## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Disable access to the GRUB single-user (recovery) mode menu entries.
##
## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
##
GRUB_DISABLE_RECOVERY="true"

## Disable access to Dracut's recovery console.
## Prevents the emergency shell from starting automatically during boot failures.
##
## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
##
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0"