V8.03.864.2025.07.15
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m4s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
docs/BOOTPARAMS.md (new file, 56 lines)
@@ -0,0 +1,56 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br>
**Build**: V8.03.864.2025.07.15<br>
# 2. Hardened Kernel Boot Parameters
Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented
with a short rationale.
* ``audit=1``: Enable kernel auditing subsystem.
* ``audit_backlog_limit=8192``: Set audit event buffer depth.
* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
* ``iommu=force``: Enforce use of IOMMU.
* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
* ``panic=-1``: Prevent automatic reboot after panic.
* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
* ``rodata=on``: Enforce read-only sections for .rodata.
* ``slab_nomerge``: Disable merging of similar slab caches.
* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
* ``vsyscall=none``: Disable vsyscall legacy mapping.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
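Review bot: two bullets in the parameter list document a value that does the opposite of its rationale, and one documents a value the kernel does not accept. `panic=-1` ("Prevent automatic reboot after panic") is wrong: a negative `panic=` timeout reboots immediately, and it is `panic=0` that waits forever; with `oops=panic` in the same set this decides whether a live box halts for forensics or reboots on any oops, so pick the value that matches the intent and fix the bullet. `mmio_stale_data=full,force,nosmt` is not a documented form; kernel-parameters.txt lists only `off`, `full` and `full,nosmt` for `mmio_stale_data=`, so the unrecognized string is ignored and the effective setting comes from `mitigations=auto,nosmt`; use `mmio_stale_data=full,nosmt`. `l1d_flush=on` does not flush L1D on VM entry; it only enables the opt-in prctl interface (PR_SPEC_L1D_FLUSH) for userspace tasks, and the VM-entry flush is controlled by `kvm-intel.vmentry_l1d_flush=`. Smaller documentation points: `randomize_va_space` is a sysctl, not a boot parameter (the boot-time spelling is `sysctl.kernel.randomize_va_space=2`, and 2 is already the default); `cfi=` is only parsed by a Clang-built kernel with CONFIG_CFI_CLANG, which Debian's GCC-built kernels lack, so the bullet should say it is a no-op on the stock kernel; `page_poison=1` together with `init_on_free=1` makes the kernel log that page poisoning takes precedence and leaves init_on_free disabled, so state which of the two is intended; `kvm.nx_huge_pages=force` is the iTLB multihit workaround (it splits executable huge pages in guest mappings), not a general NX enforcement; and `loglevel=0` prints nothing at all, since the console shows only messages below the given level, so "only EMERG shown" describes `loglevel=1`.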
@@ -39,7 +39,7 @@ lb_config_write() {
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
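Review bot: the `--bootappend-install` line in the unchanged context above still carries the old parameter set, so after this change the installer kernel and the live kernel boot with different hardening: it keeps `efi_no_storage_paranoia`, `mce=0`, `tsx=off` and `mmio_stale_data=full,nosmt`, and lacks the `iommu.passthrough=0 iommu.strict=1`, `nosmt=force` and `slab_nomerge` that the new `--bootappend-live` line adds and that docs/BOOTPARAMS.md presents as the CISS set. Either apply the same edit to `--bootappend-install` or record in the doc why the installer differs. Two of the edits to `--bootappend-live` also need a second look: the removed line had `mmio_stale_data=full,nosmt`, which is a valid value, and the added line replaces it with `mmio_stale_data=full,force,nosmt`, which the kernel does not document (only `off`, `full` and `full,nosmt`), so the explicit setting is silently dropped; and `tsx=off` and `mce=0` disappear from the live command line without a mention in the commit message, so say whether that is intentional.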