On 05/01/2017 11:14 AM, Reg Tiangha wrote:
> On 05/01/2017 10:38 AM, Jean-Philippe Ouellet wrote:
>> *Sigh*... Yep. We were right to be concerned (of course). And now we
>> have something other than our tin foil hats to point at too:
>>
>> https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
>>
>> I want my RISC-V laptop already!
>>
> I don't know if it helps things, but I recently disabled the
> CONFIG_INTEL_MEI, CONFIG_INTEL_MEI_ME, and CONFIG_INTEL_MEI_TXE kernel
> options in my kernel branches as soon as I was made aware of their
> existence. My hope is that the ME hardware can't be exploited using
> those methods if they don't exist in the kernel in the first place; that
> someone would have to find another way. But again, I have no idea if
> that's useful or not. For what it's worth, my systems still boot and run
> properly, but the newest machine I have access to is of the Sandy Bridge
> era; I have no idea if newer machines actually need those options baked
> into the kernel in order to run. Can anyone advise?
>
> https://github.com/rtiangha/qubes-linux-kernel
>
> Also, if anyone has any other ideas on kernel options to disable for
> various security concerns (ME related or not), let me know. For the
> moment, I've implemented almost all of the KSPP's recommended settings
> that are applicable to a certain kernel branch, except for the ones
> about loadable modules since I don't know how it affects u2mfn or any
> other user-compiled kernel modules a Qubes user may want to install. I
> haven't encountered any issues on my machines (or at least, any that
> I've noticed), but those could use more testing as well:
>
> https://github.com/rtiangha/qubes-linux-kernel
>
>

Ugh, forgot to hit CTRL-SHIFT-V, ha!
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
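
One way to confirm that the three MEI options named in the message above are actually off in a given kernel config, as an added example that is not part of the original message or of the qubes-linux-kernel repository. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Names below are hypothetical helpers.

# Print the state of one option in a kernel config file: its value (y or m),
# "not set", or "absent". Matching is anchored on the full option name because
# a plain grep for CONFIG_INTEL_MEI also matches CONFIG_INTEL_MEI_ME and _TXE.
mei_option_state() {
    awk -v opt="$2" '
        index($0, opt "=") == 1        { state = substr($0, length(opt) + 2) }
        $0 == "# " opt " is not set"   { state = "not set" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# Report the three options named in the thread; return 1 if any is y or m.
mei_audit() {
    rc=0
    for opt in CONFIG_INTEL_MEI CONFIG_INTEL_MEI_ME CONFIG_INTEL_MEI_TXE; do
        state=$(mei_option_state "$1" "$opt")
        echo "$opt: $state"
        case $state in y|m) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample config fragment (not taken from any real kernel build).
sample_config() {
    cat <<'EOF'
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MEI_ME=m
# CONFIG_INTEL_MEI_TXE is not set
EOF
}

# Demo on the constructed sample; on a real system pass the kernel's config
# file instead, commonly /boot/config-$(uname -r).
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
mei_audit "$demo_cfg" || echo "MEI driver options are enabled in this config"
rm -f "$demo_cfg"
```

This only reports whether the kernel's MEI client drivers are built; it says nothing about the state of the ME firmware itself.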