root@host /proc # cat cmdline
BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=...... ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
root@host /proc # grep CMDLINE /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="nvidia-drm.modeset=1"
Everything behind "quiet" is not in the grub settings.
Kernel complains because kaslr is unknown to it.
2024-11-01T19:14:44.792356+01:00 host kernel: [ 0.013968] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=e26f69aa-878b-46ca-8a16-c90ac9e06e62 ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
2024-11-01T19:14:44.792357+01:00 host kernel: [ 0.014070] Unknown kernel command line parameters "kaslr BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 pti=on", will be passed to user space.
2024-11-01T19:14:44.793285+01:00 host kernel: [ 3.354434] kaslr
Where do these settings come from, and what do I have to test to get rid of the false entries?
Last edited by bai4Iej2need (2024-11-01 20:44:09)
The devil, you know, is better than the angel, you don't know. by a British Citizen, I don't know too good.
One generation abandons the enterprises of another like stranded vessels. By Henry David Thoreau, WALDEN, Economy. Line 236 (Gutenberg text Version)
broken by design :
https://bugs.debian.org/cgi-bin/bugrepo … bug=958390
I would first of all check the complete contents of /etc/default/grub, and then try a
# update-grub
Maybe something that is caused by the NVidia driver?
Checked on my system, I do not see such a thing with my AMD graphics.
Last edited by rolfie (2024-11-01 19:05:51)
Did that, but the result remains the same.
This stems from the Debian package hardening-runtime, which I installed some time ago. See there (if installed):
cat /usr/share/doc/hardening-runtime/README.Debian
cat /etc/default/grub.d/01_hardening.cfg
# Linux command line options recommended by the KSPP
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"
# Other interesting options are:
# - intel_iommu=on (sometimes intel_iommu=on,igfx_off) for enabing I/OMMU
# When done editing the file, rebuild grub configuration with: update-grub
Now I must find out why the kernel refuses its parameter.
Last edited by bai4Iej2need (2024-11-01 20:36:53)
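As an added example (not code from the thread or from the hardening-runtime package), a POSIX shell script that takes the kernel's "Unknown kernel command line parameters" message and reports which grub config file, /etc/default/grub or one of the /etc/default/grub.d/*.cfg drop-ins that update-grub also sources, sets each rejected parameter. The sample config files and log line it builds are constructed data, and the comments on BOOT_IMAGE and pti= are added caveats, not something a poster wrote.

```shell
#!/bin/sh
# Added example, not from the thread: trace each parameter the kernel reported
# as unknown back to the grub config file that sets it. update-grub sources
# /etc/default/grub and then every /etc/default/grub.d/*.cfg drop-in, which
# is why the kernel line can carry options absent from /etc/default/grub.

# Print the quoted list from the kernel's
# 'Unknown kernel command line parameters "..."' message ($1 = log line).
unknown_params() {
    printf '%s\n' "$1" |
        sed -n 's/.*Unknown kernel command line parameters "\([^"]*\)".*/\1/p'
}

# Print file:line:text for every non-comment line in the given files that
# contains the parameter as a whole word. $1 = parameter, rest = files.
# Exit status is non-zero when nothing matches.
param_sources() {
    param=$1; shift
    grep -Hnw -- "$param" "$@" 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
}

# Walk the unknown list and report a source for each entry. BOOT_IMAGE is
# added by GRUB itself, so it never appears in a config file. "Unknown" only
# means no registered __setup handler: pti= is read straight from the raw
# command line by the kernel and still takes effect, so confirm it via
# /sys/devices/system/cpu/vulnerabilities/meltdown rather than this message.
report_sources() {
    logline=$1; shift
    for p in $(unknown_params "$logline"); do
        case $p in BOOT_IMAGE=*) continue ;; esac
        printf '%s defined in:\n' "$p"
        param_sources "$p" "$@" || printf '  (not found in any grub config)\n'
    done
}

# Constructed sample data mirroring the thread, so the script runs offline.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/grub.d"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX="nvidia-drm.modeset=1"\n' > "$tmp/grub"
    printf '# options recommended by the KSPP\nGRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"\n' > "$tmp/grub.d/01_hardening.cfg"
    log='kernel: [ 0.014070] Unknown kernel command line parameters "kaslr BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 pti=on", will be passed to user space.'
    report_sources "$log" "$tmp/grub" "$tmp"/grub.d/*.cfg
    rm -rf "$tmp"
}

demo
```

On a real system, replace the constructed paths with /etc/default/grub and /etc/default/grub.d/*.cfg and feed it the line from journalctl -k.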
the hardening-runtime package is out-of-date and should be uninstalled.
in particular, the boot option kaslr no longer exists as kaslr is the
default. however, there is a 'nokaslr' kernel parameter:
nokaslr [KNL,EARLY]
When CONFIG_RANDOMIZE_BASE is set, this disables
kernel and module base offset ASLR (Address Space
Layout Randomization).
I have the 6.10 kernel from backports and its boot options can be found here:
https://www.kernel.org/doc/html/v6.10/a … tions.html
the 6.10 kernel params can be found here:
https://www.kernel.org/doc/html/v6.10/a … eters.html
just change the kernel version in the above URLs to what your kernel is
and take a look.
a good, more up-to-date, hardening guide can be found here and here:
https://wiki.archlinux.org/title/Hardening_Guides
https://gist.github.com/dante-robinson/ … 87633ff8ca
additionally, page_poison is no longer recommended and should be replaced
with 'init_on_alloc=1 init_on_free=1' and, related to this, change to
slub_debug=ZF instead of slub_debug=FPZ
for reference, my personalised 'hardened' grub command line is:
ipv6.disable=1 ia32_emulation=0 page_alloc.shuffle=1 \
pti=on init_on_free=1 slab_nomerge slub_debug=ZF vsyscall=none
on a practical note, hardening devuan/debian is really hard :-) so not
really worth it. the biggest weakness is the browser, not the kernel.
try to harden firefox (apparmor, firejail, VM) first.
if you are really motivated then check out the firefox hardening guides
such as arkenfox user.js. this involves a lot of work and is for the paranoid.
if you are really interested in hardening linux then try to make the
system read-only. that's a nice, long-term project. see alpine linux.