What's up, guys. How's it going? Well, I have two questions.
There are a lot of so-called Linux hardening guides.
And when I want to harden my Linux kernel, I put something like this
in my boot config:
1) lockdown=confidentiality
The kernel lockdown LSM can eliminate many methods
that user space code could abuse to escalate to kernel
privileges and extract sensitive information. This LSM
is necessary to implement a clear security boundary
between user space and the kernel.
2) intel_iommu=on, or
3) amd_iommu=on
This fights against DMA attacks.
4) efi=disable_early_pci_dma
This option fixes a hole in the above IOMMU by disabling
the busmaster bit on all PCI bridges during very early boot.
5) init_on_alloc=1
6) init_on_free=1
This enables zeroing of memory during allocation and free
time which can help mitigate use-after-free vulnerabilities
and erase sensitive information in memory.
7) page_alloc.shuffle=1
This option randomizes page allocator freelists, improving
security by making page allocations less predictable. This
also improves performance.
8) ...
9) ...
In fact, there are hundreds of such kernel boot parameters.
Could some of you write the NetBSD analogues of 1), 2), 3), 4), 5), 6), 7)
that I wrote above? I mean, how can I do "efi=disable_early_pci_dma"
in NetBSD? What's the way to turn on "amd_iommu=on" in NetBSD?
You get the idea, right?
And the second question is: let's say one has a USB stick
with a FAT32 (or NTFS) file system. How does one safely mount FAT32 and NTFS
USB drives under NetBSD? Could some of you write a roadmap (commands):
what should I do, and which binary packages should I install in my fresh NetBSD
system to be able to mount and work with FAT32 and NTFS USB drives?
Many thanks.
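As an added example (not part of the original post, and Linux-side only, since the NetBSD answers are not given here), a small Python audit that parses a kernel command line and reports which of the parameters listed in the post are missing. It treats the Intel/AMD IOMMU options as alternatives and handles comma-separated values such as efi=noruntime,disable_early_pci_dma; the sample command line is constructed.

```python
"""Audit a Linux kernel command line for the hardening boot parameters
listed in the post (lockdown, IOMMU, early PCI DMA, init_on_*, shuffle)."""
import shlex
from pathlib import Path

# Each check is satisfied if ANY of its "key=value" alternatives is present,
# e.g. intel_iommu=on on Intel machines or amd_iommu=on on AMD machines.
HARDENING_CHECKS = [
    ("kernel lockdown (confidentiality)", ["lockdown=confidentiality"]),
    ("IOMMU enabled (Intel or AMD)", ["intel_iommu=on", "amd_iommu=on"]),
    ("early-boot PCI bus-mastering disabled", ["efi=disable_early_pci_dma"]),
    ("zero memory on allocation", ["init_on_alloc=1"]),
    ("zero memory on free", ["init_on_free=1"]),
    ("page allocator freelist shuffling", ["page_alloc.shuffle=1"]),
]


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into {key: value}; bare flags map to None.
    shlex keeps quoted values intact, and a repeated key keeps its last value,
    matching how the kernel treats most duplicated parameters."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def _has(params: dict, wanted: str) -> bool:
    """True if wanted ("key=value") is set, allowing comma-separated lists
    such as efi=noruntime,disable_early_pci_dma."""
    key, _, value = wanted.partition("=")
    current = params.get(key)
    return current is not None and value in current.split(",")


def audit_cmdline(cmdline: str) -> dict:
    """Return {check label: True/False} for every hardening check."""
    params = parse_cmdline(cmdline)
    return {label: any(_has(params, alt) for alt in alts)
            for label, alts in HARDENING_CHECKS}


def missing(cmdline: str) -> list:
    """Labels of the checks the command line does not satisfy."""
    return [label for label, ok in audit_cmdline(cmdline).items() if not ok]


if __name__ == "__main__":
    # Audit the running kernel; /proc/cmdline is read-only and always present on Linux.
    live = Path("/proc/cmdline").read_text().strip()
    for label in missing(live) or ["nothing missing from the checked set"]:
        print("MISSING:", label)
```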