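#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### Options in "GRUB_CMDLINE_LINUX" are always effective.
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).

guard_sourcing

#######################################
# Hardening GRUB boot parameters.
# Installs the sysctl hardening preset and the jitterentropy modules-load
# snippet into the target, appends a fixed list of kernel command-line
# hardening options to the GRUB_CMDLINE_LINUX_DEFAULT string and then
# regenerates the GRUB configuration inside the target.
# Globals:
#   TARGET                         (read)        root of the installed system
#   VAR_SETUP_PATH                 (read)        location of the installer's include files
#   VAR_GRUB_CMDLINE_LINUX_DEFAULT (read/write)  filled by grub_extract_current_string,
#                                                extended here, consumed by grub_finalize_string
# Arguments:
#   None
# Returns:
#   0 on success
#   1 if a preset file cannot be installed or update-grub fails
#######################################
setup_grub_bootparameter() {
  local preset_src="${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini"
  # sysctl.d(5) only loads files carrying a ".conf" suffix; without the suffix
  # the preset is copied into place but never applied at boot.
  local preset_dst="${TARGET}/etc/sysctl.d/99_local.hardened.conf"
  local modules_conf="${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
  local -a params=()
  local joined

  ### Install kernel hardening presets (sysctl)
  # A failed copy must not be reported as success: the sysctl preset is part
  # of the hardening baseline this function claims to have installed.
  mkdir -p -- "${TARGET}/etc/sysctl.d" || return 1
  cp -- "${preset_src}" "${preset_dst}" || {
    printf 'setup_grub_bootparameter: cannot install %s\n' "${preset_dst}" >&2
    return 1
  }
  chmod 0644 "${preset_dst}" || return 1

  ### Entropy collection improvements
  mkdir -p -- "${TARGET}/usr/lib/modules-load.d" || return 1
  # Quoted delimiter: the snippet is literal, nothing in it is meant to expand.
  cat <<'EOF' >| "${modules_conf}" || return 1
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
  chmod 0644 "${modules_conf}" || return 1

  grub_extract_current_string

  # NOTE(review): every option below goes into the _DEFAULT string, so per the
  # header comment none of them apply in recovery mode (no lockdown, no IOMMU
  # enforcement, no CPU mitigations on a recovery boot). Confirm that is the
  # intended trade-off; VAR_GRUB_CMDLINE_LINUX would cover recovery boots too.
  # NOTE(review): the options are appended unconditionally; running this
  # function twice on the same target duplicates them — confirm single use.

  # Audit events need to be captured on processes that start before auditd so
  # that potential malicious activity cannot go undetected. With audit=1 the
  # boot-time backlog holds 64 records by default; if more are produced during
  # boot they are lost, hence the larger backlog limit.
  params+=(audit=1 audit_backlog_limit=8192)

  # Distrust the CPU's RDRAND for initial entropy at boot: it cannot be audited
  # and may contain weaknesses or a backdoor.
  #   https://en.wikipedia.org/wiki/RDRAND#Reception
  #   https://twitter.com/pid_eins/status/1149649806056280069
  #   https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
  #   https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
  #   https://lkml.org/lkml/2022/6/5/271
  params+=(random.trust_cpu=off)

  # Distrust the bootloader for initial entropy at boot.
  #   https://lkml.org/lkml/2022/6/5/271
  params+=(random.trust_bootloader=off)

  # ASLR: stack, heap, shared libraries, mmap regions, VDSO/vsyscall and (for
  # PIE binaries) the executable itself get random addresses per process start,
  # so exploits relying on known addresses fail.
  #   0: disabled (fixed addresses, insecure)
  #   1: partial (heap and mmap randomized, stack only partially)
  #   2: full (default; stack, mmap, heap, VDSO, shared libraries)
  # NOTE(review): randomize_va_space is the sysctl kernel.randomize_va_space,
  # not an option documented in kernel-parameters.txt — confirm this token has
  # any effect on the command line (the sysctl preset installed above, or the
  # sysctl.* command-line prefix, may be the intended path).
  params+=(randomize_va_space=2)

  # IOMMU against DMA attacks. iommu=force initializes and uses the IOMMU even
  # if firmware wanted it disabled; multiple vendor switches
  # (intel_iommu=on amd_iommu=force_isolation) are redundant with it. It says
  # nothing about how restrictive the mapping strategy is — see below.
  params+=(iommu=force)

  # iommu.passthrough=0 prevents devices from running in identity-mapped
  # passthrough mode, i.e. unmonitored by the IOMMU; important for DMA
  # isolation of untrusted PCI(e) devices.
  # iommu.strict=1 enables strict TLB invalidation for dma-iommu.c so devices
  # can never reach stale mappings (lazy mode uses mapping caches). More
  # secure, potentially slower with many small DMA transfers.
  #   https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
  #   Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
  params+=(iommu.passthrough=0 iommu.strict=1)

  # Disable the busmaster bit on all PCI bridges during very early boot to
  # avoid holes in IOMMU coverage.
  #   https://mjg59.dreamwidth.org/54433.html
  #   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
  params+=(efi=disable_early_pci_dma)

  # Disable merging of slabs of similar sizes; a merged slab can be abused by
  # heap exploits.
  params+=(slab_nomerge)

  # Zero memory at allocation and free time.
  params+=(init_on_alloc=1 init_on_free=1)

  # Randomize page allocator freelists so page allocations are less
  # predictable; also improves performance.
  params+=(page_alloc.shuffle=1)

  # Overwrite freed pages with a marker value so later (accidental or
  # malicious) access most likely crashes or leaves recognizable artifacts.
  # Only effective if the kernel was built with CONFIG_PAGE_POISONING=y
  # (default on Debian: enabled since Bookworm).
  params+=(page_poison=1)

  # Kernel Page Table Isolation: mitigates Meltdown, improves KASLR.
  params+=(pti=on)

  # The obsolete vsyscall page lives at fixed addresses and is a ROP target.
  params+=(vsyscall=none)

  # Random padding offset on the kernel stack pointer at every kernel entry,
  # making ROP chains and stack pivoting significantly harder.
  params+=(randomize_kstack_offset=on)

  # Do not expose debugfs at boot; it reveals a lot of security-relevant kernel
  # information by default.
  params+=(debugfs=off)

  # Panic on "oopses" (which may be false positives).
  #   panic=N  (e.g. 60): wait N seconds, then reboot
  #   panic=0  no automatic action (system stays in panic state)
  #   panic=-1 also explicitly prevents any automatic reboot
  # NOTE(review): combined with loglevel=0 (below) an oops halts the machine
  # with no console diagnostics; make sure a remote log sink or serial console
  # exists if such events must be investigated.
  params+=(oops=panic panic=-1)

  # Enable all CPU vulnerability mitigations the kernel knows for the detected
  # CPU/microcode/build and disable SMT system-wide (shared-cache attacks:
  # SMoTHER, MDS, L1TF, TAA, snoop-assisted). Preferred over setting every
  # flag manually: adjusted per CPU family/stepping/microcode, no contradictory
  # flag combinations, and new mitigations are picked up automatically.
  params+=(mitigations=auto,nosmt)

  # The following are redundant with mitigations=auto,nosmt and therefore not
  # set individually:
  #   Spectre v2 (indirect branch speculation) and Intel BHI
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
  #   params+=(spectre_v2=on spectre_v2_user=on spectre_bhi=on)
  #   Speculative Store Bypass (Spectre v4)
  #   https://www.suse.com/support/kb/doc/?id=000019189
  #   params+=(spec_store_bypass_disable=on nospec_store_bypass_disable=off)
  #   L1TF via SMT disable and L1D flush runtime control
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
  #   params+=(l1tf=full,force)
  #   MDS via buffer clearing and SMT disable
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
  #   params+=(mds=full,nosmt)
  #   TAA via disabling TSX plus TSX Async Abort mitigation and SMT disable
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
  #   params+=(tsx=off tsx_async_abort=full,nosmt)

  # Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
  params+=(kvm.nx_huge_pages=force)

  # Force-disable SMT; it is the only full mitigation of cross-HT attacks.
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
  params+=(nosmt=force)

  # prctl interface to prevent L1D leaks on context switches.
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
  params+=(l1d_flush=on)

  # MMIO Stale Data mitigations.
  #   off         no mitigation (unsafe)
  #   full        all known measures active
  #   full,nosmt  full mitigation + SMT disable
  #   auto        depending on CPU/microcode
  #   full,force  forces mitigation even on CPUs reported as not affected
  #   https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
  params+=(mmio_stale_data=full,force)

  # RETBleed (arbitrary speculative code execution with return instructions).
  # mitigations=auto,nosmt already activates the retbleed mitigations on
  # affected CPUs; an explicit retbleed= value overrides the kernel's own
  # assessment. SMT is already force-disabled via nosmt=force above.
  #   https://www.suse.com/support/kb/doc/?id=000020693
  params+=(retbleed=auto)

  # Kernel lockdown, confidentiality mode: even root loses access to kernel
  # data and debug mechanisms (direct hardware/debug interfaces). Reduces the
  # attack surface on kernel data; software needing debugging or raw hardware
  # access may break.
  #   https://blog.cloudflare.com/de-de/linux-kernel-hardening/
  #   https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
  params+=(lockdown=confidentiality)

  # Read-only data protection for kernel data structures; 'on' forces the
  # affected areas to stay read-only.
  #   https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
  params+=(rodata=on)

  # KFENCE: low-overhead sampling-based detector for heap out-of-bounds,
  # use-after-free and invalid-free errors, designed for production kernels
  # (trades precision for near-zero overhead compared to KASAN; pays off with
  # enough total uptime, e.g. across a fleet).
  #   https://docs.kernel.org/dev-tools/kfence.html
  params+=(kfence.sample_interval=100)

  # kcfi (kernel control-flow integrity): compiler-inserted checks (LLVM) that
  # only allow predefined control-flow transitions.
  #   https://kspp.github.io/Recommended_Settings#kernel-command-line-options
  params+=(cfi=kcfi)

  # Remove 32-bit attack surface unless really needed.
  #   https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
  #   https://kspp.github.io/Recommended_Settings#kernel-command-line-options
  params+=(ia32_emulation=0)

  # No VDSO mapping for 32-bit (ia32) binaries; they fall back to classic
  # syscalls (slower) or fail. Redundant with ia32_emulation=0 but harmless.
  params+=(vdso32=0)

  # Check every copy_to_user()/copy_from_user(); stops exploits that trigger
  # buffer overflows or use-after-free via copy_*_user() and BUG()s with a
  # stack trace on suspicious access.
  params+=(hardened_usercopy=1)

  # Minimum kernel console log level at boot: 0 (= KERN_EMERG).
  params+=(loglevel=0)

  # Append as " opt1 opt2 ...": one leading space per option, independent of IFS.
  printf -v joined ' %s' "${params[@]}"
  VAR_GRUB_CMDLINE_LINUX_DEFAULT+="${joined}"

  grub_finalize_string
  # NOTE(review): assumes do_in_target propagates the exit status of the
  # command it runs — confirm; otherwise a failed update-grub goes unnoticed.
  do_in_target "${TARGET}" update-grub || {
    printf 'setup_grub_bootparameter: update-grub failed in %s\n' "${TARGET}" >&2
    return 1
  }
  do_log "info" "true" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh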