Brussels / 3 & 4 February 2024


Kernel command line to configure userspace considered harmful

There was a time when we were happy and carefree, and booting our computers off a floppy disk found behind the pub down the road was an exciting and joyful adventure. Alas, those days are past now. Significant effort and investment have gone into securing the boot process of a general-purpose PC, and we are nowhere near done. Linux is trailing significantly behind Windows and macOS in this regard, and we have a long way to go. With TPM support in UKIs, systemd-stub and systemd-boot, the systemd project is trying to do its part in bringing the ecosystem forward.

But we need to talk about the kernel command line. Decades of [over|ab]use have made it into a kitchen sink, used to do anything and everything, and (custom) parsed by everything and anything, including the kernel before ExitBootServices() has been called. The attack surface that opens up for an authenticated writer is unfathomable, and the magnitude of a successful exploitation is simply unknowable. Is it time for the kernel command line to end?

This talk will explore alternatives to let users configure early initrd/userspace services provided by the systemd project, and plead with anybody willing to listen to start using those instead: UKIs, signed addons for UKIs, signed Confext/Sysext images, systemd credentials, SMBIOS Type 11 strings, bootconfig.


Luca Boccassi