Linux Hardening Guide - Boot parameters

Boot parameters pass settings to the kernel at boot using your bootloader.

• Some settings can be used to increase security, similar to sysctl.

Depending on the bootloader being used:

• If using GRUB as your bootloader, edit /etc/default/grub, and add your parameters to the GRUB_CMDLINE_LINUX_DEFAULT= line.
• If using Syslinux, edit /boot/syslinux/syslinux.cfg, and add them to the APPEND line.
• If using systemd-boot, edit your loader entry, and append them to the end of the linux line.

slab_nomerge

This disables slab merging, which significantly increases the difficulty of heap exploitation by preventing overwriting objects from merged caches and by making it harder to influence slab cache layout.

init_on_alloc=1 init_on_free=1

This enables zeroing of memory during allocation and free time, which can help mitigate use-after-free vulnerabilities and erase sensitive information in memory.

page_alloc.shuffle=1

This option randomizes page allocator freelists, improving security by making page allocations less predictable.

• This also improves performance.

pti=on

This enables Kernel Page Table Isolation, which mitigates Meltdown and prevents some KASLR bypasses.

randomize_kstack_offset=on

This option randomizes the kernel stack offset on each syscall, which makes attacks that rely on deterministic kernel stack layout significantly more difficult, such as the exploitation of CVE-2019-18683.

vsyscall=none

This disables vsyscalls, as they are obsolete and have been replaced with vDSO.

• vsyscalls are also at fixed addresses in memory, making them a potential target for ROP attacks.

debugfs=off

This disables debugfs, which exposes a lot of sensitive information about the kernel.

oops=panic

Sometimes certain kernel exploits will cause what is known as an "oops".

• This parameter will cause the kernel to panic on such oopses, thereby preventing those exploits.
• However, sometimes bad drivers cause harmless oopses which would result in your system crashing, meaning this boot parameter can only be used on certain hardware.

module.sig_enforce=1

This only allows kernel modules that have been signed with a valid key to be loaded, which increases security by making it much harder to load a malicious kernel module.

• This prevents all out-of-tree kernel modules, including DKMS modules from being loaded unless you have signed them, meaning that modules such as the VirtualBox or Nvidia drivers may not be usable, although that may not be important, depending on your setup.

lockdown=confidentiality

The kernel lockdown LSM can eliminate many methods that user space code could abuse to escalate to kernel privileges and extract sensitive information.

• This LSM is necessary to implement a clear security boundary between user space and the kernel.
• The above option enables this feature in confidentiality mode, the strictest option.
• This implies module.sig_enforce=1.

mce=0

This causes the kernel to panic on uncorrectable errors in ECC memory which could be exploited.

• This is unnecessary for systems without ECC memory.

quiet loglevel=0

These parameters prevent information leaks during boot and must be used in combination with the kernel.printk sysctl documented at sysctl.

spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force

If you have followed all of the above recommendations, excluding your specific CPU mitigations, you will have:

slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0

—-