45 changes: 24 additions & 21 deletions README.md
@@ -46,12 +46,12 @@ configuration file and significant hardening is applied to a myriad of component

- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting
will force an immediate system reboot as opposed to placing any reliance on the oom_killer
to avoid arbitrarily terminating security features based on their OOM score. Note this
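Review bot: moving the panic-on-oops/WARN bullet below the reboot-on-panic bullet breaks the cross-reference in the unchanged OOM bullet that follows: "which with the above setting will force an immediate system reboot" was pointing at the reboot-on-panic setting, but the bullet directly above it is now the oops/WARN one, which does not reboot by itself. Either keep the reboot bullet immediately before the OOM bullet, or reword the reference to name the setting, e.g. "combined with the immediate reboot on panic described above". The original order also reads more naturally, since the oops/WARN bullet is the trigger and the reboot bullet the consequence.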
@@ -224,9 +224,6 @@ Kernel space:
- Enable the kernel page allocator to randomize free lists to limit some data
exfiltration and ROP attacks, especially during the early boot process.

- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase
KASLR effectiveness and also mitigate the Meltdown CPU vulnerability.

Comment on lines -227 to -229
Contributor


There isn't anywhere else in the README that appears to mention kernel page table isolation, so this shouldn't be removed.

- Enable randomization of the kernel stack offset on syscall entries to harden
against memory corruption attacks.

@@ -236,15 +233,15 @@ Kernel space:
- Restrict access to debugfs by not registering the file system since it can
contain sensitive information.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
upon using out of specification hardware, bad page states, ACPI tables being overridden,
severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also
severe firmware bugs, in-kernel tests run, or mutating `fwctl` debug operations. It can also
include the loading of proprietary or out-of-tree modules.

- Prevent sensitive kernel information leaks in the console during boot.
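Review bot: this is the same two-bullet swap as in the first hunk, so the two sections stay consistent with each other, which is good; whichever order is settled on there should be mirrored here. The same reading-order point applies: the reboot-on-panic bullet presupposes a panic, so listing the oops/WARN trigger first is the clearer sequence. The backticks added around `fwctl` match the existing `WARN()` and `ptrace()` formatting in the file and are fine.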
@@ -262,14 +259,14 @@ Kernel space:
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends.

- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
- Restrict processes from modifying their own memory mappings unless actively done via
`ptrace()` for debugging in order to limit self-modification which can trigger exploits.

- Prevent runaway privileged processes from writing to block devices that are mounted by
filesystems to protect against filesystem corruption and kernel crashes.

- Restrict processes from modifying their own memory mappings unless actively done via
`ptrace()` in order to limit self-modification which can trigger exploits.
- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.

Direct memory access:

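Review bot: as rendered, the moved SME/SEV bullet sits directly against the `ptrace()` bullet with no blank line between them, while two consecutive blank lines are left before "Direct memory access:"; since both bullets are being rewritten anyway, add the separating blank line and drop the extra trailing one so every bullet in this group is separated like the rest of the README. Separately, elsewhere in the file the "Optional -" items follow the non-optional ones in their group (the OOM and tainted-kernel bullets in the earlier hunks), so moving the optional SME/SEV bullet to the head of this group departs from that convention; keeping it last, as before, would be consistent. The added "for debugging" on the `ptrace()` bullet is a helpful clarification.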
@@ -283,16 +280,13 @@ Entropy:

- Do not credit the CPU seeds as an entropy source at boot in order to maximize the
absolute quantity of entropy in the combined pool. This is desirable for all
cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU
cryptographic operations to avoid reliance on proprietary RDRAND and RDSEED CPU
instructions for random number generation that have long history of being defective.

- Do not credit the bootloader seeds as an entropy source at boot to maximize the
absolute quantity of entropy in the combined pool. This is desirable for all
cryptographic operations as seeds passed by the bootloader could be tampered.

- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized.

- Obtain more entropy at boot from RAM as the runtime memory allocator is being
initialized to maximize the absolute quantity of entropy in the combined pool.

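Review bot: dropping the comma in "desirable for all cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU instructions" changes the reading: with the comma the clause explains why the seed is not credited, without it the sentence reads as though the cryptographic operations themselves avoid the instructions. Keep the comma or split into two sentences. While this paragraph is open, the unchanged "instructions for random number generation that have long history of being defective" should read "that have a long history of being defective". Removing the duplicated "Obtain more entropy at boot from RAM" bullet is correct, and the retained wording with the "maximize the absolute quantity of entropy" rationale matches the two bullets above it.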
@@ -321,23 +315,32 @@ there are a few cases of partial or non-compliance due to technical limitations.
More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
the KSPP's recommendations.

**Partial compliance:**

1. Kernel boot parameter `proc_mem.force_override=never`

Restrict processes from modifying their own memory mappings by completely disables use of
`/proc/PID/mem` to write to protected pages. Can be enabled easily if required.

* [security-misc pull request #332](https://github.com/Kicksecure/security-misc/pull/332)

**Non-compliance:**

1. `sysctl user.max_user_namespaces=0`
2. `sysctl user.max_user_namespaces=0`

Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.

* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)

2. `sysctl fs.binfmt_misc.status=0`
3. `sysctl fs.binfmt_misc.status=0`

Disables the registration of interpreters for miscellaneous binary formats. Currently not
feasible due to compatibility issues with Firefox.

* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)

3. Kernel boot parameter `hash_pointers=always`
4. Kernel boot parameter `hash_pointers=always`

Force all exposed pointers to be hashed and must be used in combination with the already enabled
`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17.
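Review bot: the Non-compliance list is renumbered to 2., 3., 4. so it no longer starts at 1; Markdown renders an ordered list from its first number, so the list under its own "Non-compliance" heading will start at 2, which reads as though an item is missing. Either restart it at 1 (it is a separate list) or merge both lists under one heading. In the new partial-compliance entry, "by completely disables use of `/proc/PID/mem`" should be "by completely disabling use of `/proc/PID/mem`", and it would help to state which value the package applies instead of `never`, since the earlier "Restrict processes from modifying their own memory mappings unless actively done via `ptrace()`" bullet is the setting this entry is partial against. In the unchanged `hash_pointers=always` entry, "Currently is not possible as requires Linux kernel >= 6.17" should read "Currently not possible as it requires Linux kernel >= 6.17".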
2 changes: 1 addition & 1 deletion debian/security-misc-desktop.install
@@ -5,8 +5,8 @@

## This file was generated using 'genmkfile debinstfile'.

etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop
etc/bluetooth/30_security-misc.conf#security-misc-desktop => /etc/bluetooth/30_security-misc.conf
etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop
Comment on lines -8 to +9
Contributor


Can we revert the changes to this and the other install file? These don't really have to be sorted, and once ArrayBolt3/genmkfile@31d3171 gets merged these files will automatically get sorted when needed.

usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop => /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf