Finalize boot params

Signed-off-by: Tommy <contact@tommytran.io>
2024-09-16 12:44:42 -04:00 · 2022-09-05 02:26:22 -04:00 · 2022-09-05 02:26:22 -04:00 · 700e399e07
commit 700e399e07
parent 379e38d9ad
5 changed files with 8 additions and 73 deletions
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@ -144,23 +144,7 @@ kernel_arguments:
    - tsx_async_abort=full,nosmt
    - kvm.nx_huge_pages=force
    - nosmt=force
-    - l1d_flush=on
-    - mmio_stale_data=full,nosmt
-    - random.trust_bootloader=off
-    - random.trust_cpu=off
-    - intel_iommu=on 
-    - amd_iommu=on
-    - iommu.passthrough=0
-    - iommu.strict=1
-    - slab_nomerge
-    - init_on_alloc=1 
-    - init_on_free=1
-    - pti=on
-    - vsyscall=none
-    - page_alloc.shuffle=1
-    - randomize_kstack_offset=on
-    - extra_latent_entropy
-    - debugfs=off
+    - sysctl.kernel.dmesg_restrict=1
    - sysctl.fs.protected_fifos=2
    - sysctl.fs.protected_regular=2
    - sysctl.fs.protected_symlinks=1
--- a/Generic.yml
+++ b/Generic.yml
@ -162,23 +162,7 @@ kernel_arguments:
    - tsx_async_abort=full,nosmt
    - kvm.nx_huge_pages=force
    - nosmt=force
-    - l1d_flush=on
-    - mmio_stale_data=full,nosmt
-    - random.trust_bootloader=off
-    - random.trust_cpu=off
-    - intel_iommu=on 
-    - amd_iommu=on
-    - iommu.passthrough=0
-    - iommu.strict=1
-    - slab_nomerge
-    - init_on_alloc=1 
-    - init_on_free=1
-    - pti=on
-    - vsyscall=none
-    - page_alloc.shuffle=1
-    - randomize_kstack_offset=on
-    - extra_latent_entropy
-    - debugfs=off
+    - sysctl.kernel.dmesg_restrict=1
    - sysctl.fs.protected_fifos=2
    - sysctl.fs.protected_regular=2
    - sysctl.fs.protected_symlinks=1
@ -217,5 +201,4 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
-
+    - sysctl.net.ipv6.conf.default.accept_ra=0
--- a/GitLab.yml
+++ b/GitLab.yml
@ -164,23 +164,7 @@ kernel_arguments:
    - tsx_async_abort=full,nosmt
    - kvm.nx_huge_pages=force
    - nosmt=force
-    - l1d_flush=on
-    - mmio_stale_data=full,nosmt
-    - random.trust_bootloader=off
-    - random.trust_cpu=off
-    - intel_iommu=on 
-    - amd_iommu=on
-    - iommu.passthrough=0
-    - iommu.strict=1
-    - slab_nomerge
-    - init_on_alloc=1 
-    - init_on_free=1
-    - pti=on
-    - vsyscall=none
-    - page_alloc.shuffle=1
-    - randomize_kstack_offset=on
-    - extra_latent_entropy
-    - debugfs=off
+    - sysctl.kernel.dmesg_restrict=1
    - sysctl.fs.protected_fifos=2
    - sysctl.fs.protected_regular=2
    - sysctl.fs.protected_symlinks=1
@ -219,4 +203,4 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
+    - sysctl.net.ipv6.conf.default.accept_ra=0
--- a/OnlyOffice.yml
+++ b/OnlyOffice.yml
@ -163,23 +163,7 @@ kernel_arguments:
    - tsx_async_abort=full,nosmt
    - kvm.nx_huge_pages=force
    - nosmt=force
-    - l1d_flush=on
-    - mmio_stale_data=full,nosmt
-    - random.trust_bootloader=off
-    - random.trust_cpu=off
-    - intel_iommu=on 
-    - amd_iommu=on
-    - iommu.passthrough=0
-    - iommu.strict=1
-    - slab_nomerge
-    - init_on_alloc=1 
-    - init_on_free=1
-    - pti=on
-    - vsyscall=none
-    - page_alloc.shuffle=1
-    - randomize_kstack_offset=on
-    - extra_latent_entropy
-    - debugfs=off
+    - sysctl.kernel.dmesg_restrict=1
    - sysctl.fs.protected_fifos=2
    - sysctl.fs.protected_regular=2
    - sysctl.fs.protected_symlinks=1
