chore: switch to bluebuild's justfile module with validation (#556)

RoyalOughtness
2024-11-11 16:11:37 -08:00
committed by GitHub
parent 702184e3d5
commit e86816d052
9 changed files with 8 additions and 31 deletions

docs/KARGS.md Normal file

@@ -0,0 +1,99 @@
## Included in set-kargs-hardening
**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
`init_on_alloc=1`
**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
`init_on_free=1`
**Disables the merging of slabs, increasing difficulty of heap exploitation**
`slab_nomerge`
**Enables page allocator freelist randomization, reducing page allocation predictability**
`page_alloc.shuffle=1`
**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
`randomize_kstack_offset=on`
**Disable vsyscall as it is both obsolete and enables an ROP attack vector**
`vsyscall=none`
**Enable kernel lockdown in the strictest mode**
`lockdown=confidentiality`
**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
`random.trust_cpu=off`
**Disable trusting the use of the a seed passed by the bootloader**
`random.trust_bootloader=off`
**Mitigate DMA attacks by enabling IOMMU**
`iommu=force`
`intel_iommu=on`
`amd_iommu=force_isolation`
**Disable IOMMU bypass**
`iommu.passthrough=0`
**Synchronously invalidate IOMMU hardware TLBs**
`iommu.strict=1`
**Enable kernel page table isolation**
`pti=on`
**Only allows kernel modules that have been signed with a valid key to be loaded**
`module.sig_enforce=1`
**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
`mitigations=auto,nosmt`
**Turn on spectre_v2 mitigations at boot time for all programs**
`spectre_v2=on`
**Disable spec store bypass for all programs**
`spec_store_bypass_disable=on`
**Enable the mechanism to flush the L1D cache on context switch.**
`l1d_flush=on`
**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasnt been updated to include the mitigation.**
`gather_data_sampling=force`
### Force disable simultaneous multithreading
**Disables this hardware feature on user request, regardless of whether it is affected by known vulnerabilities**
`nosmt=force`
### Additional (unstable) kargs
**Fill IOMMU protection gap by setting the busmaster bit during early boot**
`efi=disable_early_pci_dma`
**Disable debugfs to prevent exposure of sensitive kernel information**
`debugfs=off`
**Disables support for 32-bit processes, and syscalls**
`ia32_emulation=0`
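Review bot: the first entry in the file says `init_on_alloc=1` mitigates use-after-free, but zeroing memory at allocation time addresses reads of uninitialized memory (stale data leaking into a fresh allocation); limiting what a use-after-free can read is what the next entry, `init_on_free=1`, does. Suggest rewording the first bold line to "Zero newly allocated pages and heap objects, mitigating uninitialized-memory disclosure" and leaving the use-after-free wording on the `init_on_free` entry only. Two typos further down: "Disable trusting the use of the a seed passed by the bootloader" has a stray "the", and "hasnt" in the `gather_data_sampling=force` description should be "hasn't". Finally, the `### Force disable simultaneous multithreading` and `### Additional (unstable) kargs` headings sit under `## Included in set-kargs-hardening`, which reads as if `nosmt=force` and the unstable kargs are applied by that same command; if a different recipe sets them, name it under each of those headings so a reader knows what `ujust set-kargs-hardening` actually changes.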


@@ -39,7 +39,7 @@ ujust enroll-secure-boot-key
## Set hardened kargs
> [!NOTE]
> Learn about the hardening applied by the kargs set by the command below [here](/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md).
> Learn about the hardening applied by the kargs set by the command below [here](KARGS.md).
```
ujust set-kargs-hardening
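Review bot: the note's link target changes from the root-anchored `/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md` to the bare relative path `KARGS.md`, which only resolves if this document lives in the same directory as the newly added `docs/KARGS.md`; from any other location it will 404. Suggest confirming where this file sits, and otherwise linking as `docs/KARGS.md` from the repository root, matching the style of the link being removed.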


@@ -37,7 +37,7 @@ The following are not in scope:
- Adds per-network MAC randomization
- Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)</sup>
- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md)</sup>
- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](KARGS.md)</sup>
- Reduce the sudo timeout to 1 minute
- Require wheel user authentication via polkit for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
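Review bot: same concern as the other link change in this commit: `<sup>[details](KARGS.md)</sup>` is resolved relative to this file, and the surrounding context ("The following are not in scope:" followed by the feature list) reads like a top-level README rather than a file under docs/, in which case the new link breaks where the previous absolute `https://github.com/secureblue/secureblue/blob/live/...` URL worked from anywhere the page is rendered; use `docs/KARGS.md` if this file is at the repository root. Adjacent but pre-existing: the `<sup>[why?](...)` on the `rpm-ostree install` bullet is never closed with `</sup>`, so the bullets after it may render as superscript; worth fixing while touching this list.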