====== Linux Hardening Guide - Boot parameters ======
Boot parameters are settings passed to the kernel by your bootloader at boot time.
* Some settings can be used to increase security, similar to [[Linux Hardening Guide:sysctl|sysctl]].
Depending on the bootloader being used:
* If using GRUB as your bootloader, edit **/etc/default/grub**, and add your parameters to the **GRUB_CMDLINE_LINUX_DEFAULT=** line.
* If using Syslinux, edit **/boot/syslinux/syslinux.cfg**, and add them to the **APPEND** line.
* If using **systemd-boot**, edit your loader entry under **loader/entries/** on the EFI system partition (usually **/boot/loader/entries/**), and append them to the end of the **options** line (the **linux** line holds the kernel image path, not its parameters).
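The GRUB procedure above, as an added example that is not part of the original guide: a POSIX shell script that merges parameters into the **GRUB_CMDLINE_LINUX_DEFAULT** line by key, so re-running it never duplicates entries and a new value such as **pti=on** replaces an existing **pti=off** instead of sitting next to it. The file path is an argument so it can be tried on a copy of **/etc/default/grub** first; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: merge hardening parameters
# into GRUB_CMDLINE_LINUX_DEFAULT by key. Parameters are compared on the
# text before '=' (the whole word for flags like slab_nomerge), so a new
# "pti=on" replaces an existing "pti=off" rather than being appended next
# to it, and running the script twice changes nothing the second time.
# Function names (merge_cmdline, set_grub_default) are this example's own.

# merge_cmdline "existing params" "new params" -> merged line on stdout.
# Surviving existing parameters keep their order; new ones are appended.
merge_cmdline() {
    local existing new out p q key keep
    existing=$1; new=$2; out=""
    for p in $existing; do                 # unquoted on purpose: split on spaces
        key=${p%%=*}
        keep=1
        for q in $new; do
            if [ "${q%%=*}" = "$key" ]; then
                keep=0
            fi
        done
        if [ "$keep" -eq 1 ]; then
            out="${out:+$out }$p"
        fi
    done
    for q in $new; do
        out="${out:+$out }$q"
    done
    printf '%s\n' "$out"
}

# set_grub_default FILE "new params": rewrite (or add) the
# GRUB_CMDLINE_LINUX_DEFAULT="..." line in FILE, leaving other lines alone.
# Assumes the double-quoted form GRUB ships by default, and parameters that
# contain none of | & \ (which would be special to sed). Writes through a
# temp file so a failure never leaves FILE half-written.
set_grub_default() {
    local file new current merged
    file=$1; new=$2
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file" | tail -n 1)
    merged=$(merge_cmdline "$current" "$new")
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$merged\"|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$merged"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Usage on the real system (as root); grub.cfg must be regenerated afterwards:
#   cp /etc/default/grub /etc/default/grub.bak
#   set_grub_default /etc/default/grub "slab_nomerge init_on_alloc=1 init_on_free=1 pti=on"
#   grub-mkconfig -o /boot/grub/grub.cfg      # or update-grub on Debian-based systems
```

Keying on the parameter name rather than appending blindly matters because the kernel takes the last occurrence of a repeated parameter, so a stale **pti=off** left in place would otherwise silently win or lose depending on where the new value landed.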
----
===== Kernel self-protection =====
slab_nomerge
This disables slab merging, which significantly increases the difficulty of heap exploitation by [[https://www.openwall.com/lists/kernel-hardening/2017/06/19/33|preventing overwriting objects from merged caches]] and by [[https://www.openwall.com/lists/kernel-hardening/2017/06/20/10|making it harder to influence slab cache layout]].
----
init_on_alloc=1 init_on_free=1
This enables [[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef|zeroing of memory during allocation and free time]], which can help mitigate use-after-free vulnerabilities and erases sensitive information in memory as soon as it is freed.
* Both options have a measurable performance cost, **init_on_free=1** in particular, since every freed page and slab object is overwritten.
----
page_alloc.shuffle=1
This option [[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692|randomizes page allocator freelists]], improving security by making page allocations less predictable.
* The feature was originally added for performance on systems with a direct-mapped memory-side cache, so on such hardware it can also be a performance improvement; the security benefit applies everywhere.
----
pti=on
This enables [[https://en.wikipedia.org/wiki/Kernel_page-table_isolation|Kernel Page Table Isolation]], which mitigates Meltdown and prevents some KASLR bypasses.
----
randomize_kstack_offset=on
This option [[https://lkml.org/lkml/2019/3/18/246|randomizes the kernel stack offset on each syscall]], which makes attacks that rely on a deterministic kernel stack layout significantly more difficult, such as the [[https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html|exploitation of CVE-2019-18683]].
* This requires a kernel built with **CONFIG_RANDOMIZE_KSTACK_OFFSET** (Linux 5.13 or later); on older kernels the parameter has no effect.
----
vsyscall=none
This disables [[https://lwn.net/Articles/446528/|vsyscalls]], as they are obsolete and have been replaced with [[https://en.wikipedia.org/wiki/VDSO|vDSO]].
* vsyscalls are also mapped at a fixed address, making them a convenient target for ROP attacks.
* The only thing this can break is very old (typically statically linked) binaries that still call into the vsyscall page; anything built against a modern libc uses the vDSO instead.
----
debugfs=off
This disables debugfs, [[https://lkml.org/lkml/2020/7/16/122|which exposes a lot of sensitive information about the kernel]].
----
oops=panic
Some kernel exploits trigger an [[https://en.wikipedia.org/wiki/Linux_kernel_oops|"oops"]] along the way, for example when a first attempt at a corrupted pointer faults in kernel context.
* By default the kernel tries to carry on after an oops, which can leave it running in an attacker-influenced state; this parameter makes it panic instead, stopping the exploit at that point.
* However, buggy drivers sometimes cause otherwise harmless oopses that would now crash your system, so only use this parameter on hardware whose drivers are known to run cleanly (check **dmesg** for oops traces before enabling it).
----
module.sig_enforce=1
This only allows kernel modules signed with a key the kernel trusts to be loaded, which makes it much harder to load a malicious kernel module.
* It prevents all out-of-tree kernel modules, including DKMS-built modules, from being loaded [[https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html|unless you have signed them]] yourself, so modules such as the VirtualBox or Nvidia drivers may not be usable; depending on your setup that may not matter.
----
lockdown=confidentiality
The [[https://mjg59.dreamwidth.org/55105.html|kernel lockdown LSM]] can eliminate many methods that user space code could abuse to escalate to kernel privileges and extract sensitive information.
* This LSM is necessary to implement a clear security boundary between user space and the kernel.
* The above option enables this feature in confidentiality mode, the strictest option: integrity mode only blocks modifications to the running kernel, confidentiality mode additionally blocks reading kernel memory from user space.
* This implies **module.sig_enforce=1**, since loading an unsigned module is one of the things lockdown blocks.
* It requires a kernel built with **CONFIG_SECURITY_LOCKDOWN_LSM** and with **lockdown** in its list of active LSMs; the active mode can be read from **/sys/kernel/security/lockdown**.
* Confidentiality mode also blocks legitimate tools that read kernel memory, such as kernel-side profiling with **perf** and BPF programs that read kernel memory, so check that your monitoring and tracing still work before relying on it.
----
mce=0
This sets the machine check tolerance level to 0, so the kernel panics on any uncorrected memory error reported by ECC memory instead of trying to continue with possibly corrupted data, which an attacker could otherwise exploit.
* On systems without ECC memory this is of little use, since memory errors are not detected there in the first place.
----
quiet loglevel=0
These parameters suppress kernel messages on the console during boot, which prevents information leaks; they must be combined with the **kernel.printk** sysctl documented at [[Linux Hardening Guide:sysctl|sysctl]] so that the console log level also stays low once the system is up.
----
===== CPU mitigations =====
**NOTE:** It is best to enable all CPU mitigations applicable to your CPU, to ensure you are not affected by known vulnerabilities.
* This list enables the built-in mitigations:
spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force
* **nosmt** disables SMT (hyperthreading), which is needed to fully mitigate the MDS/TAA/L1TF class of issues but costs throughput on many workloads.
* **kvm.nx_huge_pages=force** only matters on hosts running KVM guests.
* Newer kernels add further mitigations and parameters (for example **retbleed=** and **gather_data_sampling=**); see **Documentation/admin-guide/hw-vuln/** in the kernel tree for the current list, and **mitigations=auto,nosmt** as a shorthand for the kernel's default set with SMT disabled where a mitigation needs it.
* The per-vulnerability status is reported in **/sys/devices/system/cpu/vulnerabilities/**; any file there that reads **Vulnerable** indicates a mitigation that is still missing.
----
===== Result =====
If you have followed all of the above recommendations, excluding your specific CPU mitigations, you will have:
slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0
**NOTE:** If using GRUB, you need to regenerate its configuration file to apply these, e.g. with **grub-mkconfig -o /boot/grub/grub.cfg** (or **update-grub** on Debian-based systems); then reboot and check **/proc/cmdline** to confirm the parameters took effect.
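A post-reboot check for the result above and for the CPU mitigations section, as an added example that is not part of the original guide: a POSIX shell script that reports which recommended parameters are missing from the running kernel's command line, whether the lockdown LSM is actually in confidentiality mode, and which entries under **/sys/devices/system/cpu/vulnerabilities/** still read **Vulnerable**. Inputs are passed as arguments so the functions can be exercised on constructed data (the sysfs strings below are made up for illustration); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a booted system
# against the recommended parameter list above and against the CPU
# mitigation state the kernel reports. All inputs are passed as arguments
# so the functions can be run on constructed data; pass --live to read the
# real /proc/cmdline and sysfs. Function names are this example's own.

# The full list from the Result section, minus CPU-specific mitigations.
RECOMMENDED="slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0"

# missing_params "actual cmdline" "wanted params" -> one line per wanted
# parameter that is absent. Matching is on the whole key=value, so
# "pti=off" on the command line does not satisfy "pti=on".
missing_params() {
    local actual wanted w a found
    actual=$1; wanted=$2
    for w in $wanted; do                 # unquoted on purpose: split on spaces
        found=0
        for a in $actual; do
            if [ "$a" = "$w" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$w"
        fi
    done
    return 0
}

# vulnerable_entries DIR -> "name: status" for every file in DIR (normally
# /sys/devices/system/cpu/vulnerabilities) whose status starts with
# "Vulnerable". "Not affected" and "Mitigation: ..." entries pass.
vulnerable_entries() {
    local dir f status
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
    return 0
}

# lockdown_mode FILE -> the bracketed (active) mode from a file in the
# format of /sys/kernel/security/lockdown, e.g. "none integrity [confidentiality]".
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

if [ "${1:-}" = "--live" ]; then
    echo "Recommended parameters missing from /proc/cmdline:"
    missing_params "$(cat /proc/cmdline)" "$RECOMMENDED"
    echo "Lockdown mode: $(lockdown_mode /sys/kernel/security/lockdown 2>/dev/null || echo unavailable)"
    echo "CPU issues still reported as vulnerable:"
    vulnerable_entries /sys/devices/system/cpu/vulnerabilities
fi
```

Run it as **sh check.sh --live** after rebooting. An empty "missing" list confirms the bootloader edit was picked up; a lockdown mode other than **confidentiality** usually means the kernel was built without the lockdown LSM or the parameter was dropped by the bootloader; a **Vulnerable** entry names the sysfs file to look up in **Documentation/admin-guide/hw-vuln/** for the parameter that is still missing.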
----