raja
July 15, 2024, 12:49pm
38
The following are the bulk of the changes, I am still experimenting with other potential additions.
Kicksecure:master
← raja-grewal:kernel_modules
opened 11:41AM - 15 Jul 24 UTC
Reduces attack surface by expanding the list of disabled kernel modules relating to file systems, GPS, network file systems, network protocols/drivers, Thunderbolt, and some miscellaneous drivers. Also provides option to disable more Bluetooth modules.
Applies some suggestions in Issue https://github.com/Kicksecure/security-misc/issues/224.
## Changes
Updated `security-misc.maintscript`.
Moved some previously blacklisted modules to the disabled list.
Replaces `disabled-vivid-by-security-misc` with a more general `disabled-miscellaneous-by-security-misc` that can be used for other modules.
## Mandatory Checklist
- [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:
[Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint)
## Optional Checklist
The following items are optional but might be requested in certain cases.
- [x] I have tested it locally
- [x] I have reviewed and updated any documentation if relevant
- [ ] I am providing new code and test(s) for it
^ Standard disabling of largely legacy modules. Note a lot of these are superfluous as they link to already disabled modules. However, some of them do not, so I thought it best just to comprehensively disable them.
Kicksecure:master
← raja-grewal:uvcvideo
opened 11:55AM - 15 Jul 24 UTC
Blacklist the `uvcvideo` USB-based video streaming driver for devices like webcams and digital camcorders.
This driver should ideally be only loaded by the kernel when specifically required.
Completely disabling it was first suggested in Issue https://github.com/Kicksecure/security-misc/issues/224.
## Changes
Add `uvcvideo` to blacklist and provide provision for it to be disabled.
## Optional Checklist
The following items are optional but might be requested in certain cases.
- [x] I have tested it locally
- [x] I have reviewed and updated any documentation if relevant
- [ ] I am providing new code and test(s) for it
^ Blacklisting `uvcvideo` could potentially cause breakages for some devices. So kept this as a separate PR. Additionally, for people who never intend to use webcams, etc., they can uncomment a line and disable the module entirely.
Kicksecure:master
← raja-grewal:intel_me
opened 12:24PM - 15 Jul 24 UTC
Disable more Intel Management Engine (ME) kernel modules.
## Changes
Add some Intel ME modules to the list of disabled kernel modules.
## Optional Checklist
The following items are optional but might be requested in certain cases.
- [x] I have tested it locally
- [x] I have reviewed and updated any documentation if relevant
- [ ] I am providing new code and test(s) for it
^ More Intel ME components are specifically disabled.
Kicksecure:master
← raja-grewal:intel_pmt
opened 12:40PM - 15 Jul 24 UTC
Disable some Intel Platform Monitoring Technology Telemetry (PMT) kernel modules.
Disabling was first suggested in Issue https://github.com/Kicksecure/security-misc/issues/224.
## Changes
Add some Intel PMT modules to the list of disabled kernel modules.
Create `disabled-intelpmt-by-security-misc`.
## Optional Checklist
The following items are optional but might be requested in certain cases.
- [x] I have tested it locally
- [x] I have reviewed and updated any documentation if relevant
- [ ] I am providing new code and test(s) for it
^ Disables Intel PMT.
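The post above distinguishes blacklisting a module from disabling it. The following is an added example, not part of the original post or of security-misc's code: in modprobe.d(5) syntax a `blacklist` line only suppresses alias-based auto-loading, while an active `install` line makes modprobe run a command instead of loading the module. The sample config, the `/usr/bin/` handler path and the module `example_mod` are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in modprobe.d(5) syntax; NOT the project's real file.
# The /usr/bin/ location of the handler scripts is an assumption.
sample_conf() {
cat <<'EOF'
## constructed sample
blacklist uvcvideo
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
install vivid /usr/bin/disabled-miscellaneous-by-security-misc
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
blacklist example_mod
EOF
}

# module_state MODULE: reads modprobe.d text on stdin and prints one of
#   disabled             active "install" line replaces loading with a command
#   blacklisted+optional blacklisted; a commented-out "install" line is available
#   blacklisted          auto-loading suppressed, explicit modprobe still loads it
#   unrestricted         no active rule for this module
module_state() {
  awk -v want="$1" '
    function norm(s) { gsub(/-/, "_", s); return s }  # modprobe treats - and _ alike
    BEGIN { want = norm(want) }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      commented = (line ~ /^#/)
      sub(/^#+[ \t]*/, "", line)           # look inside commented-out rules too
      n = split(line, f, /[ \t]+/)
      if (n < 2 || norm(f[2]) != want) next
      if (f[1] == "install" && n >= 3) { if (commented) opt = 1; else dis = 1 }
      else if (f[1] == "blacklist" && !commented) bl = 1
    }
    END {
      if (dis) print "disabled"
      else if (bl && opt) print "blacklisted+optional"
      else if (bl) print "blacklisted"
      else print "unrestricted"
    }'
}

# Demo over the constructed sample.
for m in uvcvideo vivid pmt-telemetry example_mod ext4; do
  printf '%-14s %s\n' "$m" "$(sample_conf | module_state "$m")"
done
```

To audit a real system, pipe the installed files through the same function, for example `cat /etc/modprobe.d/*.conf | module_state uvcvideo`.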