From f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:39:12 +1000
Subject: [PATCH] Update presentation of `quiet loglevel=0`
---
 etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++
 etc/default/grub.d/41_quiet_boot.cfg | 26 +++++++++++-----------
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index fcc5352..0854a4f 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -100,6 +100,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
 
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/next/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 48a38d4..c06ac8f 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -1,21 +1,21 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## NOTE: -## For higher verbosity, delete file /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, install the debug-misc package which will undo theses settings. - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - ## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-kernel +## https://www.kernel.org/doc/html/next/core-api/printk-basics.html ## https://wiki.archlinux.org/title/silent_boot ## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +## For easier debugging, these are not applied to the recovery boot option. +## Switch the pair of commands to universally apply parameters to all boot options. +## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## For Increased Log Verbosity: +## Comment-out the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, install the debug-misc package which will undo theses settingss.
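Review bot: The two active lines put `loglevel=0` ahead of `quiet`, which reverses the ordering the removed comment asked for ('"quiet" must be first'). As far as I know the kernel applies both as early parameters in command-line order and `quiet` itself sets the console log level, so a trailing `quiet` would likely raise the level back to the quiet default and let error-level messages reach the console until the kernel.printk sysctl is applied. Appending them the other way round keeps level 0 in effect: `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"` followed by `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"`. The commented-out `GRUB_CMDLINE_LINUX` pairs in this file and in 40_kernel_hardening.cfg use the same order and should be swapped with them. The last added comment line also carries the typos "theses settingss".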