# data. However, some applications that require debugging or hardware access may have problems. #
# data. However, some applications that require debugging or hardware access may have problems.
# https://blog.cloudflare.com/de-de/linux-kernel-hardening/
# https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
##############################################################################################################################
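Review bot: "reduces the attack surface to kernel data" reads as if the attack surface is reduced down to kernel data; "reduces the attack surface on kernel data" or "limits access to kernel data" is what is meant. The lockdown entry itself lies outside this hunk, so the block should name on its first comment line which mode (integrity or confidentiality) the role actually sets, otherwise the two mode descriptions leave the reader guessing. The Cloudflare reference is the German-localized URL (/de-de/); prefer the canonical English path so the reference matches the English comment.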
@@ -341,7 +341,7 @@ grub_parameter:
##############################################################################################################################
# Enables 'Read-Only Data Protection', which implements read-only memory areas for kernel data structures. This protects the
# kernel from certain types of exploit (e.g., buffer overflows). 'on': Forces the corresponding areas to remain read-only.
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
##############################################################################################################################
- "rodata=on"
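Review bot: rodata=on pins the kernel default (read-only kernel memory is in force unless rodata=off is passed), so "Enables" overstates what this entry does; say that it pins the default and guards against the option being switched off. The protection covers the kernel's text and read-only data sections rather than "kernel data structures" in general, and "certain types of exploit" should be "certain types of exploits". The reference is pinned to v6.10 (kernel-parameters.html) while the other blocks link /latest/; pick one convention for the file.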
@@ -382,7 +382,7 @@ grub_parameter:
##############################################################################################################################
# Checks every copy_to_user() / copy_from_user()operation. Prevents kernels from accidentally copying unallocated memory to
# userspace. Stop exploits that trigger buffer overflows or use-after-free via copy_*_user(), for example. Effect: Detects
# heap/SLOB abuse, overwrites. Leads to BUG() & stack trace if suspicious access is detected. #
# heap/SLOB abuse, overwrites. Leads to BUG() & stack trace if suspicious access is detected.
##############################################################################################################################
- "hardened_usercopy=1"
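Review bot: hardened_usercopy= only has an effect on a kernel built with CONFIG_HARDENED_USERCOPY, where the check is already on by default, so this entry pins the default rather than enabling the feature; the comment should say so, and the role should not treat the parameter alone as proof the check is active. Wording: "copy_from_user()operation" is missing a space, "Stop exploits" should be "Stops exploits", and "copying unallocated memory" is not what the check does: it verifies that the object being copied lies within one allocation of the stated bounds (slab object, stack frame, or kernel text/data) and rejects copies that span or exceed it. "SLOB" names an allocator removed from recent kernels; "slab" is the general term.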