improve: cleanup and document kargs

config/files/usr/share/ublue-os/just/60-custom.just

@@ -3,11 +3,30 @@ import '100-bling.just'
 
 # Add additional boot parameters for hardening (requires reboot)
 set-kargs-hardening:
-    rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="pti=on" --append="mitigations=auto,nosmt"
+    rpm-ostree kargs \
+      --append-if-missing="init_on_alloc=1" \
+      --append-if-missing="init_on_free=1" \
+      --append-if-missing="slab_nomerge" \
+      --append-if-missing="page_alloc.shuffle=1" \
+      --append-if-missing="randomize_kstack_offset=on" \
+      --append-if-missing="vsyscall=none" \
+      --append-if-missing="debugfs=off" \
+      --append-if-missing="lockdown=confidentiality" \
+      --append-if-missing="random.trust_cpu=off" \
+      --append-if-missing="random.trust_bootloader=off" \
+      --append-if-missing="iommu=force" \
+      --append-if-missing="intel_iommu=on" \
+      --append-if-missing="amd_iommu=force_isolation" \
+      --append-if-missing="iommu.passthrough=0" \
+      --append-if-missing="iommu.strict=1" \
+      --append-if-missing="pti=on" \
+      --append-if-missing="module.sig_enforce=1" \
+      --append-if-missing="mitigations=auto,nosmt"
 
 set-kargs-hardening-unstable:
     echo "Warning: setting these kargs may lead to boot issues on some hardware."
-    rpm-ostree kargs --append="efi=disable_early_pci_dma" --append="module.sig_enforce=1" 
+    rpm-ostree kargs \
+      --append-if-missing="efi=disable_early_pci_dma"
 
 harden-flatpak:
     flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

config/files/usr/share/ublue-os/just/60-custom.just.readme.md

@@ -0,0 +1,70 @@
+
+**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
+
+`init_on_alloc=1` 
+
+**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
+
+`init_on_free=1` 
+
+**Disables the merging of slabs, increasing difficulty of heap exploitation**
+
+`slab_nomerge`
+
+**Enables page allocator freelist randomization, reducing page allocation predictability**
+
+`page_alloc.shuffle=1` 
+
+**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
+
+`randomize_kstack_offset=on` 
+
+**Disable vsyscall as it is both obsolete and enable an ROP attack vector**
+
+`vsyscall=none` 
+
+**Disable debugfs to prevent exposure of sensitive kernel information**
+
+`debugfs=off` 
+
+**Enable kernel lockdown in the strictest mode**
+
+`lockdown=confidentiality` 
+
+**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
+
+`random.trust_cpu=off` 
+
+**Disable trusting the use of the a seed passed by the bootloader**
+
+`random.trust_bootloader=off`
+
+**Mitigate DMA attacks by enabling IOMMU**
+
+`iommu=force` 
+`intel_iommu=on` 
+`amd_iommu=force_isolation` 
+
+**Disable IOMMU bypass**
+
+`iommu.passthrough=0` 
+
+**Synchronously invalidate IOMMU hardware TLBs**
+
+`iommu.strict=1` 
+
+**Enable kernel page table isolation**
+
+`pti=on` 
+
+**Only allows kernel modules that have been signed with a valid key to be loaded**
+
+`module.sig_enforce=1` 
+
+**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
+
+`mitigations=auto,nosmt` 
+
+**Fill IOMMU protection gap by setting the busmaster bit during early boot**
+
+`efi=disable_early_pci_dma`