Description
issue (coming from secureblue/secureblue#1438)
1. different order of kargs settings in general
kargs settings are in a different order in
- https://secureblue.dev/articles/kargs
- https://github.com/secureblue/secureblue/blob/live/files/justfiles/common/kargs.just
it's confusing somehow!
Compare
init_on_alloc=1: Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities.
init_on_free=1: Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities.
iommu=force and intel_iommu=on: Mitigate DMA attacks by enabling IOMMU.
iommu.passthrough=0: Disable IOMMU bypass.
iommu.strict=1: Synchronously invalidate IOMMU hardware TLBs.
kvm-intel.vmentry_l1d_flush=always: Enables unconditional flushes, required for complete l1d vulnerability mitigation.
l1d_flush=on: Enable the mechanism to flush the L1D cache on context switch.
l1tf=full,force: Force enables all available mitigations for the L1TF vulnerability.
lockdown=confidentiality: Enable kernel lockdown in the strictest mode.
loglevel=0: Only log level 0 (system is unusable) messages to the console.
mitigations=auto,nosmt: Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.
module.sig_enforce=1: Only allows kernel modules that have been signed with a valid key to be loaded.
oops=panic: Treat oopses as fatal, preventing attacks that depend on repeated oopses.
page_alloc.shuffle=1: Enables page allocator freelist randomization, reducing page allocation predictability.
pti=on: Enable kernel page table isolation.
randomize_kstack_offset=on: Randomize kernel stack offset on each syscall, making certain types of attacks more difficult.
random.trust_bootloader=off: Disable trusting the use of the seed passed by the bootloader.
random.trust_cpu=off: Disable CPU-based entropy sources, as it’s not auditable and has resulted in vulnerabilities.
rd.shell=0, rd.emergency=halt: Prevent initramfs malware injection
slab_nomerge: Disables the merging of slabs, increasing difficulty of heap exploitation.
spec_store_bypass_disable=on: Disable spec store bypass for all programs.
spectre_v2=on: Turn on spectre_v2 mitigations at boot time for all programs.
vdso32=0: Disable 32-bit vDSO.
vsyscall=none: Disable vsyscall as it is both obsolete and enables an ROP attack vector.
vs.
```
--append-if-missing=init_on_alloc=1 \
--append-if-missing=init_on_free=1 \
--append-if-missing=slab_nomerge \
--append-if-missing=page_alloc.shuffle=1 \
--append-if-missing=randomize_kstack_offset=on \
--append-if-missing=vsyscall=none \
--append-if-missing=random.trust_cpu=off \
--append-if-missing=random.trust_bootloader=off \
--append-if-missing=iommu=force \
--append-if-missing=intel_iommu=on \
--append-if-missing=iommu.passthrough=0 \
--append-if-missing=iommu.strict=1 \
--append-if-missing=pti=on \
--append-if-missing=vdso32=0 \
--append-if-missing=lockdown=confidentiality \
--append-if-missing=mitigations=auto,nosmt \
--append-if-missing=spectre_v2=on \
--append-if-missing=spec_store_bypass_disable=on \
--append-if-missing=l1d_flush=on \
--append-if-missing=l1tf=full,force \
--append-if-missing=kvm-intel.vmentry_l1d_flush=always \
--append-if-missing=loglevel=0 \
--append-if-missing=rd.shell=0 \
--append-if-missing=rd.emergency=halt
```
or
```
--delete-if-present="init_on_alloc=1" \
--delete-if-present="init_on_free=1" \
--delete-if-present="slab_nomerge" \
--delete-if-present="page_alloc.shuffle=1" \
--delete-if-present="randomize_kstack_offset=on" \
--delete-if-present="vsyscall=none" \
--delete-if-present="lockdown=confidentiality" \
--delete-if-present="random.trust_cpu=off" \
--delete-if-present="random.trust_bootloader=off" \
--delete-if-present="iommu=force" \
--delete-if-present="intel_iommu=on" \
--delete-if-present="amd_iommu=force_isolation" \
--delete-if-present="iommu.passthrough=0" \
--delete-if-present="iommu.strict=1" \
--delete-if-present="pti=on" \
--delete-if-present="vdso32=0" \
--delete-if-present="module.sig_enforce=1" \
--delete-if-present="mitigations=auto,nosmt" \
--delete-if-present="efi=disable_early_pci_dma" \
--delete-if-present="debugfs=off" \
--delete-if-present="spectre_v2=on" \
--delete-if-present="spec_store_bypass_disable=on" \
--delete-if-present="l1d_flush=on" \
--delete-if-present="gather_data_sampling=force" \
--delete-if-present="ia32_emulation=0" \
--delete-if-present="l1tf=full,force" \
--delete-if-present="kvm-intel.vmentry_l1d_flush=always" \
--delete-if-present="nosmt=force" \
--delete-if-present="oops=panic" \
--delete-if-present="loglevel=0" \
--delete-if-present="rd.shell=0" \
--delete-if-present="rd.emergency=halt"
```
2. different section of one specific setting (standard vs. unstable)
- https://secureblue.dev/articles/kargs : oops=panic in section "standard"
- https://github.com/secureblue/secureblue/blob/live/files/justfiles/common/kargs.just : oops=panic in section "unstable"
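The two mismatches this issue reports (order, and a karg present in one list but not the other) can be caught mechanically. The following is an added example, not code from the issue author or the secureblue project: it parses the article's `karg: description` lines and the justfile's `--append-if-missing=` / `--delete-if-present=` lines, reports membership and ordering differences, and checks a `/proc/cmdline` string against the expected set. The text excerpts are constructed shortened samples of the two sources, not the full lists.

```python
import re
# Constructed excerpts of the two sources the issue compares (not the full lists).
ARTICLE_TEXT = """\
init_on_alloc=1: Zero newly allocated pages and heaps.
iommu=force and intel_iommu=on: Mitigate DMA attacks by enabling IOMMU.
oops=panic: Treat oopses as fatal.
slab_nomerge: Disables the merging of slabs.
"""
JUSTFILE_TEXT = """\
--append-if-missing=init_on_alloc=1 \\
--append-if-missing=slab_nomerge \\
--append-if-missing=iommu=force \\
--append-if-missing=intel_iommu=on
"""
DELETE_TEXT = """\
--delete-if-present="init_on_alloc=1" \\
--delete-if-present="amd_iommu=force_isolation"
"""
# A kernel parameter: key, optionally '=value' (values like auto,nosmt keep their comma).
KARG_RE = re.compile(r'^[A-Za-z0-9_.\-]+(?:=[^\s"]+)?$')

def parse_article(text):
    """Kargs from 'karg[, karg][ and karg]: description' lines of the article."""
    args = []
    for line in text.splitlines():
        head, sep, _ = line.partition(":")
        if sep:  # lines without a colon (e.g. 'vs.') carry no karg
            args += [t for t in re.split(r",\s+|\s+and\s+", head.strip()) if KARG_RE.match(t)]
    return args

def parse_justfile(text, flag="--append-if-missing="):
    """Kargs from rpm-ostree style '<flag>karg' lines; strips quotes and trailing '\\'."""
    args = []
    for line in text.splitlines():
        line = line.strip().rstrip("\\").strip()
        if line.startswith(flag):
            args.append(line[len(flag):].strip('"'))
    return args

def compare(first, second):
    """Membership differences plus whether the shared kargs appear in the same order."""
    shared_first = [a for a in first if a in second]
    shared_second = [a for a in second if a in first]
    return {"only_in_first": [a for a in first if a not in second],
            "only_in_second": [a for a in second if a not in first],
            "same_order": shared_first == shared_second}
def missing_from_cmdline(expected, cmdline):
    """Expected kargs absent from a /proc/cmdline string (exact key=value match)."""
    present = set(cmdline.split())
    return [a for a in expected if a not in present]
```

On a running system, `missing_from_cmdline(parse_justfile(open("kargs.just").read()), open("/proc/cmdline").read())` lists hardening kargs the booted kernel did not receive.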