The officially official Devuan Forum!


#1 2024-11-01 18:50:27

bai4Iej2need
Member
From: Ortenau
Registered: 2021-04-25
Posts: 117  

[SOLVED] kernel command line from pkg hardening-runtime with bug

root@host /proc # cat cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=...... ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
root@host /proc # grep CMDLINE /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="nvidia-drm.modeset=1"

everything behind

quiet

is not in the grub settings.
Kernel complains because kaslr is unknown to it.

2024-11-01T19:14:44.792356+01:00 host kernel: [    0.013968] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=e26f69aa-878b-46ca-8a16-c90ac9e06e62 ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
2024-11-01T19:14:44.792357+01:00 host kernel: [    0.014070] Unknown kernel command line parameters "kaslr BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 pti=on", will be passed to user space.
2024-11-01T19:14:44.793285+01:00 host kernel: [    3.354434]     kaslr

Where do these settings come from, and what do I have to test to get rid of the false entries?

Last edited by bai4Iej2need (2024-11-01 20:44:09)


The devil, you know, is better than the angel, you don't know. by a British Citizen, I don't know too good.
One generation abandons the enterprises of another like stranded vessels. By Henry David Thoreau, WALDEN, Economy. Line 236 (Gutenberg text Version)
broken by design :
https://bugs.debian.org/cgi-bin/bugrepo … bug=958390


#2 2024-11-01 19:05:16

rolfie
Member
Registered: 2017-11-25
Posts: 1,178  

Re: [SOLVED] kernel command line from pkg hardening-runtime with bug

I would first of all check the complete contents of /etc/default/grub, and then try a

# update-grub

Maybe something that is caused by the Nvidia driver?

Checked on my system; I do not see such a thing with my AMD graphics.

Last edited by rolfie (2024-11-01 19:05:51)


#3 2024-11-01 20:36:00

bai4Iej2need
Member
From: Ortenau
Registered: 2021-04-25
Posts: 117  

Re: [SOLVED] kernel command line from pkg hardening-runtime with bug

Did that, but the result remains the same.
This stems from the Debian package hardening-runtime,
which I installed some time ago. See there (if installed):

cat /usr/share/doc/hardening-runtime/README.Debian
cat /etc/default/grub.d/01_hardening.cfg 
# Linux command line options recommended by the KSPP
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"

# Other interesting options are:
# - intel_iommu=on (sometimes intel_iommu=on,igfx_off) for enabing I/OMMU

# When done editing the file, rebuild grub configuration with: update-grub

Now I must find out why the kernel refuses its parameter.

Last edited by bai4Iej2need (2024-11-01 20:36:53)


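To see where the extra words come from, here is an added shell example (mine, not code from the thread or from the hardening-runtime package). It mimics the part of Debian's grub-mkconfig that sources /etc/default/grub and then every /etc/default/grub.d/*.cfg, and reports which file introduced each word of GRUB_CMDLINE_LINUX_DEFAULT; make_sample_tree builds a constructed copy of the two files quoted in this thread so it can be tried without touching /etc.

```shell
#!/bin/sh
# Added example, not code from the thread or from the hardening-runtime package.
# Debian's grub-mkconfig sources /etc/default/grub and then every
# /etc/default/grub.d/*.cfg in glob order; each drop-in may append to
# GRUB_CMDLINE_LINUX_DEFAULT. This reproduces that order and reports which
# file introduced each word, which answers "where do these settings come from".

# Prints one "parameter origin-file" line per word of the assembled
# GRUB_CMDLINE_LINUX_DEFAULT. $1 is the sysconfdir, normally /etc.
cmdline_origins() {
    root="$1"
    prev=""
    GRUB_CMDLINE_LINUX_DEFAULT=""
    for f in "$root/default/grub" "$root"/default/grub.d/*.cfg; do
        [ -r "$f" ] || continue
        # shellcheck disable=SC1090
        . "$f"
        set -f   # no globbing while splitting the value into words
        for w in $GRUB_CMDLINE_LINUX_DEFAULT; do
            # A word that was absent before this file was sourced was added by it.
            case " $prev " in
                *" $w "*) ;;
                *) printf '%s %s\n' "$w" "$f" ;;
            esac
        done
        set +f
        prev="$GRUB_CMDLINE_LINUX_DEFAULT"
    done
}

# Builds a constructed copy of the files quoted in this thread under a temp
# dir and prints its path, so the function can be tried without touching /etc.
make_sample_tree() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/default/grub.d"
    printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' \
        'GRUB_CMDLINE_LINUX="nvidia-drm.modeset=1"' > "$dir/default/grub"
    printf '%s\n' \
        'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"' \
        > "$dir/default/grub.d/01_hardening.cfg"
    printf '%s\n' "$dir"
}

# Run with --demo to see the constructed case; otherwise pass a sysconfdir such as /etc.
if [ "${1:-}" = "--demo" ]; then
    cmdline_origins "$(make_sample_tree)"
elif [ -n "${1:-}" ]; then
    cmdline_origins "$1"
fi
```

On a real box, `sh thisscript.sh /etc` lists each parameter next to the file that added it, so a stale drop-in like 01_hardening.cfg stands out immediately.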


#4 2024-11-02 21:56:17

grunchy
Member
Registered: 2024-01-01
Posts: 15  

Re: [SOLVED] kernel command line from pkg hardening-runtime with bug

The hardening-runtime package is out of date and should be uninstalled.

In particular, the boot option kaslr no longer exists, as kaslr is the
default. However, there is a 'nokaslr' kernel parameter:

nokaslr         [KNL,EARLY]
                When CONFIG_RANDOMIZE_BASE is set, this disables
                kernel and module base offset ASLR (Address Space
                Layout Randomization).

I have the 6.10 kernel from backports, and its boot options can be found here:
   https://www.kernel.org/doc/html/v6.10/a … tions.html

The 6.10 kernel parameters can be found here:
   https://www.kernel.org/doc/html/v6.10/a … eters.html

Just change the kernel version in the above URLs to the one your kernel is
and take a look.

Good, more up-to-date hardening guides can be found here and here:
   https://wiki.archlinux.org/title/Hardening_Guides
   https://gist.github.com/dante-robinson/ … 87633ff8ca

Additionally, page_poison is no longer recommended and should be replaced
with 'init_on_alloc=1 init_on_free=1' and, related to this, change to
slub_debug=ZF instead of slub_debug=FPZ.

For reference, my personalised 'hardened' grub command line is:

   ipv6.disable=1 ia32_emulation=0 page_alloc.shuffle=1   \
   pti=on init_on_free=1 slab_nomerge slub_debug=ZF vsyscall=none"

On a practical note, hardening Devuan/Debian is really hard :-) so not
really worth it. The biggest weakness is the browser, not the kernel.
Try to harden Firefox (AppArmor, Firejail, VM) first.

If you are really motivated, then check out the Firefox hardening guides
such as arkenfox user.js. This involves a lot of work and is for the paranoid.

If you are really interested in hardening Linux, then try to make the
system read-only. That's a nice, long-term project. See Alpine Linux.

