secureblue/files/system/usr/share/ublue-os/just/60-custom.just.readme.md

## Included in set-kargs-hardening

**Zeroes newly allocated pages and heap allocations, mitigating use-after-free vulnerabilities**
`init_on_alloc=1`

**Fills freed pages and heap allocations with zeroes, mitigating use-after-free vulnerabilities**
`init_on_free=1`

**Disables the merging of slabs, increasing the difficulty of heap exploitation**
`slab_nomerge`

**Enables page allocator freelist randomization, reducing page allocation predictability**
`page_alloc.shuffle=1`

**Randomizes the kernel stack offset on each syscall, making certain types of attacks more difficult**
`randomize_kstack_offset=on`

**Disables vsyscall, as it is both obsolete and enables a ROP attack vector**
`vsyscall=none`

**Enables kernel lockdown in the strictest mode**
`lockdown=confidentiality`

**Disables CPU-based entropy sources, as they are not auditable and have resulted in vulnerabilities**
`random.trust_cpu=off`

**Disables trusting a seed passed by the bootloader**
`random.trust_bootloader=off`

**Mitigates DMA attacks by enabling the IOMMU**
`iommu=force`
`intel_iommu=on`
`amd_iommu=force_isolation`

**Disables IOMMU bypass**
`iommu.passthrough=0`

**Synchronously invalidates IOMMU hardware TLBs**
`iommu.strict=1`

**Enables kernel page table isolation**
`pti=on`

**Only allows kernel modules that have been signed with a valid key to be loaded**
`module.sig_enforce=1`

**Automatically mitigates all known CPU vulnerabilities, including disabling SMT if necessary**
`mitigations=auto,nosmt`
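A quick way to verify that a booted kernel actually carries every karg listed above is to compare `/proc/cmdline` against the list token by token. The script below is an added example, not part of secureblue's just recipes; `missing_kargs` and the sample command line are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not secureblue code): audit a kernel command line against
# the set-kargs-hardening list. Function name and sample cmdline are
# constructed for this example.

# The kargs applied by set-kargs-hardening, as listed on this page.
HARDENING_KARGS="init_on_alloc=1 init_on_free=1 slab_nomerge page_alloc.shuffle=1 \
randomize_kstack_offset=on vsyscall=none lockdown=confidentiality \
random.trust_cpu=off random.trust_bootloader=off iommu=force intel_iommu=on \
amd_iommu=force_isolation iommu.passthrough=0 iommu.strict=1 pti=on \
module.sig_enforce=1 mitigations=auto,nosmt"

# missing_kargs CMDLINE [KARG...]
# Prints every expected karg that is not present as a whole token in CMDLINE.
# Whole-token matching matters: "mitigations=auto" must not satisfy
# "mitigations=auto,nosmt". Returns 1 if anything is missing, else 0.
missing_kargs() {
    cmdline="$1"; shift
    rc=0
    for karg in "$@"; do
        found=0
        for tok in $cmdline; do
            [ "$tok" = "$karg" ] && { found=1; break; }
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$karg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: everything present except the ",nosmt" part of mitigations.
SAMPLE_CMDLINE="BOOT_IMAGE=(hd0,gpt2)/boot/vmlinuz root=UUID=PLACEHOLDER rw quiet \
init_on_alloc=1 init_on_free=1 slab_nomerge page_alloc.shuffle=1 \
randomize_kstack_offset=on vsyscall=none lockdown=confidentiality \
random.trust_cpu=off random.trust_bootloader=off iommu=force intel_iommu=on \
amd_iommu=force_isolation iommu.passthrough=0 iommu.strict=1 pti=on \
module.sig_enforce=1 mitigations=auto"

# On a live system: missing_kargs "$(cat /proc/cmdline)" $HARDENING_KARGS
```

Running it against the sample prints only `mitigations=auto,nosmt` and exits non-zero, so it can gate a post-boot check in a script.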

## Included in set-kargs-hardening-unstable

**Fills an IOMMU protection gap by clearing the busmaster bit during early boot**
`efi=disable_early_pci_dma`

**Disables debugfs to prevent exposure of sensitive kernel information**
`debugfs=off`