do not set kernel boot parameter page_poison=1 in Qubes since does no…

…t work QubesOS/qubes-issues#5212 (comment)
Kicksecure · Nov 5, 2019 · 94d40c6 · 94d40c6 · egberts · Oct 3, 2021
1 parent f57702c
commit 94d40c6
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -7,8 +7,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## Enables sanity checks (F), redzoning (Z) and poisoning (P).
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
 
-## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+if command -v "qubesdb-read" >/dev/null 2>&1 ; then
+   ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
+   true "skip adding page_poison=1 in Qubes"
+else
+   ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
+   GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+fi
 
 ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"