Update rule description

Mention that the kernel args configuration is different if using a bootable container image. This commit also unifies the description of removing the argument by defining a new Jinja macro containing the description.
jan-cerny · Dec 12, 2024 · 0dfba74 · 0dfba74
1 parent 32e5fdb
commit 0dfba74
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 13 deletions.
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
@@ -9,6 +9,8 @@ description: |-
 
     The mitigations must not be set to "off".
 
+    {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}}
+
 rationale: |-
     Hardware vulnerabilities allow programs to steal data that is currently processed on the
     computer. While programs are typically not permitted to read data from other programs, a

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
@@ -10,10 +10,7 @@ description: |-
     Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
     the <tt>nosmap</tt> boot paramenter option.
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>nosmap</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="nosmap"</pre>
+    {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}}
 
 rationale: |-
     Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
@@ -10,10 +10,7 @@ description: |-
     Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
     the <tt>nosmep</tt> boot paramenter option.
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>nosmep</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+    {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}}
 
 rationale: |-
     Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -13,12 +13,10 @@ description: |-
     By default, the <tt>debug-shell</tt> systemd service is already disabled.
 
     Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
-    boot paramenter option.
+    boot parameter option.
+
+    {{{ describe_grub2_argument_absent("systemd.debug-shell")  | indent(4) }}}
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
 
 rationale: |-
     This prevents attackers with physical access from trivially bypassing security

diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja
@@ -1069,8 +1069,34 @@ Run the following command to update command line for already installed kernels:
 Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
 <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"</pre>
 {{%- endif -%}}
+{{% if bootable_containers_supported == "true" %}}
+If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
+The kernel arguments should be set in <tt>/usr/lib/bootc/kargs.d</tt> in a TOML file that has the following form:
+<pre>
+# /usr/lib/bootc/kargs.d/10-example.toml
+kargs = ["{{{ arg_name_value }}}"]
+</pre>
+For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}.
+{{%- endif -%}}
 {{%- endmacro -%}}
 
+{{#
+    Describe how to remove a kernel argument from Grub2 default kernel command line.
+
+:param arg_name: The kernel parameter name
+:type arg_name: str
+#}}
+{{%- macro describe_grub2_argument_absent(arg_name) -%}}
+Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+doesn't contain the argument <tt>{{{ arg_name }}}</tt>.
+Run the following command to update command line for already installed kernels:
+<pre># grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}"</pre>
+{{% if bootable_containers_supported == "true" %}}
+If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the <tt>/usr/lib/bootc/kargs.d</tt> directory.
+Remove all occurences of <tt>{{{ arg_name }}}</tt> from all files in <tt>/usr/lib/bootc/kargs.d</tt>.
+For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}.
+{{%- endif -%}}
+{{%- endmacro -%}}
 
 {{#
     Describe how to check a kernel compile parameter