Kernel Hardening via Boot Parameters
Set Boot Parameters via Grub
Example config for the Grub boot loader (/etc/default/grub.d/50_hardening.cfg):
GRUB_CMDLINE_LINUX_DEFAULT="init_on_alloc=1 nosmt=force vsyscall=none"
Then update the config:
$ update-grub
Tip
On Debian, the package hardening-runtime can be installed, which
configures many of these parameters for you. Look at
/etc/default/grub.d/01_hardening.cfg
after installing it.
Boot Parameters
init_on_alloc
Zero newly allocated pages:
init_on_alloc=1
See:
init_on_alloc= in The kernel’s command-line parameters
init_on_free
Zero free pages:
init_on_free=1
Warning
Stick with only init_on_alloc if performance is a concern.
See:
init_on_free= in The kernel’s command-line parameters
nosmt
Force-disable symmetric multithreading (AKA hyperthreading):
nosmt=force
See nosmt= in The kernel’s command-line parameters
page_alloc.shuffle
Tell page allocator to shuffle free list unconditionally:
page_alloc.shuffle=1
See:
page_alloc.shuffle= in The kernel’s command-line parameters
pti
Turn on PTI unconditionally:
pti=on
See:
random.trust_cpu
Do not trust CPU as a source of randomness:
random.trust_cpu=off
Concerns about backdoors have been raised and a series of bugs [1,2,3] have been uncovered.
See random.trust_cpu= in The kernel’s command-line parameters
randomize_kstack_offset
Randomize offset of kernel stack:
randomize_kstack_offset=1
See randomize_kstack_offset= in The kernel’s command-line parameters
slub_debug
Enable SLUB redzoning and sanity checking:
slub_debug=ZF
slab_nomerge
Do not merge slabs with similar size:
slab_nomerge
See slab_nomerge in The kernel’s command-line parameters
vsyscall
Disable legacy vsyscall mechanism:
vsyscall=none
See vsyscall= in The kernel’s command-line parameters
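To check whether a running kernel actually booted with the parameters listed above (Grub config edits are easy to get wrong, and update-grub must be re-run), here is an added audit script that is not part of this page or of the hardening-runtime package. It compares a kernel command line against the page's parameter list with whole-word matching and reports what is missing; the sample command line is constructed for the demo.

```shell
#!/bin/sh
# Audit a kernel command line against the hardening parameters from this page.
# The values are matched exactly, so slub_debug=FZ would be reported as missing
# even though the kernel treats it the same as slub_debug=ZF.

# Parameters in the order they appear on the page; slab_nomerge takes no value.
# init_on_free=1 is included; drop it if the performance warning above applies.
HARDENING_PARAMS="init_on_alloc=1 init_on_free=1 nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off randomize_kstack_offset=1 slub_debug=ZF slab_nomerge vsyscall=none"

# Print the parameters absent from the given command line, space separated.
# Matching is on whole words, so init_on_alloc=10 does not satisfy init_on_alloc=1.
missing_params() {
    cmdline=" $1 "
    missing=""
    for p in $HARDENING_PARAMS; do
        case "$cmdline" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# Exit status 0 if every parameter is present, 1 otherwise (details on stderr).
check_cmdline() {
    m=$(missing_params "$1")
    [ -z "$m" ] && return 0
    echo "missing hardening parameters: $m" >&2
    return 1
}

# Print the GRUB_CMDLINE_LINUX_DEFAULT line that would add the missing entries
# to an existing default line (the page's 50_hardening.cfg convention).
grub_line() {
    m=$(missing_params "$1")
    echo "GRUB_CMDLINE_LINUX_DEFAULT=\"$1${m:+ $m}\""
}

# Constructed sample: the page's Grub example plus the usual boot entries.
# On a live system use: check_cmdline "$(cat /proc/cmdline)"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro init_on_alloc=1 nosmt=force vsyscall=none"

check_cmdline "$SAMPLE_CMDLINE" || :
grub_line "init_on_alloc=1 nosmt=force vsyscall=none"
```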
Other Resources
The Kernel Self Protection Project has recommendations for compile-time, boot-time and run-time parameters.