🛡 Qubes OS live mode. dom0 in RAM. Non-persistent Boot. RAM-Wipe. Protection against forensics. Tails mode. Hardening dom0. Root read‑only. Paranoid Security. Ephemeral Encryption

The hardening of the dom0 kernel has been strengthened in live modes! Parameters from Secureblue have been added.

I studied Secureblue’s hardening and extracted only the truly useful kernel parameters for dom0 and Qubes (hardening for networking and container workloads isn’t relevant to dom0). Those parameters are now included by default in the live modes (they don’t consume system resources and don’t affect regular operation in Qubes):

- `kernel.sysrq=0`: disables the SysRq key, so an attacker with physical access cannot use it to force a reboot, trigger a memory dump, or extract passwords, which hinders forensics.
- `kernel.perf_event_paranoid=3`: blocks unprivileged user access to perf_events, shrinking the attack surface for reconnaissance and exploits such as side-channel attacks.
- `kernel.kptr_restrict=2`: hides kernel pointers in /proc and dmesg, complicating exploit development (KASLR bypass) and memory analysis by forensic analysts.
- `kernel.panic=5`: automatically reboots the system 5 seconds after a kernel panic, limiting the window for memory dumps or forensics during a crash.
- `fs.protected_regular=2` and `fs.protected_fifos=2`: prevent privileged processes from opening or deleting regular files and FIFOs owned by other users, blocking symlink/TOCTOU attacks and privilege escalation.
- `kernel.printk=3333`: restricts console logging (levels < 3), reducing real-time leaks of sensitive data and DoS from log flooding.
- `kernel.kexec_load_disabled=1`: disables kexec_load, so even root cannot load an unauthorized kernel to bypass protections or gain persistence.
- `kernel.io_uring_disabled=2`: completely disables io_uring for all processes, removing a mechanism used for stealthy rootkits and EDR evasion.
- `lockdown=confidentiality`: enables strict lockdown mode, which stops root from modifying the kernel, reading kernel memory, or otherwise accessing the kernel image, strengthening anti-tampering and confidentiality.
- `module.sig_enforce=1`: allows only signed kernel modules to load, preventing rootkits via unsigned modules even from root.

As a result, we now have an ultra‑hardened dom0 that is considerably safer than Secureblue – isolation, root is read‑only, dom0 kernel and overlay mount are ultra‑hardened, RAM‑wipe everywhere (xen + dracut).

You can also add these parameters to the default Qubes boot.
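As an added example (not code from this post or from the Qubes OS project), here is a POSIX shell audit that compares a dom0 against the parameter list above and writes the sysctl part out as a sysctl.d drop-in, one way to carry the parameters over to the default Qubes boot as suggested. It assumes the `key = value` format that `sysctl -a` prints and reads the two boot-time options from /proc/cmdline, since `lockdown=` and `module.sig_enforce=` are kernel command-line options rather than sysctls (on a GRUB-based dom0 they belong in GRUB_CMDLINE_LINUX in /etc/default/grub; the script only checks them, it does not edit GRUB). `kernel.printk` is left out because sysctl reports it as four tab-separated fields, not a single number. The drop-in file name `99-dom0-hardening.conf` is an assumption, and the sample input is constructed and deliberately incomplete so that the report shows deviations.

```shell
#!/bin/sh
# Added example (not from the post or the Qubes project): audit a dom0 against the
# hardening profile from the post and emit a sysctl.d drop-in for it. Plain POSIX sh.

# Sysctl part of the profile. kernel.printk is omitted: sysctl reports it as four
# tab-separated fields, so it would need its own comparison.
PROFILE_SYSCTL="kernel.sysrq=0
kernel.perf_event_paranoid=3
kernel.kptr_restrict=2
kernel.panic=5
fs.protected_regular=2
fs.protected_fifos=2
kernel.kexec_load_disabled=1
kernel.io_uring_disabled=2"

# lockdown= and module.sig_enforce= are kernel command-line options, not sysctls,
# so they are checked against the kernel command line (/proc/cmdline) instead.
PROFILE_CMDLINE="lockdown=confidentiality module.sig_enforce=1"

# audit_sysctl FILE: FILE holds `sysctl -a` output ("key = value" lines).
# Prints one line per deviation; returns 0 only if every key matches.
audit_sysctl() {
    bad=0
    for kv in $PROFILE_SYSCTL; do
        key=${kv%%=*}
        want=${kv#*=}
        have=$(sed -n "s/^$key = //p" "$1" | head -n 1)
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=${have:-missing}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# audit_cmdline FILE: FILE holds the kernel command line (e.g. /proc/cmdline).
# Each expected token must appear as a whole space-separated word.
audit_cmdline() {
    bad=0
    for tok in $PROFILE_CMDLINE; do
        if ! tr ' ' '\n' < "$1" | grep -qx -- "$tok"; then
            echo "$tok missing from kernel command line"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# audit_all SYSCTL_FILE CMDLINE_FILE: combined report, returns 0 only on a full match.
audit_all() {
    report=$(audit_sysctl "$1" || true; audit_cmdline "$2" || true)
    if [ -z "$report" ]; then
        echo "OK: matches the dom0 hardening profile"
        return 0
    fi
    printf '%s\n' "$report"
    echo "$(printf '%s\n' "$report" | grep -c .) deviation(s)"
    return 1
}

# write_sysctl_dropin DIR: write the sysctl part of the profile in sysctl.d syntax.
# On dom0 the target would be /etc/sysctl.d/99-dom0-hardening.conf (file name is an
# assumption), applied with `sysctl --system`; prints the path written.
write_sysctl_dropin() {
    out="$1/99-dom0-hardening.conf"
    {
        echo "# dom0 hardening profile (sysctl part)"
        printf '%s\n' "$PROFILE_SYSCTL" | sed 's/=/ = /'
    } > "$out"
    echo "$out"
}

# --- Constructed sample input (not real dom0 output): a partially hardened box ---
WORK=$(mktemp -d)
cat > "$WORK/sysctl.txt" <<'EOF'
kernel.sysrq = 0
kernel.perf_event_paranoid = 3
kernel.kptr_restrict = 2
fs.protected_regular = 2
fs.protected_fifos = 2
kernel.kexec_load_disabled = 1
kernel.io_uring_disabled = 0
EOF
echo 'BOOT_IMAGE=/vmlinuz-PLACEHOLDER root=/dev/mapper/PLACEHOLDER-root ro lockdown=confidentiality quiet' > "$WORK/cmdline.txt"

# The sample is deliberately incomplete: kernel.panic is missing, io_uring is still
# enabled and module.sig_enforce=1 is absent, so this reports three deviations.
audit_all "$WORK/sysctl.txt" "$WORK/cmdline.txt" || true
write_sysctl_dropin "$WORK"

# On a real dom0:  sysctl -a > /tmp/sysctl.txt && audit_all /tmp/sysctl.txt /proc/cmdline
```

Run it once before and once after adding the drop-in and rebooting with the new command line; a clean "OK" line is the confirmation that the live-mode profile is in effect on the default boot too.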
