diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just
index 00f2285..a2b6a15 100644
--- a/config/files/usr/share/ublue-os/just/60-custom.just
+++ b/config/files/usr/share/ublue-os/just/60-custom.just
@@ -3,11 +3,30 @@ import '100-bling.just'
 # Add additional boot parameters for hardening (requires reboot)
 set-kargs-hardening:
- rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="pti=on" --append="mitigations=auto,nosmt"
+ rpm-ostree kargs \
+ --append-if-missing="init_on_alloc=1" \
+ --append-if-missing="init_on_free=1" \
+ --append-if-missing="slab_nomerge" \
+ --append-if-missing="page_alloc.shuffle=1" \
+ --append-if-missing="randomize_kstack_offset=on" \
+ --append-if-missing="vsyscall=none" \
+ --append-if-missing="debugfs=off" \
+ --append-if-missing="lockdown=confidentiality" \
+ --append-if-missing="random.trust_cpu=off" \
+ --append-if-missing="random.trust_bootloader=off" \
+ --append-if-missing="iommu=force" \
+ --append-if-missing="intel_iommu=on" \
+ --append-if-missing="amd_iommu=force_isolation" \
+ --append-if-missing="iommu.passthrough=0" \
+ --append-if-missing="iommu.strict=1" \
+ --append-if-missing="pti=on" \
+ --append-if-missing="module.sig_enforce=1" \
+ --append-if-missing="mitigations=auto,nosmt"
 set-kargs-hardening-unstable:
 echo "Warning: setting these kargs may lead to boot issues on some hardware."
- rpm-ostree kargs --append="efi=disable_early_pci_dma" --append="module.sig_enforce=1"
+ rpm-ostree kargs \
+ --append-if-missing="efi=disable_early_pci_dma"
 harden-flatpak:
 flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
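Review bot: The change from `amd_iommu=on` to `amd_iommu=force_isolation` in set-kargs-hardening does not account for deployments that already ran the previous version of this recipe: those systems already carry `amd_iommu=on`, and `--append-if-missing` will, as far as I read rpm-ostree's semantics, either skip the new value because the key is present or leave two conflicting `amd_iommu=` arguments on the command line, so the stricter setting is not reliably applied. Adding `--delete-if-present="amd_iommu=on"` to the same `rpm-ostree kargs` invocation (or a preceding one) removes the stale value before the new one is appended, and the same care applies to any argument whose value changes in a later revision. Moving `module.sig_enforce=1` out of the `-unstable` recipe also means any unsigned out-of-tree kernel module will refuse to load after the reboot, which deserves a comment above the recipe, e.g. `# module.sig_enforce=1: unsigned out-of-tree kernel modules will no longer load`.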
diff --git a/config/files/usr/share/ublue-os/just/60-custom.just.readme.md b/config/files/usr/share/ublue-os/just/60-custom.just.readme.md
new file mode 100644
index 0000000..7753493
--- /dev/null
+++ b/config/files/usr/share/ublue-os/just/60-custom.just.readme.md
@@ -0,0 +1,70 @@
+
+**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
+
+`init_on_alloc=1`
+
+**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
+
+`init_on_free=1`
+
+**Disables the merging of slabs, increasing difficulty of heap exploitation**
+
+`slab_nomerge`
+
+**Enables page allocator freelist randomization, reducing page allocation predictability**
+
+`page_alloc.shuffle=1`
+
+**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
+
+`randomize_kstack_offset=on`
+
+**Disable vsyscall as it is both obsolete and enable an ROP attack vector**
+
+`vsyscall=none`
+
+**Disable debugfs to prevent exposure of sensitive kernel information**
+
+`debugfs=off`
+
+**Enable kernel lockdown in the strictest mode**
+
+`lockdown=confidentiality`
+
+**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
+
+`random.trust_cpu=off`
+
+**Disable trusting the use of the a seed passed by the bootloader**
+
+`random.trust_bootloader=off`
+
+**Mitigate DMA attacks by enabling IOMMU**
+
+`iommu=force`
+`intel_iommu=on`
+`amd_iommu=force_isolation`
+
+**Disable IOMMU bypass**
+
+`iommu.passthrough=0`
+
+**Synchronously invalidate IOMMU hardware TLBs**
+
+`iommu.strict=1`
+
+**Enable kernel page table isolation**
+
+`pti=on`
+
+**Only allows kernel modules that have been signed with a valid key to be loaded**
+
+`module.sig_enforce=1`
+
+**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
+
+`mitigations=auto,nosmt`
+
+**Fill IOMMU protection gap by setting the busmaster bit during early boot**
+
+`efi=disable_early_pci_dma`
\ No newline at end of file