mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-10-31 18:37:47 +00:00
chore: switch to bluebuild's justfile module with validation (#556)
This commit is contained in:
RoyalOughtness
99
docs/KARGS.md
Normal file
99
docs/KARGS.md
Normal file
@@ -0,0 +1,99 @@
|
||||
## Included in set-kargs-hardening
|
||||
|
||||
**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
|
||||
|
||||
`init_on_alloc=1`
|
||||
|
||||
**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
|
||||
|
||||
`init_on_free=1`
|
||||
|
||||
**Disables the merging of slabs, increasing difficulty of heap exploitation**
|
||||
|
||||
`slab_nomerge`
|
||||
|
||||
**Enables page allocator freelist randomization, reducing page allocation predictability**
|
||||
|
||||
`page_alloc.shuffle=1`
|
||||
|
||||
**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
|
||||
|
||||
`randomize_kstack_offset=on`
|
||||
|
||||
**Disable vsyscall as it is both obsolete and enables an ROP attack vector**
|
||||
|
||||
`vsyscall=none`
|
||||
|
||||
**Enable kernel lockdown in the strictest mode**
|
||||
|
||||
`lockdown=confidentiality`
|
||||
|
||||
**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
|
||||
|
||||
`random.trust_cpu=off`
|
||||
|
||||
**Disable trusting the use of the a seed passed by the bootloader**
|
||||
|
||||
`random.trust_bootloader=off`
|
||||
|
||||
**Mitigate DMA attacks by enabling IOMMU**
|
||||
|
||||
`iommu=force`
|
||||
`intel_iommu=on`
|
||||
`amd_iommu=force_isolation`
|
||||
|
||||
**Disable IOMMU bypass**
|
||||
|
||||
`iommu.passthrough=0`
|
||||
|
||||
**Synchronously invalidate IOMMU hardware TLBs**
|
||||
|
||||
`iommu.strict=1`
|
||||
|
||||
**Enable kernel page table isolation**
|
||||
|
||||
`pti=on`
|
||||
|
||||
**Only allows kernel modules that have been signed with a valid key to be loaded**
|
||||
|
||||
`module.sig_enforce=1`
|
||||
|
||||
**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
|
||||
|
||||
`mitigations=auto,nosmt`
|
||||
|
||||
**Turn on spectre_v2 mitigations at boot time for all programs**
|
||||
|
||||
`spectre_v2=on`
|
||||
|
||||
**Disable spec store bypass for all programs**
|
||||
|
||||
`spec_store_bypass_disable=on`
|
||||
|
||||
**Enable the mechanism to flush the L1D cache on context switch.**
|
||||
|
||||
`l1d_flush=on`
|
||||
|
||||
**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasn’t been updated to include the mitigation.**
|
||||
|
||||
`gather_data_sampling=force`
|
||||
|
||||
### Force disable simultaneous multithreading
|
||||
|
||||
**Disables this hardware feature on user request, regardless of whether it is affected by known vulnerabilities**
|
||||
|
||||
`nosmt=force`
|
||||
|
||||
### Additional (unstable) kargs
|
||||
|
||||
**Fill IOMMU protection gap by setting the busmaster bit during early boot**
|
||||
|
||||
`efi=disable_early_pci_dma`
|
||||
|
||||
**Disable debugfs to prevent exposure of sensitive kernel information**
|
||||
|
||||
`debugfs=off`
|
||||
|
||||
**Disables support for 32-bit processes, and syscalls**
|
||||
|
||||
`ia32_emulation=0`
|
||||
Reference in New Issue
Block a user