The officially official Devuan Forum!

#1 2021-06-26 04:28:43

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

[SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

For the best Linux kernel hardening for Intel CPUs, and to fix memory leaks on Linux systems, add the following to the file /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="intel_pstate=force init_on_free=1 init_on_alloc=1 kvm.nx_huge_pages=force nosmt=force tsx=off mds=full,nosmt l1tf=full,force tsx_async_abort=full,nosmt random.trust_cpu=off acpi_osi=Linux drm.vblankoffdelay=1 kaslr pti=on slab_nomerge nosmt nf_conntrack.acct=1 cgroup_enable=memory swapaccount=1 numa_balancing=enable topology_updates=off noaliencache iommu=pt rodata=on pdcchassis=1 noinitrd x2apic_phys intremap=on apic_extnmi=all align_va_addr=off noht xen_emul_unplug=all acpi=copy_dsdt acpi_force_table_verification debug_guardpage_minorder=2 kmemleak=on kmemleak.stack=on kmemleak.scan=on kmemleak=scan kmemleak=clear rodata=on pcie_bus_safe ecrc=on pcie_port_pm=force noexec=on no_debug_objects dma_debug=off integrity_audit=1 iomem=strict kasan_multi_shot spectre_v1=on ssbd=force-off spec_store_bypass_disable=on intel_iommu=on spectre_v2_user=on spectre_v2=on processor.max_cstate=9 intel_idle.max_cstate=9 l1tf=flush edac_report=force hardened_usercopy=on seccomp=1 audit=1 mce=recovery slab_nomerge slub_debug=FZP intel_pstate=hwp_only noefi pti=on page_poison=1 vsyscall=none"

After adding this information, update your grub configuration:

update-grub

These Linux kernel changes are intended for secure Linux workstations, but they lead to a significant decrease in performance. You have a choice: performance or high security.

Last edited by Eaglet (2021-06-27 07:45:10)
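As an added example (not part of the forum post above), here is a POSIX shell check a practitioner would run before committing a long GRUB_CMDLINE_LINUX_DEFAULT like the one in the post: it splits the parameter string, reports keys that appear more than once with different values (the kernel applies parameters in order, so a later value typically overrides an earlier one, and nothing warns you), lists exact repeats, and, when run on a live machine, prints what the running kernel reports under /sys/devices/system/cpu/vulnerabilities. SAMPLE_CMDLINE is a constructed abbreviation of the post's list containing only its repeated keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum post): sanity-check a kernel command line
# before committing it to /etc/default/grub. Parameters are applied in order,
# so a key given twice with different values usually ends up with the later
# one, and the kernel prints nothing about it.

# Constructed sample: only the repeated keys from the post's list, in order.
SAMPLE_CMDLINE='intel_pstate=force nosmt=force l1tf=full,force kaslr pti=on slab_nomerge nosmt rodata=on kmemleak=on kmemleak=scan kmemleak=clear rodata=on l1tf=flush slab_nomerge intel_pstate=hwp_only pti=on'

# Emit one "key value" pair per line; a bare flag such as "kaslr" gets "<set>".
split_params() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed '/^$/d' |
        awk '{ i = index($0, "="); if (i) print substr($0, 1, i - 1), substr($0, i + 1); else print $0, "<set>" }'
}

# Keys that occur with more than one distinct value (a real conflict).
conflicting_keys() {
    split_params "$1" | sort -u |
        awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Keys that are repeated with the same value (harmless, but noise).
redundant_keys() {
    split_params "$1" | sort | uniq -d | awk '{ print $1 }' | sort -u
}

# Print the mitigation state the running kernel reports; a parameter that is
# in /proc/cmdline but never shows up here was ignored or spelled wrongly.
report_running_kernel() {
    [ -r /proc/cmdline ] && printf 'cmdline: %s\n' "$(cat /proc/cmdline)"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
    return 0
}

report() {
    printf 'Conflicting keys: %s\n' "$(conflicting_keys "$1" | tr '\n' ' ')"
    printf 'Redundant keys:   %s\n' "$(redundant_keys "$1" | tr '\n' ' ')"
}

report "$SAMPLE_CMDLINE"
```

On the sample the conflicting keys are intel_pstate, kmemleak, l1tf and nosmt, and the redundant ones are pti, rodata and slab_nomerge. To check a real machine, run `report "$(cat /proc/cmdline)"` followed by `report_running_kernel` after rebooting with the new line, and compare the vulnerabilities output against what you expected each mitigation flag to do.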

#2 2021-06-26 13:16:52

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Warning! These changes contain the noefi parameter!

#3 2021-06-26 17:05:10

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

The hardening-runtime package will apply several of those parameters automatically.

Note that the kernel tuning can be applied via /etc/sysctl.d/ if a bootloader-independent configuration method is required.


Brianna Ghey — Rest In Power

#4 2021-06-26 18:27:18

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Head_on_a_Stick wrote:

The hardening-runtime package will apply several of those parameters automatically.
Note that the kernel tuning can be applied via /etc/sysctl.d/ if a bootloader-independent configuration method is required.

1. The hardening-runtime package contains very few security options for the Linux kernel compared to the FULL list of security options that I have provided!

2. The hardening-runtime package contains very few security options for sysctl. I currently use over 96 parameters in my sysctl.conf for heavy security hardening of my Linux system: for the kernel, network, etc.

I can read, study, analyze and apply in practice what is written in the documentation in the primary sources for Linux. The Debian Help is very incomplete. As long as sysadmins, information security professionals and engineers do not read the primary sources of technical information, the security of Linux systems will be threatened by their gullibility. I prefer to protect my systems myself, not using ready-made solutions with a limited (not complete) set of security parameters. My solutions take advantage of all the Linux system security hardening capabilities that are provided by the Linux kernel, as well as those subsystems that are additionally used to secure Linux systems. Life and bitter practical experience taught me this. Smart people learn from their mistakes; it is impossible to teach fools!

#5 2021-06-26 18:33:49

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Eaglet wrote:

Smart people learn from their mistakes

Only a fool learns from their own mistakes ;)


#6 2021-06-26 18:37:38

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Head_on_a_Stick wrote:
Eaglet wrote:

Smart people learn from their mistakes

Only a fool learns from their own mistakes ;)

You are wrong: you cannot teach a fool, because he is a fool! ;-)

#7 2021-06-26 19:33:10

andyprough
Member
Registered: 2019-10-19
Posts: 327  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

I've seen a number of people post these lists of "super secure settings" that the poster allegedly has learned about, but for which they leave little or no description as to what each change does. I can only assume that zero readers try them, since it's just a "trust me this works" list.

#8 2021-06-26 20:00:00

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

andyprough wrote:

I've seen a number of people post these lists of "super secure settings" that the poster allegedly has learned about, but for which they leave little or no description as to what each change does. I can only assume that zero readers try them, since it's just a "trust me this works" list.

For an explanation of each kernel parameter, see the official documentation for the Linux kernel (different versions). You, if you have the necessary qualifications, can check each parameter I have given. I don't think you will argue that the official Linux kernel documentation is lying to you? ;-)

#9 2021-06-27 07:42:56

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Hello comrades! If you have technical questions on this topic, ask, I will be happy to answer them.

#10 2021-06-27 12:47:32

ComputerBob
Member
From: The Sunshine State
Registered: 2018-10-11
Posts: 83  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

In order for me to even CONSIDER making these types of changes, the person who wants me to do them has to be someone who has long established themself as a TRUSTED expert who has a documented history of helping people like me.


ComputerBob - Making Geek-Speak Chic (TM)
ComputerBob.com - Nearly 6,000 Posts and 22 Million Views since 1998
My Massive Stroke
Help! (off-topic)

#11 2021-06-27 13:44:14

dice
Member
Registered: 2020-11-22
Posts: 559  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Thanks for sharing

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters a while ago; I think disabling SMT caused my rig to lock up.

#12 2021-06-27 15:50:18

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

ComputerBob wrote:

In order for me to even CONSIDER making these types of changes, the person who wants me to do them has to be someone who has long established themself as a TRUSTED expert who has a documented history of helping people like me.

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

#13 2021-06-27 15:56:12

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

dice wrote:

Thanks for sharing

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters a while ago; I think disabling SMT caused my rig to lock up.

If you have problems booting with the new Linux kernel parameters, then you can edit the boot parameters in the Grub menu when the bootloader starts. Unfortunately, I cannot check the performance of these parameters on many computers, since I do not have such an opportunity. I only urge specialists, especially in information security, to carefully read the official documentation for the possibility of self-defense of the Linux kernel.

#14 2021-06-27 16:31:08

ComputerBob
Member
From: The Sunshine State
Registered: 2018-10-11
Posts: 83  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Eaglet wrote:
ComputerBob wrote:

In order for me to even CONSIDER making these types of changes, the person who wants me to do them has to be someone who has long established themself as a TRUSTED expert who has a documented history of helping people like me.

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

I didn't mean to insult you.

When it comes to my computer, I distrust ANYONE who hasn't already earned my trust over time.

Also, I run a web site that has had 22 million visits from all over the world. I study its server logs every day. In all these years, I can't even remember the last time my site received a visitor from Russia (you have since changed your location to USSR) that wasn't malicious and needed to be blocked. So, I am especially suspicious of security advice from anyone who is from Russia.

Sorry, my feelings are based on my own experience, and are not personal against you.

Last edited by ComputerBob (2021-06-27 16:32:42)


#15 2021-06-27 16:57:21

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

ComputerBob wrote:
Eaglet wrote:

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

I didn't mean to insult you.

When it comes to my computer, I distrust ANYONE who hasn't already earned my trust over time.

Also, I run a web site that has had 22 million visits from all over the world. I study its server logs every day. In all these years, I can't even remember the last time my site received a visitor from Russia (you have since changed your location to USSR) that wasn't malicious and needed to be blocked. So, I am especially suspicious of security advice from anyone who is from Russia.

Sorry, my feelings are based on my own experience, and are not personal against you.

1. I, unlike you, trust only myself. 2. No need to spam and talk off topic. 3. In every country in the world there are different people, both good and bad. 4. This is my last reply to your posts, I will only reply to posts on a technical topic.

#16 2021-06-28 07:47:32

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

It's a shame that no one wants to discuss the technical details of the proposed parameters. Among the proposed parameters there are some for whose use I could not get a definite answer from some specialists in configuring the Linux kernel:

kmemleak=on kmemleak.stack=on kmemleak.scan=on kmemleak=scan kmemleak=clear 

But I think the solution I proposed with these parameters will be correct, based on the logic of this subsystem of the Linux kernel.
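The kmemleak controls quoted in the post above are worth checking against the kernel's own documentation (Documentation/admin-guide/kernel-parameters.txt and Documentation/dev-tools/kmemleak.rst): the only boot-time parameter is kmemleak=on or kmemleak=off, while "scan", "clear", "stack=on" and the like are commands written after boot to the debugfs file /sys/kernel/debug/kmemleak, which exists only when the kernel was built with CONFIG_DEBUG_KMEMLEAK and debugfs is mounted. kmemleak is a leak detector for kernel developers rather than a hardening setting; it reports unreferenced allocations, it does not fix them, and it adds memory and CPU overhead. As an added example (not part of the post), the following POSIX shell helper drives that interface the documented way; the function names and the KMEMLEAK_CTL override (used so the helper can be exercised against an ordinary file) are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post. The kmemleak commands that the post
# puts on the kernel command line are run-time debugfs commands (see
# Documentation/dev-tools/kmemleak.rst); at boot only kmemleak=on|off exists.
# KMEMLEAK_CTL may be overridden to point at any writable file for testing.

KMEMLEAK_CTL="${KMEMLEAK_CTL:-/sys/kernel/debug/kmemleak}"

# Return 0 if the command is one the kmemleak debugfs interface documents.
kmemleak_cmd_valid() {
    case "$1" in
        off|scan|clear|stack=on|stack=off|scan=on|scan=off) return 0 ;;
        scan=[0-9]*|dump=0x[0-9a-fA-F]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a control command to the kmemleak debugfs file given as $2 (default
# $KMEMLEAK_CTL). Returns 2 if the command is not a documented one and 3 if
# the file is not writable (kmemleak not built in, debugfs not mounted, or
# not running as root).
kmemleak_ctl() {
    cmd="$1"; ctl="${2:-$KMEMLEAK_CTL}"
    kmemleak_cmd_valid "$cmd" || return 2
    [ -w "$ctl" ] || return 3
    printf '%s\n' "$cmd" > "$ctl"
}

# Trigger an immediate scan and print how many unreferenced objects the
# kernel then reports in the debugfs file (0 when nothing is reported).
kmemleak_scan_and_count() {
    ctl="${1:-$KMEMLEAK_CTL}"
    kmemleak_ctl scan "$ctl" || return $?
    grep -c '^unreferenced object' "$ctl" || true
}

if [ -w "$KMEMLEAK_CTL" ]; then
    printf 'kmemleak control file %s is writable\n' "$KMEMLEAK_CTL"
else
    printf 'kmemleak control file %s is not writable (no CONFIG_DEBUG_KMEMLEAK, debugfs not mounted, or not root)\n' "$KMEMLEAK_CTL"
fi
```

On a kernel booted with kmemleak=on, run as root: `kmemleak_ctl clear` to discard the current report, then `kmemleak_scan_and_count` to scan and count; `kmemleak_ctl stack=on` enables the stack-trace recording the post was trying to switch on from the command line. The distinct return codes let a script tell "wrong command" from "kmemleak not available on this kernel".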

#17 2021-06-28 12:12:24

dice
Member
Registered: 2020-11-22
Posts: 559  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

Eaglet wrote:
dice wrote:

Thanks for sharing

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters a while ago; I think disabling SMT caused my rig to lock up.

If you have problems booting with the new Linux kernel parameters, then you can edit the boot parameters in the Grub menu when the bootloader starts. Unfortunately, I cannot check the performance of these parameters on many computers, since I do not have such an opportunity. I only urge specialists, especially in information security, to carefully read the official documentation for the possibility of self-defense of the Linux kernel.

I haven't used your list of parameters; I tried some of the Tails Linux recommended parameters. Not sure exactly which one locked up my computer, but mds=full,nosmt seems to stand out to me; after removing that I had no issues. It's definitely a case-by-case basis, not all Intel computers are made the same.

https://tails.boum.org/contribute/desig … hardening/

#18 2021-06-28 19:52:14

Eaglet
Member
From: USSR
Registered: 2018-06-24
Posts: 56  

Re: [SOLVED] Kernel hardening for Intel CPU and fix memory leak in Linux

dice wrote:

I haven't used your list of parameters; I tried some of the Tails Linux recommended parameters. Not sure exactly which one locked up my computer, but mds=full,nosmt seems to stand out to me; after removing that I had no issues. It's definitely a case-by-case basis, not all Intel computers are made the same.

https://tails.boum.org/contribute/desig … hardening/

Tails and Whonix have a much smaller set of security options than what I have proposed. In each specific case, you need to select your own set of security parameters for the Linux kernel. In my case, everything works due to the fact that I have a fairly ancient Intel processor. I am glad that you are interested in this topic, since few people are interested in the information security of their operating system and hardware.