47 changes: 26 additions & 21 deletions README.md
Expand Up @@ -46,12 +46,12 @@ configuration file and significant hardening is applied to a myriad of component

- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting
will force an immediate system reboot as opposed to placing any reliance on the oom_killer
to avoid arbitrarily terminating security features based on their OOM score. Note this
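Review bot: the reorder puts "Force immediate system reboot on the occurrence of a single kernel panic" ahead of "Force the kernel to immediately panic on both oopses ... and kernel warnings", so the consequence is now listed before its cause. Keep the oops/WARN-to-panic bullet first and the panic-to-reboot bullet after it; the reboot bullet only makes sense once the reader knows what triggers a panic in this configuration, and the "Optional" OOM bullet that follows ("which with the above setting will force an immediate system reboot") already assumes that reading order.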
Expand Down Expand Up @@ -172,6 +172,8 @@ CPU mitigations:

- Spectre Side Channels (BTI and BHI)

- Enable Kernel Page Table Isolation (PTI)

- Meltdown

- Speculative Store Bypass (SSB)
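Review bot: "Enable Kernel Page Table Isolation (PTI)" is a mitigation, while every other entry in this list (Spectre Side Channels, Meltdown, Speculative Store Bypass) names a vulnerability, and it is inserted directly above the one it mitigates. Fold it into the Meltdown entry, e.g. "- Meltdown (mitigated by forcing kernel page table isolation, PTI)", or move it out of the CPU mitigations list so the list stays one kind of thing.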
Expand Down Expand Up @@ -224,9 +226,6 @@ Kernel space:
- Enable the kernel page allocator to randomize free lists to limit some data
exfiltration and ROP attacks, especially during the early boot process.

- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase
KASLR effectiveness and also mitigate the Meltdown CPU vulnerability.

- Enable randomization of the kernel stack offset on syscall entries to harden
against memory corruption attacks.
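Review bot: the removed bullet was the only place in the README that states why PTI is forced on (KASLR effectiveness as well as Meltdown) and on which architectures (x86_64 and ARM64); the entry that replaces it under CPU mitigations is the bare name "Enable Kernel Page Table Isolation (PTI)". Carry the rationale and the architecture scope over to wherever PTI ends up being listed, otherwise the README no longer tells readers that PTI is also an anti-KASLR-bypass measure on CPUs not affected by Meltdown.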

Expand All @@ -236,15 +235,15 @@ Kernel space:
- Restrict access to debugfs by not registering the file system since it can
contain sensitive information.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial-of-service attacks and both cold and warm boot attacks.

- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include
upon using out of specification hardware, bad page states, ACPI tables being overridden,
severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also
severe firmware bugs, in-kernel tests run, or mutating `fwctl` debug operations. It can also
include the loading of proprietary or out-of-tree modules.

- Prevent sensitive kernel information leaks in the console during boot.
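Review bot: the taint bullet is being edited for the `fwctl` formatting but keeps "Some reasons include upon using out of specification hardware", which does not parse; while touching that line, rewrite the list as "Reasons include out-of-specification hardware, bad page states, ACPI tables being overridden, severe firmware bugs, in-kernel tests, or mutating `fwctl` debug operations." The reordered panic/reboot bullets in this hunk also now list the reboot-on-panic consequence before the oops-to-panic cause; whichever order is chosen, keep it identical to the summary list near the top of the README.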
Expand All @@ -262,14 +261,14 @@ Kernel space:
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends.

- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.
- Restrict processes from modifying their own memory mappings unless actively done via
`ptrace()` for debugging in order to limit self-modification which can trigger exploits.

- Prevent runaway privileged processes from writing to block devices that are mounted by
filesystems to protect against filesystem corruption and kernel crashes.

- Restrict processes from modifying their own memory mappings unless actively done via
`ptrace()` in order to limit self-modification which can trigger exploits.
- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against
cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation.

Direct memory access:
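Review bot: dropping "for debugging" from the `ptrace()` bullet removes the only stated reason for the exception, and the bullet never names the mechanism it describes; the Partial compliance entry added later in this patch calls it `/proc/PID/mem` writes to protected pages under `proc_mem.force_override`. Suggest: "Restrict writes through `/proc/PID/mem` to protected pages to processes that are actively `ptrace()`-attached for debugging, limiting the self-modification that exploits rely on." Moving the optional SME/SEV bullet to the end of the block is fine.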

Expand All @@ -283,16 +282,13 @@ Entropy:

- Do not credit the CPU seeds as an entropy source at boot in order to maximize the
absolute quantity of entropy in the combined pool. This is desirable for all
cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU
cryptographic operations to avoid reliance on proprietary RDRAND and RDSEED CPU
instructions for random number generation that have long history of being defective.

- Do not credit the bootloader seeds as an entropy source at boot to maximize the
absolute quantity of entropy in the combined pool. This is desirable for all
cryptographic operations as seeds passed by the bootloader could be tampered.

- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized.

- Obtain more entropy at boot from RAM as the runtime memory allocator is being
initialized to maximize the absolute quantity of entropy in the combined pool.

Expand Down Expand Up @@ -321,23 +317,32 @@ there are a few cases of partial or non-compliance due to technical limitations.
More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
the KSPP's recommendations.

**Partial compliance:**

1. Kernel boot parameter `proc_mem.force_override=never`

Restrict processes from modifying their own memory mappings by completely disables use of
`/proc/PID/mem` to write to protected pages. Can be enabled easily if required.

* [security-misc pull request #332](https://github.com/Kicksecure/security-misc/pull/332)

**Non-compliance:**

1. `sysctl user.max_user_namespaces=0`
2. `sysctl user.max_user_namespaces=0`

Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.

* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)

2. `sysctl fs.binfmt_misc.status=0`
3. `sysctl fs.binfmt_misc.status=0`

Disables the registration of interpreters for miscellaneous binary formats. Currently not
feasible due to compatibility issues with Firefox.

* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)

3. Kernel boot parameter `hash_pointers=always`
4. Kernel boot parameter `hash_pointers=always`

Force all exposed pointers to be hashed and must be used in combination with the already enabled
`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17.
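Review bot: the new Partial compliance entry reads "Restrict processes from modifying their own memory mappings by completely disables use of `/proc/PID/mem` to write to protected pages", which needs "by completely disabling"; and since the project deliberately does not set `proc_mem.force_override=never`, say what is set instead (the `ptrace` mode implied by the Kernel space bullet) so the reader knows what "partial" means and what "Can be enabled easily if required" refers to. The numbering now runs 1 under Partial compliance and 2, 3, 4 under Non-compliance, presenting them as one list; restart at 1 under each heading or drop the numbers.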
45 changes: 23 additions & 22 deletions etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
Expand Up @@ -9,8 +9,8 @@

## Enable known mitigations for CPU vulnerabilities.
## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://docs.kernel.org/admin-guide/hw-vuln/index.html
## https://docs.kernel.org/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

## Check for potential updates directly from AMD and Intel.
Expand Down Expand Up @@ -41,7 +41,7 @@
##
## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
## https://github.com/secureblue/secureblue/issues/1405
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
## https://docs.kernel.org/admin-guide/hw-vuln/attack_vector_controls.html
##
## KSPP=yes
## KSPP sets the kernel parameters.
Expand All @@ -56,7 +56,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Disabling will significantly decrease system performance on multi-threaded tasks.
## Note, this setting will prevent re-enabling SMT via the sysfs interface.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://docs.kernel.org/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
##
Expand All @@ -76,24 +76,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enable mitigation for the Intel branch history injection vulnerability.
## Currently affects both AMD and Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
## https://docs.kernel.org/admin-guide/hw-vuln/spectre.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"

## Meltdown:
## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
## Force enable PTI of user and kernel address spaces on all cores.
## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
## Currently affects ARM64 CPUs.
## Enables kernel PTI to harden against kernel ASLR (KASLR) bypasses.
## Force enables PTI of user and kernel address spaces on all ARM cores.
## Currently affects AMD, ARM64, and Intel CPUs.
##
## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
##
## KSPP=yes
## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
## KSPP sets "pti=on", CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"

## Speculative Store Bypass (SSB):
## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
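Review bot: the rewritten Meltdown block is internally inconsistent: it says "Force enables PTI of user and kernel address spaces on all ARM cores" while in the same hunk adding the x86 parameter `pti=on` and changing the scope line to "Currently affects AMD, ARM64, and Intel CPUs". Meltdown is not known to affect AMD CPUs (the kernel's default `pti=auto` leaves PTI off on them), so if the intent is forced PTI everywhere as KASLR hardening, say that explicitly and keep the "affects" line to ARM64 and Intel. State which parameter applies where (`pti=on` for x86_64, `kpti=1` for ARM64) instead of "all ARM cores", and since the removed comment said `pti=on` previously lived in /etc/default/grub.d/40_kernel_hardening.cfg, confirm it was dropped there so the parameter is not emitted twice on the command line.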
Expand All @@ -111,7 +112,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
## https://docs.kernel.org/admin-guide/hw-vuln/l1tf.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
Expand All @@ -120,7 +121,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
## https://docs.kernel.org/admin-guide/hw-vuln/mds.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

Expand All @@ -129,7 +130,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
## https://docs.kernel.org/admin-guide/hw-vuln/tsx_async_abort.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
Expand All @@ -138,30 +139,30 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
## https://docs.kernel.org/admin-guide/hw-vuln/multihit.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"

## Special Register Buffer Data Sampling (SRBDS):
## Mitigation of the vulnerability is only possible via microcode update from Intel.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://docs.kernel.org/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691

## L1D Flushing:
## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
## https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"

## Processor MMIO Stale Data:
## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
## https://docs.kernel.org/admin-guide/hw-vuln/processor_mmio_stale_data.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"

Expand All @@ -180,15 +181,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## Mitigate the vulnerability for certain KVM hypervisor configurations.
## Currently affects AMD Zen 1-2 CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
## https://docs.kernel.org/admin-guide/hw-vuln/cross-thread-rsb.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"

## Speculative Return Stack Overflow (SRSO):
## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
## Currently affects AMD Zen 1-4 CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
## https://docs.kernel.org/admin-guide/hw-vuln/srso.html
##
## The default kernel setting will be utilized until provided sufficient evidence to modify.
## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach.
Expand All @@ -201,23 +202,23 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
## https://docs.kernel.org/admin-guide/hw-vuln/gather_data_sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"

## Register File Data Sampling (RFDS):
## Mitigate the vulnerability by appropriately clearing the CPU buffer.
## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
## https://docs.kernel.org/admin-guide/hw-vuln/reg-file-data-sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

## Indirect Target Selection (ITS):
## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
## https://docs.kernel.org/admin-guide/hw-vuln/indirect-target-selection.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"

Expand All @@ -226,6 +227,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
## Currently affects both AMD and Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
## https://docs.kernel.org/admin-guide/hw-vuln/vmscape.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"