From joshua.brindle at crunchydata.com Tue Sep 1 14:17:25 2020
From: joshua.brindle at crunchydata.com (Joshua Brindle)
Date: Tue, 1 Sep 2020 10:17:25 -0400
Subject: [scap-security-guide] alternate bootloader for e.g., KPTI
Message-ID:

This is my first time emailing here, please let me know if there is somewhere more appropriate.

We are using systemd-boot and dracut UEFI images that combine the kernel, cmdline, and initramfs into a single, signed PE binary for secure boot purposes. As such, there is no grub config and content like "Enable Kernel Page-Table Isolation (KPTI)" fails. This can easily be disabled with tailoring, of course, but I would prefer oscap to figure out that I'm using systemd-boot (or just directly booting UEFI images) and check those instead, for example:

    # objdump -s -j .cmdline /boot/efi/EFI/Linux/linux-4.18.0-193.14.3.el8_2.x86_64-ce46f7361c82415c968ebd1e23f77b4f.efi

    /boot/efi/EFI/Linux/linux-4.18.0-193.14.3.el8_2.x86_64-ce46f7361c82415c968ebd1e23f77b4f.efi:     file format pei-x86-64

    Contents of section .cmdline:
     30000 726f2072 6573756d 653d4c41 42454c3d  ro resume=LABEL=
     30010 73776170 20726f6f 743d4c41 42454c3d  swap root=LABEL=
     30020 726f6f74 20637261 73686b65 726e656c  root crashkernel
     30030 3d617574 6f207074 693d6f6e 00        =auto pti=on.

So the cmdline can be extracted from the UEFI binary and contents checked.

I'm new to scap security guide so I'm willing to send PRs for this, but I don't see a mechanism to choose one bootloader over another based on packages installed while running a standard OSPP profile, so any pointers there would be helpful.

Thank you.
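As an added illustration (not part of this email and not code from the SCAP Security Guide project), the following Python script does what the objdump command above does by hand: it walks the PE/COFF section table of a unified kernel image, pulls out the `.cmdline` section, and checks the kernel parameters for `pti=on`. The sample image it checks is constructed inside the script from the cmdline shown in the hex dump, so it runs offline; point it at a real `/boot/efi/EFI/Linux/*.efi` file with a path argument instead. The pass/fail rule (an explicit `pti=on` is required, and `nopti` or `pti=off` fails) is an assumption about what the KPTI rule would want, not SSG's actual OVAL logic.

```python
"""Extract the .cmdline section of a systemd-boot/dracut unified kernel image (a PE binary)
and check it for Kernel Page-Table Isolation (pti=on). Added example; not SSG code."""
import struct
import sys

PE_SIG_OFFSET = 0x3C          # e_lfanew: offset of the "PE\0\0" signature in the DOS header
COFF_HEADER_SIZE = 20
SECTION_ENTRY_SIZE = 40


def read_pe_section(image: bytes, wanted: bytes) -> bytes:
    """Return the raw bytes of the named section (e.g. b".cmdline") from a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, PE_SIG_OFFSET)[0]
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: bad PE signature")
    # COFF file header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsect = struct.unpack_from("<H", image, pe_off + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 4 + 16)[0]
    table = pe_off + 4 + COFF_HEADER_SIZE + opt_size
    for i in range(nsect):
        name, vsize, _va, rawsize, rawoff = struct.unpack_from(
            "<8sIIII", image, table + SECTION_ENTRY_SIZE * i)
        if name.rstrip(b"\x00") == wanted:
            if rawoff + rawsize > len(image):
                raise ValueError("section points past end of image")
            # VirtualSize is the real payload length; SizeOfRawData is padded to file alignment
            return image[rawoff:rawoff + min(vsize, rawsize)]
    raise KeyError(f"section {wanted!r} not found")


def extract_cmdline(image: bytes) -> str:
    """The kernel command line stored in .cmdline, up to its NUL terminator."""
    raw = read_pe_section(image, b".cmdline")
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace").strip()


def parse_cmdline(cmdline: str) -> dict:
    """Kernel parameters as a dict; bare flags map to None, later duplicates win."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def kpti_enabled(cmdline: str) -> bool:
    """Assumed rule: pass only when pti=on is explicit and nothing disables PTI."""
    params = parse_cmdline(cmdline)
    if "nopti" in params or params.get("pti") == "off":
        return False
    return params.get("pti") == "on"


def build_sample_efi(cmdline: str) -> bytes:
    """Constructed minimal PE32+ image with .linux and .cmdline sections (a stand-in for
    a real unified kernel image; the optional header content is irrelevant to the walk)."""
    sections = [(b".linux", b"\x00" * 16), (b".cmdline", cmdline.encode() + b"\x00")]
    opt_size = 240
    pe_off = 0x40
    raw_off = pe_off + 4 + COFF_HEADER_SIZE + opt_size + SECTION_ENTRY_SIZE * len(sections)
    raw_off = (raw_off + 0x1FF) & ~0x1FF            # 512-byte file alignment
    dos = b"MZ" + b"\x00" * (PE_SIG_OFFSET - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x0002)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (opt_size - 2)   # PE32+ magic
    table, data, va, off = b"", b"", 0x1000, raw_off
    for name, body in sections:
        size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(body), va, size, off,
                             0, 0, 0, 0, 0x40000040)   # initialized data, readable
        data += body + b"\x00" * (size - len(body))
        va += 0x1000
        off += size
    header = dos + b"PE\x00\x00" + coff + opt + table
    return header + b"\x00" * (raw_off - len(header)) + data


SAMPLE_CMDLINE = "ro resume=LABEL=swap root=LABEL=root crashkernel=auto pti=on"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_efi(SAMPLE_CMDLINE)   # constructed sample
    cmdline = extract_cmdline(image)
    print("cmdline:", cmdline)
    print("KPTI check:", "pass" if kpti_enabled(cmdline) else "fail")
```

The section walk only trusts the header fields it needs and bounds-checks the section offset before slicing, which matters when the image under test is untrusted input rather than a file the administrator just signed.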