From 33e7ba4f402b3f917b03dff777797f6621e7c11c Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Mon, 7 Jul 2025 11:42:23 +0300
Subject: [PATCH] grub.d: add luks-disable-debugshell.cfg.FIXME

Ref: https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
---
etc/default/grub.d/luks-disable-debugshell.cfg.FIXME | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 etc/default/grub.d/luks-disable-debugshell.cfg.FIXME

diff --git a/etc/default/grub.d/luks-disable-debugshell.cfg.FIXME b/etc/default/grub.d/luks-disable-debugshell.cfg.FIXME
new file mode 100644
index 00000000..f046cd09
--- /dev/null
+++ b/etc/default/grub.d/luks-disable-debugshell.cfg.FIXME
@@ -0,0 +1,8 @@
+# Disable access to emergency root/debug shell upon wrong password entered.
+# https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
+
+# Debian
+#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT panic=0"
+
+# Fedora
+#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt"
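Review bot: Both commented-out assignments append to `GRUB_CMDLINE_LINUX_DEFAULT`, which grub-mkconfig applies only to the normal menu entries, so the generated recovery-mode entries would still boot without these parameters and keep the emergency shell reachable. For a hardening option it is safer to extend `GRUB_CMDLINE_LINUX`, e.g. `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=0"` and `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.shell=0 rd.emergency=halt"`. The header comment could also say that the setting only takes effect once the GRUB configuration is regenerated, and that it does not help where the kernel command line can still be edited from an unprotected GRUB menu. The `/etc/default/grub.d` drop-in directory appears to be a Debian/Ubuntu addition to grub-mkconfig, so the Fedora variant may need to be applied another way; worth confirming before the `.FIXME` suffix is dropped.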