Merge branch 'master' into panic_limits

etc/default/grub.d/40_kernel_hardening.cfg

@@ -188,15 +188,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## The default implementation is FineIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
-## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
+## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
 ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
-## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
-## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
-## Do not modify from the default setting if unsure of implications.
 ##
-## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
+## https://lwn.net/Articles/891976/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
 ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
 ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
 ## https://docs.kernel.org/next/x86/shstk.html
@@ -207,12 +206,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP sets the kernel parameter.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 
-## Disable support for x86 processes and syscalls.
+## Disable support for all 32-bit x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@@ -220,10 +216,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 
 ## Disable EFI persistent storage feature.
 ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.

etc/default/grub.d/41_recovery_restrict.cfg

@@ -7,14 +7,17 @@
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
-## Disable access to single-user (recovery) mode.
+## Disable access to the GRUB single-user (recovery) mode menu entries.
 ##
 ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
 ##
 GRUB_DISABLE_RECOVERY="true"
 
 ## Disable access to Dracut's recovery console.
+## Prevents the emergency shell from starting automatically during boot failures.
 ##
+## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
+## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
 ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
 ##
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"