I’ve just created it.
3 Likes
Merged.
3 Likes
pti=on, nosmt and mds=full are other boot parameters that increase security.
pit=on enables Kernel Page Table Isolation which mitigates the Meltdown vulnerability and improves KASLR effectiveness. This should mitigate Meltdown without the need of microcode updates. It’s also recommended for use by the KSPP.
nosmt disables SMT which can be used to exploit the MDS vulnerability (another CPU bug).
mds=full enables all mitigations for the MDS vulnerability. See MDS - Microarchitectural Data Sampling — The Linux Kernel documentation
Tails has also updated their kernel hardening design doc with nosmt and mds=full.
https://tails.boum.org/contribute/design/kernel_hardening/
Edit: I created a pull request for them.
1 Like
Would hardening against DMA attacks help anything? I’m not sure if there would be any advantage as Whonix is usually in a virtual machine.
1 Like
Awesome, please keep it coming!
Thanks for the pull request! Enable more kernel hardening parameters by madaidan · Pull Request #10 · Kicksecure/security-misc · GitHub
Any opinion? @HulaHoop
2 Likes
madaidan via Whonix Forum:
Would hardening against DMA attacks help anything? I’m not sure if there would be any advantage as Whonix is usually in a virtual machine.
Useful to add.
security-misc will be installed on Whonix Host; on hardened debian
(rename required); and in Qubes (though not sure @marmarek planned to
install it in dom0 as well) as per:
Also looping in @marmarek so we don’t overstretch the purpose of the
package. Might result in a usability vs security situation where we
overstretch security (in that case, we’d separate the packages).
2 Likes
I’ll create another pull request to blacklist thunderbolt and firewire (they can be used for DMA attacks) and to enable IOMMU.
Are there any other protections I could add (for DMA attacks)?
Looks great!
Here is the kernel manual for 4.19 (Buster kernel version) for anymore good stuff.
https://www.kernel.org/doc/html/v4.19/admin-guide/kernel-parameters.html
2 Likes
Please test this on a system that you know doesn’t have IOMMU so you can see if it causes problems with startup like panics.
2 Likes
Enable more kernel hardening parameters by madaidan · Pull Request #10 · Kicksecure/security-misc · GitHub I am wondering about the syntax.
Is nosmt in itself a valid kernel parameter?
Should that not be mds=full,nosmt? That is what Tails is using as per:
https://git-tails.immerda.ch/tails/plain/config/amnesia
(discourse collecting all the links in the original post is really handy for quick reference of all links ever posted in this forum thread.)
3 Likes
It would read better this way. Because mds on its own is not enough to block all attacks without the second option.
2 Likes
Please protest if this is actually wrong.
I don’t have access to a system that doesn’t have IOMMU but I did test enabling intel IOMMU on an AMD CPU and nothing has broken.
I think it’s right. The kernel docs also puts them as mds=full,nosmt.
I’ve created another pull request for the DMA attack protection.
2 Likes
The readme should also be updated to include all of these changes,
1 Like
Please add to security-misc/debian/control at master · Kicksecure/security-misc · GitHub - readme is generated from that (sometimes, on script manual run).
1 Like
1 Like
1 Like
The text really helped. Well written. Applied a syntax fix on top.
1 Like