From f4bd3d92825f018622b5670a8853172d933b2935 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Mon, 7 Jul 2025 11:35:56 +0300
Subject: [PATCH] n/essentialsoftware: disable root emergency shell for invalid luks password

Ref: https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
---
 n/essentialsoftware.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/n/essentialsoftware.md b/n/essentialsoftware.md
index b234759..c21f00a 100644
--- a/n/essentialsoftware.md
+++ b/n/essentialsoftware.md
@@ -197,8 +197,9 @@ sudo rpm-ostree override remove firefox firefox-langpacks
 sudo systemctl enable rpm-ostreed-automatic.timer --now
 # Disable bootsplash and kernel message hiding, adjust rootfs fstab,
 # REMEMBER TO REMOVE SSD FOR NON-SSD setups! Legacy interface names (eth0,
-# wlan0) are also nice. Ensure CPU vulnerability mitigation while at kargs too.
-sudo rpm-ostree kargs --delete=rhgb --delete=quiet --delete=rootflags=subvol=root --append=rootflags=subvol=root,noatime,compress-force=zstd:0,ssd --append=net.ifnames=0 --append=mitigations=auto,nosmt
+# wlan0) are also nice, like is not letting invalid LUKS password drop into
+# root emergency shell. Ensure CPU vulnerability mitigation while at kargs too.
+sudo rpm-ostree kargs --delete=rhgb --delete=quiet --delete=rootflags=subvol=root --append=rootflags=subvol=root,noatime,compress-force=zstd:0,ssd --append=net.ifnames=0 --append=rd.shell=0 --append=rd.emergency=halt --append=mitigations=auto,nosmt
 # Another reminder to not use flag SSD above if there is no SSD on the system.
 # I would additionally use lockdown=confidentiality (or lockdown=integrity if
 # less privacy and security was required, but that prevents shipped osnoise
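Review bot: The added `rd.shell=0 rd.emergency=halt` kargs on the new `sudo rpm-ostree kargs` line do not by themselves close the attack in the referenced insinuator write-up, because an attacker with physical access who can reach the bootloader menu can simply edit the kernel command line and delete them before booting; kernel arguments are only as trustworthy as the bootloader that passes them. The comment on the two new `#` lines should say so and point at the companion step, e.g. `# rd.shell=0/rd.emergency=halt only help if the GRUB menu is locked (grub2-setpassword) or the cmdline is sealed into a signed UKI`; on Fedora-based rpm-ostree systems `grub2-setpassword` is presumably the available tool, so confirm for the target image. Also worth a caveat in the same comment: with `rd.emergency=halt` any initramfs failure (not just a wrong LUKS passphrase) halts the machine with no recovery shell, so keep a trusted rescue medium at hand. As a wording nit, "like is not letting invalid LUKS password drop into" reads awkwardly; "and so is not letting an invalid LUKS password drop into the" would be clearer.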