In part 1 we checked .config, in part 2 sysctl settings. The third layer is boot parameters — flags passed to the kernel at startup.

Kernel Checker now has a Cmdline tab. Checks are based on recommendations from KSPP, grsecurity, CLIP OS, and CIS Benchmark.

Cmdline — Boot Parameters

Cmdline parameters are flags passed to the kernel at boot. Some of them disable security features — sometimes intentionally (debugging), sometimes through default bootloader configuration.

Examples of dangerous parameters:

nokaslr          — disables kernel ASLR
nopti            — disables Page Table Isolation (the Meltdown mitigation)
nospectre_v2     — disables Spectre v2 mitigation
nosmep           — disables SMEP (Supervisor Mode Execution Prevention)
nosmap           — disables SMAP (Supervisor Mode Access Prevention)

To check your parameters:

cat /proc/cmdline > cmdline.txt

Upload the file under the Cmdline tab. The checks target the x86_64 architecture.

A typical /proc/cmdline looks like:

BOOT_IMAGE=/vmlinuz-6.12.0 root=/dev/sda1 ro quiet splash

If there are no nokaslr, nopti, or similar flags, you’re probably fine. The checker will verify it precisely.
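A local version of that check, as an added example that is not Kernel Checker's own code: a POSIX shell function that scans a command line (a constructed sample here, or "$(cat /proc/cmdline)" on a live system) for flags that switch hardening off. The flag list is a hand-picked subset: the five flags above plus a few of their key=value equivalents; it is not the checker's full rule set.

```shell
#!/bin/sh
# Added example, not Kernel Checker's code. Scans a kernel command line
# for flags that disable hardening. The list below is a hand-picked
# subset (the page's five flags plus related key=value forms).
DISABLING_FLAGS="nokaslr nopti nospectre_v1 nospectre_v2 nosmep nosmap \
mitigations=off pti=off spectre_v2=off spec_store_bypass_disable=off \
mds=off l1tf=off init_on_alloc=0 init_on_free=0"

# check_cmdline "<cmdline string>"
# Prints every disabling flag found, one per line. Returns 0 when the
# command line is clean, 1 when at least one flag was found.
# Note: entries are matched as whole space-separated words, so a quoted
# value containing spaces (param="a b") is not handled.
check_cmdline() {
    found=0
    for word in $1; do
        for bad in $DISABLING_FLAGS; do
            if [ "$word" = "$bad" ]; then
                echo "$word"
                found=1
            fi
        done
    done
    return $found
}

# count_disabling_flags "<cmdline string>" -> prints the number of hits
count_disabling_flags() {
    check_cmdline "$1" | wc -l | tr -d ' '
}

# Demo on a constructed sample (not a real capture). On a live system
# run: check_cmdline "$(cat /proc/cmdline)"
if [ "${1:-}" = "--demo" ]; then
    SAMPLE="BOOT_IMAGE=/vmlinuz-6.12.0 root=/dev/sda1 ro quiet splash nokaslr pti=off"
    if check_cmdline "$SAMPLE"; then
        echo "cmdline clean"
    else
        echo "hardening disabled by the flags above"
    fi
fi
```

Run it as sh check_cmdline.sh --demo; the sample reports nokaslr and pti=off, while the typical cmdline shown above reports nothing.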

Where to change cmdline?

GRUB — edit /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Make sure there’s no nokaslr, nopti, or other disabling flags. After editing:

sudo update-grub

systemd-boot — edit the entry in /boot/loader/entries/:

options root=/dev/sda1 rw quiet

Three Layers

A complete kernel security check covers three layers:

  1. Kconfig — what’s compiled in (.config)
  2. Cmdline — what’s enabled/disabled at boot (/proc/cmdline)
  3. Sysctl — what’s set at runtime (sysctl -a)

Each layer can override the previous one. You can have CONFIG_RANDOMIZE_BASE=y in your config, but nokaslr in cmdline effectively disables it.

That’s why it’s worth checking all three.