CISS.debian.installer/func/4160_grub_bootparameter.sh
Marc S. Weidner 81bcb407fd
V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-16 23:25:32 +02:00
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Presumably aborts when this file is executed directly instead of being sourced by the
# installer framework (the function is not defined in this file) — confirm against the framework.
guard_sourcing
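#######################################
# Hardening Grub boot parameter.
#
# Installs the sysctl hardening preset and the jitterentropy module-load snippet into the
# target, appends the hardening kernel parameters to the GRUB command line being built in
# VAR_GRUB_CMDLINE_LINUX and regenerates the GRUB configuration inside the target.
# Globals:
#   TARGET                 (read)          root directory of the target installation
#   VAR_GRUB_CMDLINE_LINUX (read/written)  GRUB_CMDLINE_LINUX under construction
#   VAR_SETUP_PATH         (read)          location of the installer's include files
# Arguments:
#   None
# Outputs:
#   One info line via do_log containing the final parameter string.
# Returns:
#   0: on success
#   1: if a hardening file could not be installed or update-grub failed
#######################################
setup_grub_bootparameter() {
  ### Install Kernel Hardening-Presets
  # NOTE(review): sysctl.d(5) and `sysctl --system` only read files whose name ends in ".conf";
  # the destination below has no such suffix, so the preset is not loaded at boot unless another
  # step applies it explicitly — confirm, and consider a ".conf" destination if nothing else does.
  cp -- "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini" \
    "${TARGET}/etc/sysctl.d/99_local.hardened" || return 1
  chmod 0644 -- "${TARGET}/etc/sysctl.d/99_local.hardened" || return 1

  ### Entropy collection improvements
  mkdir -p -- "${TARGET}/usr/lib/modules-load.d" || return 1
  # Quoted delimiter: the snippet contains no expansions and is written literally.
  cat << 'EOF' >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf" || return 1
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
  chmod 0644 -- "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf" || return 1

  # Seed VAR_GRUB_CMDLINE_LINUX from the target's current GRUB configuration (framework helper).
  grub_extract_current_string

  # Audit events need to be captured on processes that start up prior to auditd, so that
  # potential malicious activity cannot go undetected. During boot if audit=1, then the backlog
  # will hold 64 records. If more than 64 records are created during boot, auditd records will
  # be lost and potential malicious activity could go undetected.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} audit=1 audit_backlog_limit=8192"

  # Distrusts the CPU for initial entropy at boot, as it is not possible to audit, may contain
  # weaknesses or a backdoor.
  # https://en.wikipedia.org/wiki/RDRAND#Reception
  # https://twitter.com/pid_eins/status/1149649806056280069
  # https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
  # https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
  # https://lkml.org/lkml/2022/6/5/271
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} random.trust_cpu=off"

  # Distrusts the bootloader for initial entropy at boot.
  # https://lkml.org/lkml/2022/6/5/271
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} random.trust_bootloader=off"

  # ASLR (Address Space Layout Randomization) causes central areas of memory to be assigned
  # random addresses each time a program is started. These include: Stack, Heap, Shared
  # libraries (e.g., libc), mmap regions, VDSO/VSyscall. The executable itself (only with PIE
  # binaries). The aim is to make it more difficult for attackers to predict memory addresses,
  # thereby preventing classic exploits that rely on known addresses from succeeding.
  # 0: disabled     Fixed memory addresses, insecure, testable.
  # 1: Partial ASLR Heap, mmap are randomized, stack only partially randomized.
  # 2: Full ASLR    (default) Stack, mmap, heap, VDSO, shared libraries all randomized.
  # NOTE(review): ASLR is controlled by the kernel.randomize_va_space sysctl (default 2);
  # "randomize_va_space" does not appear to be a documented kernel command-line parameter
  # (the documented boot-time switch is "norandmaps", which disables ASLR). Confirm whether this
  # token has any effect here or belongs in the sysctl preset instead.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} randomize_va_space=2"

  # Enables IOMMU to prevent DMA attacks.
  # intel_iommu=on amd_iommu=force_isolation iommu=force
  # Multiple IOMMU switches are redundant; iommu=force is usually sufficient.
  # Forces an IOMMU to be initialized and used completely, even if the BIOS or ACPI wanted to
  # disable it. It activates the basic DMA remapping function. However, it does not say anything
  # about how restrictive the mapping strategy is (passthrough, strict), see below.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} iommu=force"

  # Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to
  # access stale data contents.
  # iommu.passthrough=0
  #   Prevents devices from operating in identity-mapped passthrough mode. Without this parameter
  #   (or with =1), devices could be passed through without being monitored by the IOMMU in a
  #   truly restrictive manner. From a security standpoint, iommu.passthrough=0 is an important
  #   step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.
  # iommu.strict=1
  #   Enables Strict Mode for dma-iommu.c (i.e., all DMA transactions are validated
  #   synchronously). Without this parameter, the kernel often runs in lazy mode, where mapping
  #   caches are used.
  #   Performance vs. security: strict=1 is more secure, but potentially slower, especially with
  #   many small DMA transfers.
  # https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
  # Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} iommu.passthrough=0 iommu.strict=1"

  # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
  # https://mjg59.dreamwidth.org/54433.html
  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} efi=disable_early_pci_dma"

  # Disables the merging of slabs of similar sizes.
  # Sometimes a slab can be used vulnerably, which an attacker can exploit.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} slab_nomerge"

  # Zero memory at allocation and free time.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} init_on_alloc=1 init_on_free=1"

  # This option randomizes page allocator freelists, improving security by making page
  # allocations less predictable. This also improves performance.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} page_alloc.shuffle=1"

  # When releasing (i.e., free_pages()), all bytes are overwritten with a marker value
  # (e.g., 0xAA). If later code (accidentally or maliciously) accesses this page, it will most
  # likely crash or produce recognizable artifacts. Only supported if the kernel was built with
  # CONFIG_PAGE_POISONING=y (default on Debian: enabled since Bookworm).
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} page_poison=1"

  # Enables Kernel Page Table Isolation, which mitigates Meltdown and improves KASLR.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} pti=on"

  # The legacy vsyscall page is obsolete, lives at fixed addresses and is a target for ROP.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} vsyscall=none"

  # The kernel adds a small random padding offset to the stack pointer with every system call or
  # kernel entry. The starting point for local variables is at a different position within the
  # stack with every call. This makes ROP chains (return-oriented programming) or stack pivoting
  # attacks significantly more difficult.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} randomize_kstack_offset=on"

  # Prevents the debugfs file system from being made available at boot time. This is a useful
  # hardening measure because debugfs reveals a lot of potentially security-relevant kernel
  # information by default, which can be misused by normal users (and by exploits).
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} debugfs=off"

  # Force the kernel to panic on "oopses" (which may be due to false positives).
  # panic=N (e.g., panic=60): Wait N seconds and then reboot.
  # panic=0:  No automatic action (system remains stuck in panic state, wait forever).
  # panic<0 (e.g., panic=-1): Reboot immediately; a negative value does NOT disable the reboot.
  # The value chosen here therefore restarts the machine at once after a panic, which favours
  # availability over keeping the panic state on screen for forensics.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} oops=panic panic=-1"

  # Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
  # mitigations=auto Enables all available CPU-specific security measures based on the detected
  #   CPU, microcode version, and kernel build configuration, if applicable.
  # 'nosmt' Disables Simultaneous Multithreading (SMT) (e.g., Hyper-Threading on Intel)
  #   system-wide to prevent shared cache attacks (SMoTHER, MDS, L1TF, TAA, Snoop-assisted).
  # Why is 'mitigations=auto,nosmt' better than setting everything manually?
  # - Automatically adjusted: Depending on CPU family, stepping, microcode.
  # - Consistency guaranteed: No contradictions between flags possible
  #   (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
  # - Future-proof: Even new kernel features (e.g., bhi=flush or srbds) are automatically
  #   activated without having to know about them.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mitigations=auto,nosmt"

  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually
  # because they are redundant. Enable mitigations for both Spectre Variant 2 (indirect branch
  # speculation) and Intel branch history injection (BHI) vulnerabilities.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
  # VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} spectre_v2=on spectre_v2_user=on spectre_bhi=on"

  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually
  # because they are redundant. Disable Speculative Store Bypass (Spectre Variant 4).
  # https://www.suse.com/support/kb/doc/?id=000019189
  # VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} spec_store_bypass_disable=on nospec_store_bypass_disable=off"

  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually
  # because they are redundant. Enable mitigations for the L1TF vulnerability through disabling
  # SMT and L1D flush runtime control.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
  # VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} l1tf=full,force"

  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually
  # because they are redundant. Enable mitigations for the MDS vulnerability through clearing
  # buffer cache and disabling SMT.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
  # VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mds=full,nosmt"

  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually
  # because they are redundant. Patches the TAA vulnerability by disabling TSX and enables
  # mitigations using TSX Async Abort along with disabling SMT.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
  # VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} tsx=off tsx_async_abort=full,nosmt"

  # Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} kvm.nx_huge_pages=force"

  # Force disable SMT as it has caused numerous CPU vulnerabilities.
  # The only full mitigation of cross-HT attacks is to disable SMT.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} nosmt=force"

  # Enables the prctl interface to prevent leaks from L1D on context switches.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} l1d_flush=on"

  # Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
  # mmio_stale_data=off         No mitigation (unsafe)
  # mmio_stale_data=full        All known measures active
  # mmio_stale_data=full,nosmt  Full mitigation + SMT disabling
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
  # NOTE(review): the admin guide linked above documents only "off", "full" and "full,nosmt" for
  # this parameter; an unrecognized value is typically logged and ignored by the kernel, which
  # would leave the default (auto) behaviour in place. Confirm that "full,force" is accepted by
  # the target kernel, otherwise "full,nosmt" is the documented maximum.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mmio_stale_data=full,force"

  # Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return
  # Instructions) vulnerability. If 'mitigations=auto,nosmt' is set, the kernel already activates
  # all retbleed-relevant mitigations, provided the CPU is affected. 'retbleed=auto' keeps the
  # kernel's own assessment; SMT is already disabled system-wide by nosmt=force above, so the
  # ',nosmt' suffix is not repeated here.
  # https://www.suse.com/support/kb/doc/?id=000020693
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} retbleed=auto"

  # Enables kernel lockdown mode with a focus on confidentiality. The kernel is configured in
  # such a way that even privileged users (such as root) have limited access to kernel data and
  # debug mechanisms. 'confidentiality': Maximum restriction to ensure the security and integrity
  # of the system. This prevents direct access to hardware and debug interfaces, for example.
  # Useful for highly secure environments as it reduces the attack surface to kernel data.
  # However, some applications that require debugging or hardware access may have problems.
  # https://blog.cloudflare.com/de-de/linux-kernel-hardening/
  # https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} lockdown=confidentiality"

  # Enables 'Read-Only Data Protection', which implements read-only memory areas for kernel data
  # structures. This protects the kernel from certain types of exploit (e.g., buffer overflows).
  # 'on': Forces the corresponding areas to remain read-only.
  # https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} rodata=on"

  # Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector.
  # KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is
  # designed to be enabled in production kernels, and has near zero performance overhead.
  # Compared to KASAN, KFENCE trades precision for performance. The main motivation behind
  # KFENCE's design is that with enough total uptime KFENCE will detect bugs in code paths not
  # typically exercised by non-production test workloads. One way to quickly achieve a large
  # enough total uptime is when the tool is deployed across a large fleet of machines.
  # https://docs.kernel.org/dev-tools/kfence.html
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} kfence.sample_interval=100"

  # CFI ensures that only controlled, predefined transitions are possible in the programs'
  # control flow. kcfi (Kernel Control Flow Integrity): Specific implementation of CFI for the
  # Linux kernel that is particularly robust and provides accurate control flow validation. kcfi
  # relies on compiler-based technologies (e.g., LLVM) that insert special checks and
  # instrumentation into the kernel code.
  # https://kspp.github.io/Recommended_Settings#kernel-command-line-options
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cfi=kcfi"

  # Remove additional (32-bit) attack surface, unless you really need it.
  # https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
  # https://kspp.github.io/Recommended_Settings#kernel-command-line-options
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} ia32_emulation=0"

  # Removes the mapping for the 32-bit VDSO (for ia32 binaries). On 32-bit processes that rely on
  # the VDSO, this causes a fallback to classic syscalls (slower) or errors. On a system without
  # CONFIG_IA32_EMULATION or with ia32_emulation=0, vdso32=0 is effective but redundant.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} vdso32=0"

  # Checks every copy_to_user() / copy_from_user() operation. Prevents the kernel from
  # accidentally copying unallocated memory to userspace and stops exploits that trigger buffer
  # overflows or use-after-free via copy_*_user(), for example. Effect: Detects heap/SLOB abuse
  # and overwrites. Leads to BUG() & stack trace if suspicious access is detected.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} hardened_usercopy=1"

  # Sets the console loglevel at boot to 0: only messages with a loglevel below 0 are printed to
  # the console, so effectively nothing (not even KERN_EMERG) is shown on the console. Messages
  # remain in the kernel ring buffer (dmesg / journal) for later review.
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} loglevel=0"

  # Write the assembled string back into the target's GRUB configuration (framework helper).
  grub_finalize_string
  # Regenerate grub.cfg inside the target; without this the parameters above are never applied.
  do_in_target "${TARGET}" update-grub || return 1
  do_log "info" "true" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX}"
  return 0
}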
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh