Kernel Hardening - security-misc

“page_poison=1” and the P on the “slub_debug” option are mainly used for Tails’ RAM poisoning. These may improve security anyway by preventing some use-after-free vulnerabilities. These might not work properly in a VM as it doesn’t have access to all of the host’s RAM.

“mce=0” is only useful for ECC memory. It might be good to have just in case, but it also might not work properly in a VM.

“vsyscall=none” disables vsyscalls which were removed so this setting is redundant.

The rest except “slab_nomerge” seems to be related to live mode or some other features unrelated to security.

It seems to be enabled by default now. I didn’t know that. I checked Whonix and it’s enabled there too.

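Added example, not part of the original post or of security-misc: a small shell check that reports which of the parameters discussed above appear on a kernel command line, including whether the P flag is among the “slub_debug” flags. The function names and the sample command line are constructed for illustration; it only inspects the command-line string and does not show whether the running kernel honours a setting.

```shell
#!/bin/sh
# Constructed sample command line, not taken from a real system.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro slab_nomerge slub_debug=FZP page_poison=1 vsyscall=none'

# param_value CMDLINE NAME (hypothetical helper)
# Prints the value of the last occurrence of NAME (empty for a bare flag).
# Returns 0 if NAME is present, 1 if it is absent.
param_value() {
    found=1; value=
    set -f                      # no glob expansion while splitting tokens
    for tok in $1; do
        case $tok in
            "$2")    found=0; value= ;;
            "$2="*)  found=0; value=${tok#*=} ;;
        esac
    done
    set +f
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    return "$found"
}

# slub_poison_enabled CMDLINE (hypothetical helper)
# Returns 0 if slub_debug requests poisoning: either the P flag is among the
# flag letters before the first comma, or slub_debug has no flags at all,
# which the kernel treats as full debugging.
slub_poison_enabled() {
    v=$(param_value "$1" slub_debug) || return 1
    [ -z "$v" ] && return 0
    flags=${v%%,*}              # drop the optional ",<slab names>" suffix
    case $flags in *P*) return 0 ;; *) return 1 ;; esac
}

# report CMDLINE: one status line per parameter named in the post.
report() {
    for p in page_poison mce vsyscall slab_nomerge; do
        if v=$(param_value "$1" "$p"); then
            echo "$p: present${v:+ (=$v)}"
        else
            echo "$p: absent"
        fi
    done
    if slub_poison_enabled "$1"; then
        echo "slub_debug: P (poisoning) set"
    else
        echo "slub_debug: P (poisoning) not set"
    fi
}

# Uses the constructed sample unless a command line is passed as $1.
report "${1:-$SAMPLE_CMDLINE}"
```

To check a running system, pass the real command line as the first argument, for example the contents of /proc/cmdline.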