From ee8e2bce5c6202b832ced09b57c304f6876071e54a27ec9dc451330b36e4a991 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 15 Jul 2025 19:37:16 +0200
Subject: [PATCH] V8.03.864.2025.07.15
Signed-off-by: Marc S. Weidner
---
docs/BOOTPARAMS.md | 56 ++++++++++++++++++++++++++++++++++++++
lib/lib_lb_config_write.sh | 2 +-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 docs/BOOTPARAMS.md
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
new file mode 100644
index 0000000..f8ffc3a
--- /dev/null
+++ b/docs/BOOTPARAMS.md
@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.03
+**Build**: V8.03.864.2025.07.15
+
+# 2. Hardened Kernel Boot Parameters
+
+Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
+restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented
+with a short rationale.
+
+* ``audit=1``: Enable kernel auditing subsystem.
+* ``audit_backlog_limit=8192``: Set audit event buffer depth.
+* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
+* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
+* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
+* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
+* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
+* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
+* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
+* ``iommu=force``: Enforce use of IOMMU.
+* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
+* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
+* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
+* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
+* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
+* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
+* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
+* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
+* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
+* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
+* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
+* ``page_alloc.shuffle=1``: Randomize page allocator freelist order. 
+* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
+* ``panic=-1``: Prevent automatic reboot after panic.
+* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
+* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
+* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
+* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
+* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
+* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
+* ``rodata=on``: Enforce read-only sections for .rodata.
+* ``slab_nomerge``: Disable merging of similar slab caches.
+* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
+* ``vsyscall=none``: Disable vsyscall legacy mapping.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/lib/lib_lb_config_write.sh b/lib/lib_lb_config_write.sh
index 3740831..9d95519 100644
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -39,7 +39,7 @@ lb_config_write() {
 --binary-filesystem fat32 \
 --binary-image iso-hybrid \
 --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
- --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+ --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
 --bootloaders grub-efi \
 --cache true \
 --checksums sha512 sha256 md5 \
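Review bot: The rewritten `--bootappend-live` string now diverges from the unchanged `--bootappend-install` string two lines above it: the installer line still carries `efi_no_storage_paranoia mce=0 tsx=off mmio_stale_data=full,nosmt` and lacks the `iommu.passthrough=0 iommu.strict=1 nosmt=force slab_nomerge` the live line gained, so installer boots get a different hardening set than live boots, and the new docs/BOOTPARAMS.md (which describes itself as the parameter set for the CISS Debian Installer) no longer matches the installer line. Either apply the same kernel-parameter list to `--bootappend-install` in this commit or state in the docs which list applies to which boot mode. Separately, `mmio_stale_data=full,force,nosmt` does not look like a value the kernel accepts — as far as I know the documented values are `full`, `full,nosmt` and `off`, and an unrecognised string is silently ignored, which would leave that mitigation at its default rather than the intended one; `full,nosmt` (the spelling the removed line used) is the safe choice, and the same token appears in the new docs file. lb_config_write() starts before this hunk and its argument list continues past it.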