linux_hardening_guide:boot_parameters

Created 2025/05/31 15:21 by peter; current revision 2025/05/31 15:42 by peter.

Boot parameters pass settings to the kernel at boot using your bootloader.

  * Some settings can be used to increase security, similar to [[Linux Hardening Guide:sysctl|sysctl]]. Unlike sysctl settings, boot parameters are applied before any user space runs, and several of the options below have no sysctl equivalent.

Depending on the bootloader being used:

  * If using GRUB as your bootloader, edit **/etc/default/grub**, and add your parameters to the **GRUB_CMDLINE_LINUX_DEFAULT=** line (this applies to the normal boot entries; **GRUB_CMDLINE_LINUX=** also applies to recovery entries). Regenerate **grub.cfg** afterwards, otherwise the change has no effect.
  * If using Syslinux, edit **/boot/syslinux/syslinux.cfg**, and add them to the **APPEND** line.
  * If using **systemd-boot**, edit your loader entry in the **loader/entries/** directory of your ESP (typically **/boot/loader/entries/**), and append them to the end of the **options** line (the **linux** line names the kernel image, not its parameters).

After rebooting, confirm that the parameters took effect by reading **/proc/cmdline**.

----

===== Kernel self-protection =====

<code bash>
slab_nomerge
</code>

This disables slab merging, which significantly increases the difficulty of heap exploitation by [[https://www.openwall.com/lists/kernel-hardening/2017/06/19/33|preventing overwriting objects from merged caches]] and by [[https://www.openwall.com/lists/kernel-hardening/2017/06/20/10|making it harder to influence slab cache layout]].

  * Without this parameter, caches of the same object size and flags share one underlying slab, so a bug in one object type can be used to corrupt objects of a different, more useful type that happen to live in the same slab.

----

<code bash>
init_on_alloc=1 init_on_free=1
</code>

This enables [[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef|zeroing of memory during allocation and free time]], which can help mitigate use-after-free vulnerabilities and erase sensitive information in memory.

  * **init_on_alloc=1** removes uninitialized-memory information leaks by zeroing pages and slab objects as they are handed out; **init_on_free=1** zeroes them as they are released, so a dangling pointer reads zeros rather than stale data until the memory is reused. Both cost some performance, **init_on_free=1** noticeably more.
  * Kernels built with **CONFIG_INIT_ON_ALLOC_DEFAULT_ON** or **CONFIG_INIT_ON_FREE_DEFAULT_ON** already behave as if the corresponding parameter were set.

----

<code bash>
page_alloc.shuffle=1
</code>

This option [[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692|randomizes page allocator freelists]], improving security by making page allocations less predictable.

  * It only has an effect on kernels built with **CONFIG_SHUFFLE_PAGE_ALLOCATOR=y**.
  * The feature was introduced to improve performance on systems with direct-mapped memory-side caches, so the security benefit comes essentially for free.

----

<code bash>
pti=on
</code>

This enables [[https://en.wikipedia.org/wiki/Kernel_page-table_isolation|Kernel Page Table Isolation]], which mitigates Meltdown and prevents some KASLR bypasses.

  * On x86, the kernel enables PTI automatically on CPUs known to be vulnerable to Meltdown and leaves it off on others; **pti=on** forces it on regardless, so the KASLR hardening also applies on CPUs the kernel considers unaffected.

----

<code bash>
randomize_kstack_offset=on
</code>

This option [[https://lkml.org/lkml/2019/3/18/246|randomizes the kernel stack offset on each syscall]], which makes attacks that rely on a deterministic kernel stack layout significantly more difficult, such as the [[https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html|exploitation of CVE-2019-18683]].

  * This requires a kernel built with **CONFIG_RANDOMIZE_KSTACK_OFFSET** (available since Linux 5.13); on other kernels the parameter is ignored.

----

<code bash>
vsyscall=none
</code>

This disables [[https://lwn.net/Articles/446528/|vsyscalls]], as they are obsolete and have been replaced with [[https://en.wikipedia.org/wiki/VDSO|vDSO]].

  * vsyscalls are also at fixed addresses in memory, making them a potential target for ROP attacks.
  * Current kernels default to **vsyscall=xonly**, which keeps the page mapped (execute-only) at its fixed address **0xffffffffff600000** on x86_64; only **vsyscall=none** removes the mapping entirely. This breaks only very old static binaries and libraries that still call into the vsyscall page.

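The following script is an added example, not part of the original guide. It reports which vsyscall mode the running kernel ended up in by reading **/proc/self/maps**, and illustrates the fixed-address point above by comparing the **[vsyscall]** and **[stack]** ranges of two freshly started processes: ASLR moves the stack, but the vsyscall page never moves. It assumes the x86_64 layout (the legacy vsyscall page at ffffffffff600000); the helper functions take the text of a maps file, so they can also be run against a saved copy.

```sh
#!/bin/sh
# Added example (not part of the original guide): show the effective vsyscall
# mode of the running kernel and why the page is attractive to attackers.
# Assumes the x86_64 layout, where the legacy vsyscall page is mapped at
# ffffffffff600000-ffffffffff601000 and appears in /proc/PID/maps as [vsyscall].

# vsyscall_mode MAPS: MAPS is the text of a /proc/PID/maps file. Prints
#   none     - no [vsyscall] mapping at all (vsyscall=none took effect)
#   xonly    - mapped execute-only (--xp), the default on recent kernels
#   readable - mapped r-xp, the old emulate/native behaviour
vsyscall_mode() {
    perms=$(printf '%s\n' "$1" | awk '$NF == "[vsyscall]" { print $2 }')
    case $perms in
        '')   echo none ;;
        --xp) echo xonly ;;
        r-xp) echo readable ;;
        *)    echo unknown ;;
    esac
}

# vsyscall_range MAPS: print the address range of the [vsyscall] mapping,
# or nothing when it is absent.
vsyscall_range() {
    printf '%s\n' "$1" | awk '$NF == "[vsyscall]" { print $1 }'
}

# stack_range MAPS: the [stack] range, which ASLR changes from process to process.
stack_range() {
    printf '%s\n' "$1" | awk '$NF == "[stack]" { print $1 }'
}

if [ -r /proc/self/maps ]; then
    # Two freshly started processes: the stack moves, the vsyscall page does not.
    maps_a=$(sh -c 'cat /proc/self/maps')
    maps_b=$(sh -c 'cat /proc/self/maps')
    echo "vsyscall mode: $(vsyscall_mode "$maps_a")"
    echo "vsyscall range, process A: $(vsyscall_range "$maps_a")"
    echo "vsyscall range, process B: $(vsyscall_range "$maps_b")"
    echo "stack range,    process A: $(stack_range "$maps_a")"
    echo "stack range,    process B: $(stack_range "$maps_b")"
fi
```

With **vsyscall=none** the mode line reads **none** and the two vsyscall ranges are empty; with the default **xonly** both processes print the same ffffffffff600000-ffffffffff601000 range while their stack ranges differ, which is exactly the property that makes the page usable without an information leak.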
----

<code bash>
debugfs=off
</code>

This disables debugfs, [[https://lkml.org/lkml/2020/7/16/122|which exposes a lot of sensitive information about the kernel]].

  * With this set, **/sys/kernel/debug** cannot be mounted at all, so tooling that expects it (some driver and tracing utilities) will fail; ftrace remains reachable through its separate tracefs mount at **/sys/kernel/tracing**.

----

<code bash>
oops=panic
</code>

Sometimes certain kernel exploits will cause what is known as an [[https://en.wikipedia.org/wiki/Linux_kernel_oops|"oops"]].

  * By default the kernel tries to recover from an oops by killing the offending task and continuing; exploits often rely on this, either surviving a failed attempt or leaving the kernel in a corrupted but still running state. This parameter turns every oops into a panic, so such attempts stop the machine instead.
  * However, sometimes bad drivers cause harmless oopses which would then crash the system, so test it on your hardware first. The same behaviour can be toggled at runtime with the **kernel.panic_on_oops** sysctl.

----

<code bash>
module.sig_enforce=1
</code>

This only allows kernel modules that have been signed with a key the kernel trusts to be loaded, which increases security by making it much harder to load a malicious kernel module.

  * The kernel must be built with module signing support (**CONFIG_MODULE_SIG**); on such kernels this parameter refuses unsigned modules and modules signed with unknown keys instead of merely tainting the kernel and loading them anyway.
  * This prevents all out-of-tree kernel modules, including DKMS modules, from being loaded [[https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html|unless you have signed them]], meaning that modules such as the VirtualBox or Nvidia drivers may not be usable, although that may not be important, depending on your setup.
  * The current setting is visible in **/sys/module/module/parameters/sig_enforce** (**Y** when enforced).

----

<code bash>
lockdown=confidentiality
</code>

The [[https://mjg59.dreamwidth.org/55105.html|kernel lockdown LSM]] can eliminate many methods that user space code could abuse to escalate to kernel privileges and extract sensitive information.

  * This LSM is necessary to implement a clear security boundary between user space and the kernel: without it, root can modify the running kernel through interfaces such as **/dev/mem**, **kexec** of unsigned images or loading unsigned modules.
  * The above option enables this feature in confidentiality mode, the strictest option. **integrity** mode blocks the interfaces that let user space modify the running kernel; **confidentiality** additionally blocks those that let it read kernel memory, such as **/proc/kcore** and some perf and BPF functionality, so check that your tooling still works.
  * This implies **module.sig_enforce=1**.
  * It requires a kernel built with **CONFIG_SECURITY_LOCKDOWN_LSM**; the active mode is shown in brackets in **/sys/kernel/security/lockdown**.

----

<code bash>
mce=0
</code>

This sets the machine check tolerance level to 0, which causes the kernel to panic on any uncorrected memory error instead of attempting to recover, since corrupted memory could be exploited.

  * The default level (1) panics or sends SIGBUS to the affected process, depending on where the error occurred.
  * This is unnecessary for systems without ECC memory, since uncorrected memory errors are not detected there in the first place.
  * This parameter is specific to x86.

----

<code bash>
quiet loglevel=0
</code>

These parameters prevent information leaks during boot and must be used in combination with the **kernel.printk** sysctl documented at [[Linux Hardening Guide:sysctl|sysctl]].

  * **loglevel=0** suppresses kernel output on the console, but the messages are still written to the kernel ring buffer, so restricting **dmesg** (the **kernel.dmesg_restrict** sysctl) is what keeps them from unprivileged users.

----

===== CPU mitigations =====

<WRAP info>
**NOTE:**  It is best to enable all CPU mitigations that are applicable to your CPU so as to ensure that you are not affected by known vulnerabilities.

  * This is a list that enables all built-in mitigations on x86:

</WRAP>

<code bash>
spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force
</code>

  * **nosmt=force** and the **,nosmt** variants disable SMT (hyper-threading), which can cost a lot of throughput; **tsx=off** disables TSX entirely; **kvm.nx_huge_pages=force** mitigates iTLB multihit for KVM guests at some performance cost.
  * The simpler **mitigations=auto,nosmt** enables every default mitigation and disables SMT where a mitigation needs it, but does not force the stricter variants listed above (for example **l1tf=full,force** or **tsx=off**).
  * The effective state of each mitigation on the running kernel is reported in **/sys/devices/system/cpu/vulnerabilities/**; any file that still reads **Vulnerable** needs attention.

----

===== Result =====

If you have followed all of the above recommendations, excluding your specific CPU mitigations, you will have:

<code bash>
slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0
</code>

<WRAP info>
**NOTE:**  You need to regenerate your GRUB configuration file to apply these if using GRUB as your bootloader (**update-grub** on Debian-based distributions, otherwise **grub-mkconfig -o /boot/grub/grub.cfg**; the output path can differ between distributions). Reboot, then check **/proc/cmdline** to confirm the parameters are in effect.
</WRAP>

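As an added example (not part of the original guide), this POSIX shell script audits a running system against the list above. It compares **/proc/cmdline** with the recommended parameters, flags parameters that are present with a different value (for example **pti=off** where **pti=on** is wanted, which a plain substring check would miss), and reads back the runtime indicators mentioned in the sections above: the active lockdown mode, module signature enforcement and the per-vulnerability status under **/sys/devices/system/cpu/vulnerabilities/**. The **RECOMMENDED** list is the one from the Result section; the helper functions take their input as text, so they can also be run against a saved cmdline.

```sh
#!/bin/sh
# Added example (not part of the original guide): audit a running kernel against
# the boot parameters recommended above and read back the runtime indicators.

# The combined list from the Result section, without CPU-specific mitigations.
RECOMMENDED="slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0"

# has_param CMDLINE PARAM: true if PARAM occurs as a whole word. A key=value
# entry must match exactly, so "pti=off" does not satisfy "pti=on".
has_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# missing_params CMDLINE WANTED: print each WANTED entry absent from CMDLINE.
missing_params() {
    for want in $2; do
        has_param "$1" "$want" || printf '%s\n' "$want"
    done
}

# conflicting_params CMDLINE WANTED: print entries in CMDLINE whose key is
# wanted but whose value differs, e.g. "loglevel=7" when "loglevel=0" is wanted.
conflicting_params() {
    for want in $2; do
        case $want in *=*) ;; *) continue ;; esac
        key=${want%%=*}
        printf '%s\n' "$1" | tr ' ' '\n' | while IFS= read -r word; do
            case $word in
                "$key"=*) [ "$word" = "$want" ] || printf '%s\n' "$word" ;;
            esac
        done
    done
}

# active_lockdown TEXT: TEXT is the content of /sys/kernel/security/lockdown,
# e.g. "none integrity [confidentiality]"; print the bracketed active mode.
active_lockdown() {
    case $1 in
        *\[*\]*) rest=${1#*\[}; printf '%s\n' "${rest%%\]*}" ;;
        *) printf 'unknown\n' ;;
    esac
}

# vulnerable_entries REPORT: REPORT holds "name: status" lines, one per file in
# /sys/devices/system/cpu/vulnerabilities; print the names still reported Vulnerable.
vulnerable_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case ${line#*: } in
            Vulnerable*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# cpu_vulnerabilities: build the REPORT text from sysfs (empty off Linux).
cpu_vulnerabilities() {
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# audit_cmdline CMDLINE: print what is missing or conflicting; return 0 only
# when every recommended parameter is present with the recommended value.
audit_cmdline() {
    missing=$(missing_params "$1" "$RECOMMENDED")
    conflicts=$(conflicting_params "$1" "$RECOMMENDED")
    status=0
    if [ -n "$missing" ]; then printf 'missing:\n%s\n' "$missing"; status=1; fi
    if [ -n "$conflicts" ]; then printf 'conflicting:\n%s\n' "$conflicts"; status=1; fi
    if [ "$status" -eq 0 ]; then echo "all recommended parameters present"; fi
    return "$status"
}

if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)" || :
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "lockdown mode: $(active_lockdown "$(cat /sys/kernel/security/lockdown)")"
    fi
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        echo "module.sig_enforce: $(cat /sys/module/module/parameters/sig_enforce)"
    fi
    vuln=$(vulnerable_entries "$(cpu_vulnerabilities)")
    if [ -n "$vuln" ]; then printf 'still vulnerable:\n%s\n' "$vuln"; fi
fi
```

Run it as an unprivileged user after rebooting. **/sys/kernel/security/lockdown** only exists when securityfs is mounted and the lockdown LSM is built into the kernel, so a missing lockdown line is itself a finding, not just a skipped check.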
----
Last modified: 2025/05/31 15:21 by peter