@ -218,4 +202,4 @@ kernel_arguments:
    - sysctl.vm.swappiness=1
    - sysctl.kernel.perf_event_paranoid=3
    - sysctl.net.ipv6.conf.all.accept_ra=0
-    - sysctl.net.ipv6.conf.default.accept_ra=0
+    - sysctl.net.ipv6.conf.default.accept_ra=0
--- a/2
+++ b/2
@ -1 +1 @@
-spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off sysctl.fs.protected_fifos=2 sysctl.fs.protected_regular=2 sysctl.fs.protected_symlinks=1 sysctl.fs.protected_hardlinks=1 sysctl.net.core.bpf_jit_harden=2 sysctl.kernel.kexec_load_disabled=1 sysctl.kernel.kptr_restrict=2 sysctl.vm.mmap_rnd_bits=32 sysctl.vm.mmap_rnd_compat_bits=16 sysctl.kernel.yama.ptrace_scope=2 sysctl.fs.suid_dumpable=0 sysctl.kernel.randomize_va_space=2 sysctl.net.ipv4.tcp_rfc1337=1 sysctl.net.ipv4.conf.all.accept_redirects=0 sysctl.net.ipv4.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.secure_redirects=0 sysctl.net.ipv4.conf.default.secure_redirects=0 sysctl.net.ipv6.conf.all.accept_redirects=0 sysctl.net.ipv6.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.send_redirects=0 sysctl.net.ipv4.conf.default.send_redirects=0 sysctl.net.ipv4.icmp_echo_ignore_all=1 sysctl.net.ipv6.icmp.echo_ignore_all=1 sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1 sysctl.net.ipv4.tcp_syncookies=1 sysctl.net.ipv4.conf.all.accept_source_route=0 sysctl.net.ipv4.conf.default.accept_source_route=0 sysctl.net.ipv6.conf.all.accept_source_route=0 sysctl.net.ipv6.conf.default.accept_source_route=0 sysctl.net.ipv4.conf.default.rp_filter=1 sysctl.net.ipv4.conf.all.rp_filter=1 sysctl.net.ipv4.tcp_timestamps=0 sysctl.kernel.sysrq=132 sysctl.dev.tty.ldisc_autoload=0 sysctl.vm.unprivileged_userfaultfd=0 sysctl.vm.swappiness=1 sysctl.kernel.perf_event_paranoid=3 sysctl.net.ipv6.conf.all.accept_ra=0 sysctl.net.ipv6.conf.default.accept_ra=0
+spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force sysctl.kernel.dmesg_restrict=1 sysctl.fs.protected_fifos=2 sysctl.fs.protected_regular=2 sysctl.fs.protected_symlinks=1 sysctl.fs.protected_hardlinks=1 sysctl.net.core.bpf_jit_harden=2 sysctl.kernel.kexec_load_disabled=1 sysctl.kernel.kptr_restrict=2 sysctl.vm.mmap_rnd_bits=32 sysctl.vm.mmap_rnd_compat_bits=16 sysctl.kernel.yama.ptrace_scope=2 sysctl.fs.suid_dumpable=0 sysctl.kernel.randomize_va_space=2 sysctl.net.ipv4.tcp_rfc1337=1 sysctl.net.ipv4.conf.all.accept_redirects=0 sysctl.net.ipv4.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.secure_redirects=0 sysctl.net.ipv4.conf.default.secure_redirects=0 sysctl.net.ipv6.conf.all.accept_redirects=0 sysctl.net.ipv6.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.send_redirects=0 sysctl.net.ipv4.conf.default.send_redirects=0 sysctl.net.ipv4.icmp_echo_ignore_all=1 sysctl.net.ipv6.icmp.echo_ignore_all=1 sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1 sysctl.net.ipv4.tcp_syncookies=1 sysctl.net.ipv4.conf.all.accept_source_route=0 sysctl.net.ipv4.conf.default.accept_source_route=0 sysctl.net.ipv6.conf.all.accept_source_route=0 sysctl.net.ipv6.conf.default.accept_source_route=0 sysctl.net.ipv4.conf.default.rp_filter=1 sysctl.net.ipv4.conf.all.rp_filter=1 sysctl.net.ipv4.tcp_timestamps=0 sysctl.kernel.sysrq=132 sysctl.dev.tty.ldisc_autoload=0 sysctl.vm.unprivileged_userfaultfd=0 sysctl.vm.swappiness=1 sysctl.kernel.perf_event_paranoid=3 sysctl.net.ipv6.conf.all.accept_ra=0 sysctl.net.ipv6.conf.default.accept_ra=0