1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Add hardened boot param

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-09-27 00:30:43 -07:00
parent c4376d44fa
commit 9de2dbfe0b

View File

@ -250,8 +250,6 @@ update-initramfs -c -k all
If you are doing mirroring:
```bash
zfs set org.zfsbootmenu:commandline="quiet loglevel=4" zroot/ROOT
zfs set org.zfsbootmenu:keysource="zroot/ROOT/ubuntu" zroot
cat << EOF >> /etc/fstab
$( blkid | grep /dev/md0 | cut -d ' ' -f 2 ) /boot/efi vfat defaults 0 0
@ -263,6 +261,15 @@ mount /boot/efi
If you are not, just replace `md0` in the commands above with your efi partition.
### Set ZFSBootMenu properties
Next, we will set the kernel boot parameters and the encryption key source for ZFSBootMenu. Here, we will deviate from the official guide and use a hardened boot parameter for better security:
```bash
zfs set org.zfsbootmenu:commandline="quiet loglevel=4 spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off" zroot/ROOT
zfs set org.zfsbootmenu:keysource="zroot/ROOT/ubuntu" zroot
```
### Install ZFSBootMenu
#### To use it without remote unlocking, just follow the official guide:
@ -349,4 +356,4 @@ exit
umount -n -R /mnt
zpool export zroot
reboot
```
```