Kernel Hardening

I’ve just created it.




pti=on, nosmt and mds=full are other boot parameters that increase security.

pit=on enables Kernel Page Table Isolation which mitigates the Meltdown vulnerability and improves KASLR effectiveness. This should mitigate Meltdown without the need of microcode updates. It’s also recommended for use by the KSPP.

nosmt disables SMT which can be used to exploit the MDS vulnerability (another CPU bug).

mds=full enables all mitigations for the MDS vulnerability. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html

Tails has also updated their kernel hardening design doc with nosmt and mds=full.


Edit: I created a pull request for them.

Would hardening against DMA attacks help anything? I’m not sure if there would be any advantage as Whonix is usually in a virtual machine.

Awesome, please keep it coming!

Thanks for the pull request! https://github.com/Whonix/security-misc/pull/10

Any opinion? @HulaHoop

1 Like

madaidan via Whonix Forum:

Would hardening against DMA attacks help anything? I’m not sure if there would be any advantage as Whonix is usually in a virtual machine.

Useful to add.

security-misc will be installed on Whonix Host; on hardened debian
(rename required); and in Qubes (though not sure @marmarek planned to
install it in dom0 as well) as per:

Also looping in @marmarek so we don’t overstretch the purpose of the
package. Might result in a usability vs security situation where we
overstretch security (in that case, we’d separate the packages).

1 Like

I’ll create another pull request to blacklist thunderbolt and firewire (they can be used for DMA attacks) and to enable IOMMU.

Are there any other protections I could add (for DMA attacks)?

Looks great!

Here is the kernel manual for 4.19 (Buster kernel version) for anymore good stuff.



Please test this on a system that you know doesn’t have IOMMU so you can see if it causes problems with startup like panics.


https://github.com/Whonix/security-misc/pull/10 I am wondering about the syntax.

Is nosmt in itself a valid kernel parameter?

Should that not be mds=full,nosmt? That is what Tails is using as per:

(discourse collecting all the links in the original post is really handy for quick reference of all links ever posted in this forum thread.)


It would read better this way. Because mds on its own is not enough to block all attacks without the second option.


Please protest if this is actually wrong.

I don’t have access to a system that doesn’t have IOMMU but I did test enabling intel IOMMU on an AMD CPU and nothing has broken.

I think it’s right. The kernel docs also puts them as mds=full,nosmt.

I’ve created another pull request for the DMA attack protection.


The readme should also be updated to include all of these changes,

1 Like

Please add to https://github.com/Whonix/security-misc/blob/master/debian/control#L19 - readme is generated from that (sometimes, on script manual run).

1 Like
1 Like

Is this right?

1 Like
1 Like

The text really helped. Well written. Applied a syntax fix on top.

1 Like

A post was split to a new topic: kernel recompilation for better hardening

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]