Should this be set in the initramfs?

Some logs are shown before systemd-sysctl executes so using /etc/sysctl.d/ may not be enough.

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

https://github.com/Whonix/security-misc/pull/51

Sounds good.

Still wondering if initramfs modification this can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Would the following kernel parameter(s) reach the same goal?

• printk.devkmsg=off
• loglevel=0
• quiet

Just now asked:
How to set sysctl using kernel comand line parameter?

In T950#19228, @madaidan wrote:

https://github.com/Whonix/security-misc/pull/51

Could you please add a feature to easily enable debugging?

What is THE kernel option for "more verbose, debug"? debug? ignore_loglevel? Such as if kernel parameter debug is set, do not use kernel.print in initramfs. Just exit.

Then I could add debug to grub-output-verbose as kernel parameter. (That package is in next version no longer installed by default.) (And that package is useful at least for me to easily enable debugging.)

grub-output-verbose could also drop a snippet which deactivates what /etc/sysctl.d/printk.conf does and reset kernel.print to default or even higher level.

printk.devkmsg=off

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

loglevel=0
quiet

Dunno about these. Need to be tested.

Could you please add a feature to easily enable debugging?

Should I check for the debug kernel parameter or something else?

In T950#19231, @madaidan wrote:

quiet

quiet (Debian default :)) works really well. After sudo apt purge grub-output-verbose and sudo update-grub [1] this is all I am seeing on a VirtualBox serial console.

Loading Linux 4.19.0-6-amd64 ...
Loading initial ramdisk ...
[ 2.093532] sd 4:0:0:0: [sda] Incomplete mode parameter data
[ 2.099586] sd 4:0:0:0: [sda] Assuming drive cache: write through
/dev/sda1: clean, 110434/6553600 files, 1300598/26213632 blocks
[ 4.771736] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[ 4.785116] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[ 5.880020] [p_lkrg] Loading LKRG...
[ 6.474864] [p_lkrg] LKRG initialized successfully!
[ 14.679246] ram_adjusted_desktop_starter[1624]: [INFO] If your host has little RAM, you are advised to reduce Gateway RAM to 256 MB. No graphical desktop environment will be started in that case. A Gateway without graphical desktop environment works as good as one with, it's just not that convenient. If you want, you can sometimes start a graphical desktop environment by toggling how much RAM is available to Gateway. Documentation about this feature can be found here: https://www.whonix.org/wiki/Desktop
[ 14.688327] ram_adjusted_desktop_starter[1624]: [INFO] Trying to start login manager (graphical desktop environment) lightdm...

[1] grub-output-verbose should run "sudo update-grub" at removal but does not do yet.

The loader of tirdad is currently using dmesg.

## https://github.com/0xsirus/tirdad/issues/5
## /var/log/kern.log is unsuitable. It can during manual testing i.e.
## 'sudo /usr/lib/tirdad/loader' but not when run through systemctl i.e.
## 'sudo systemctl restart tirdad-dkms'.
## https://phabricator.whonix.org/T950
while read -r line; do
  if echo "$line" | grep --quiet --ignore-case "Installing tirdad hook succeeded" ; then
     exit "$exit_code"
  fi
done < <( dmesg --notime --follow )

Setting kernel.printk=3 3 3 3 with sysctl might break it. Hopefully no longer needed as per my previous post. Something to keep in mind.

In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

This is no longer the case.

This issue is fixed now due to the quiet boot parameter. kernel.printk=3 3 3 3 isn't needed anymore.

And of course these messages are attributed to whatever Whonix issue someone is having.

• https://www.reddit.com/r/Whonix/comments/g0ebgc/unfamiliar_issue_aborted_icon/
• https://imgur.com/a/IiVaxyc

Maybe from Linux 5.7+ sysctls can be set from Linux boot cmdline. (Related: T984)

/etc/sysctl.d/20-quiet-printk.conf

kernel.printk = 3 3 3 3

followed by sudo update-initramfs -u hides [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message. Which is progress. But does not hide [sda] Incomplete mode parameter data.

Maybe also thanks to sysctl-initramfs.

I've also tested the following values.

kernel.printk = 2 2 2 2
kernel.printk = 1 1 1 1
kernel.printk = 0 0 0 0

These also did hide [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.but did not hide [sda] Incomplete mode parameter data.

https://github.com/Whonix/security-misc/commit/8d2e4b68dcae87b27f519196488e0ed7e8b95ef2

Even kernel parameter quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_priority=3
(from https://wiki.archlinux.org/index.php/Silent_boot)
does not hide [sda] Incomplete mode parameter data.

More ideas that don't require kernel recompilation?

Setting quiet loglevel=0 in that exact order as per https://github.com/Whonix/security-misc/commit/6485df8126b52a2072824fa442e8d1dd5cb18981 does now hide [sda] Incomplete mode parameter data. However, messages by LKRG are not yet hidden.

[    5.382817] [p_lkrg] Loading LKRG...
[    5.864095] [p_lkrg] LKRG initialized successfully!
[    6.118039] [p_lkrg] ALERT !!! FOUND LESS[1] MODULES IN DB IN MODULE LIST[39] THAN IN CURRENT MODULE LIST[40]
[    6.118231] [p_lkrg] EXTRA MODULE:
[    6.118477] [p_lkrg] ** EXTRA MODULE IS THE SAME AS ON-GOING MODULE ACTIVITY EVENTS **
[    6.118646] [p_lkrg] ALERT !!! FOUND LESS[1] MODULES IN DB IN KOBJ[39] THAN IN CURRENT KOBJ[40]
[    6.118739] [p_lkrg] EXTRA MODULE:
[    6.118978] [p_lkrg] ** EXTRA MODULE IS THE SAME AS ON-GOING MODULE ACTIVITY EVENTS *

More ideas that don't require kernel recompilation?

• https://github.com/Whonix/security-misc/commit/3cd7b144bba1a92ca771b16fc5215073c7561a1a
• https://github.com/Whonix/debug-misc/commit/5a856595c1cf0a4a3b08e6ea75bd2fe2b3f2f398
• https://github.com/Whonix/debug-misc/commit/9e1ea579ca0a2d4399f2e1126b2ae2f583410947
• https://github.com/Whonix/debug-misc/commit/2cac2bed7169ae4d5477cbca1f2916bae110a450