diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
index 19ef226e4d6..78d2204659c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
@@ -9,6 +9,8 @@ description: |- The mitigations must not be set to "off". + {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}} + rationale: |- Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
index 691a8857d01..f54daaf2b3e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
@@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. - Check that the line
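Review bot: The reused macro tells the reader to run `grubby --update-kernel=ALL --remove-args="mitigations=off"`, but this rule's description only forbids the value "off", not the mitigations argument itself; as far as I recall grubby matches `--remove-args` on the key before `=`, so that command would also strip a deliberately configured value such as `mitigations=auto` (verify against the grubby version the content targets). If that holds, this rule needs wording distinct from the pure argument-absent rules, for example a sentence that the argument may remain with any value other than off plus a `grubby --args` re-set step after the removal, rather than a bare `describe_grub2_argument_absent("mitigations=off")`. The macro's visible bootc branch, "Remove all occurences of mitigations=off", fits this rule better and also carries a typo ("occurrences"). The description key begins above the hunk.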
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmap. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmap"
+ {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}} rationale: |- Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
index d887e29fbf6..fd643ee7192 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
@@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. - Check that the line
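Review bot: The context line `the nosmap boot paramenter option.` keeps the same misspelling that this commit corrects to `parameter` in the grub2_systemd_debug-shell_argument_absent rule, and the grub2_nosmep_argument_absent hunk has the identical `paramenter` typo. Since both description blocks are being rewritten here anyway, change them to `the nosmap boot parameter option.` and `the nosmep boot parameter option.` so the three rules read consistently. The description key starts above the hunk.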
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmep. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmep"
+ {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}} rationale: |- Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
index a8315352e60..5649cb56a45 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -13,12 +13,10 @@ description: |- By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 - boot paramenter option. + boot parameter option. + + {{{ describe_grub2_argument_absent("systemd.debug-shell") | indent(4) }}} - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument systemd.debug-shell=1. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
rationale: |- This prevents attackers with physical access from trivially bypassing security
diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja
index 4089d4d8707..22787371dea 100644
--- a/shared/macros/01-general.jinja
+++ b/shared/macros/01-general.jinja
@@ -1069,8 +1069,34 @@ Run the following command to update command line for already installed kernels: Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
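Review bot: The context line directly above the corrected `boot parameter option.` still reads `systemd.debug-shel=1`, which misspells the kernel argument that the macro call just below names correctly; change it to `Ensure the debug-shell is not enabled by the systemd.debug-shell=1`. Separately, the removed text said the line must not contain `systemd.debug-shell=1`, whereas the macro renders "doesn't contain the argument systemd.debug-shell", which is slightly broader; that matches the `grubby --update-kernel=ALL --remove-args="systemd.debug-shell"` remediation the old text already gave, so it only needs a mention in the commit description. The description key starts above the hunk.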
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"
{{%- endif -%}} +{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead. +The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form: +
+# /usr/lib/bootc/kargs.d/10-example.toml
+kargs = ["{{{ arg_name_value }}}"]
+
+For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} {{%- endmacro -%}} +{{# + Describe how to remove a kernel argument from Grub2 default kernel command line. + +:param arg_name: The kernel parameter name +:type arg_name: str +#}} +{{%- macro describe_grub2_argument_absent(arg_name) -%}} +Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub +doesn't contain the argument {{{ arg_name }}}. +Run the following command to update command line for already installed kernels: +
# grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}"
+{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the /usr/lib/bootc/kargs.d directory. +Remove all occurences of {{{ arg_name }}} from all files in /usr/lib/bootc/kargs.d. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} +{{%- endmacro -%}} {{# Describe how to check a kernel compile parameter