security-misc/etc/default/grub.d/40_remount_secure.cfg

## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Remount Secure provides enhanced security via mount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure

## Option A (No Security):
## Disable Remount Secure.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"

## Option B (Low Security):
## Re-mount with nodev and nosuid only.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"

## Option C (Medium Security):
## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"

## Option D (Highest Security):
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
Update Copyright (C) to 2024 2024-05-11 10:18:36 +07:00			`## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
implement remount-secure 2023-10-22 20:36:03 +07:00			`## See the file COPYING for copying conditions.`

Add KSPP notice definitions 2024-08-26 08:34:12 +07:00			`## Definitions:`
			`## KSPP=yes: compliant with recommendations by the KSPP`
			`## KSPP=partial: partially compliant with recommendations by the KSPP`
Add KSPP=no definition 2024-09-26 20:09:21 +07:00			`## KSPP=no: not (currently) compliant with recommendations by the KSPP`
Clarify KSPP compliance header for the undocumented case 2024-10-14 09:54:30 +07:00			`## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.`
Add KSPP notice definitions 2024-08-26 08:34:12 +07:00
spelling 2024-07-17 22:40:51 +07:00			`## Remount Secure provides enhanced security via mount options:`
implement remount-secure 2023-10-22 20:36:03 +07:00			`## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure`

Refactor existing kernel parameters for clarity 2024-07-14 22:56:25 +07:00			`## Option A (No Security):`
comments 2023-10-23 03:12:26 +07:00			`## Disable Remount Secure.`
Refactor existing kernel parameters for clarity 2024-07-14 22:56:25 +07:00			`##`
fix 2023-10-23 03:22:08 +07:00			`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"`
implement remount-secure 2023-10-22 20:36:03 +07:00
Refactor existing kernel parameters for clarity 2024-07-14 22:56:25 +07:00			`## Option B (Low Security):`
			`## Re-mount with nodev and nosuid only.`
			`##`
fix 2023-10-23 03:22:08 +07:00			`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"`
comments 2023-10-23 03:12:26 +07:00
Refactor existing kernel parameters for clarity 2024-07-14 22:56:25 +07:00			`## Option C (Medium Security):`
			`## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.`
			`##`
fix 2023-10-23 03:22:08 +07:00			`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"`
comments 2023-10-23 03:12:26 +07:00
spelling 2024-07-17 22:40:51 +07:00			`## Option D (Highest Security):`
minor 2024-07-17 19:39:20 +07:00			`## Re-mount with nodev, nosuid, and noexec for all mount points including /home.`
Refactor existing kernel parameters for clarity 2024-07-14 22:56:25 +07:00			`##`
fix 2023-10-23 03:22:08 +07:00			`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"`