Add missing GRUB command lines for disabled boot parameters

2025-06-07 19:22:42 -04:00 · 2024-08-03 00:09:42 +10:00 · 2024-08-03 00:09:42 +10:00 · e53d24fc48
commit e53d24fc48
parent de6f3ea74a
1 changed files with 3 additions and 3 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -135,7 +135,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
-#cfi=kcfi
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
@ -144,7 +144,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
-#ia32_emulation=0
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 ## 2. Direct Memory Access:
 ##
@ -222,4 +222,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
 ##
-#ipv6.disable=1
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"