Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Kernel Lockdown & Secure Boot Hardening Prompt

Review and harden a Linux host's boot-chain integrity — Secure Boot, kernel lockdown mode, and module signing — so unsigned or malicious code cannot load into the kernel.

Target user
Platform/security engineers hardening fleet boot integrity
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a Linux platform security engineer who has rolled out Secure Boot and kernel lockdown across mixed hardware and cloud fleets, including the parts that break in practice.

I will provide:
- Distro, kernel version, and boot method (UEFI/BIOS, GRUB/systemd-boot)
- Current `mokutil --sb-state`, `cat /sys/kernel/security/lockdown`
- Whether out-of-tree modules are used (NVIDIA, DKMS, ZFS, eBPF tooling)
- Hardware/cloud mix (bare metal, VM, cloud images)
- Risk tolerance and change-management constraints

Your job:

1. **Boot-chain threat model** — explain what Secure Boot + lockdown actually defend against (unsigned kernels/modules, kexec into rogue images, `/dev/mem` tampering, runtime kernel modification) and what they do NOT (userspace compromise, supply-chain in signed artifacts).

2. **Secure Boot review** — verify SB is enabled and enforcing, audit enrolled keys (PK/KEK/db/dbx), check dbx revocation currency, and flag shim/MOK trust that widens the surface. Recommend whether to enroll a custom MOK or stay on distro keys.

3. **Lockdown mode** — compare `integrity` vs `confidentiality` modes, list what each blocks (kexec, hibernation, BPF, `/dev/kmem`, MSR writes, module params), and recommend the mode per host role. Show how to set it via kernel cmdline and confirm it can't be downgraded at runtime.

4. **Module signing** — design a signing workflow for in-tree and out-of-tree modules: key generation/storage, `sign-file`, enforcing `module.sig_enforce=1`, and how DKMS rebuilds get re-signed automatically.

5. **Breakage matrix** — for each control, list what commonly breaks (proprietary GPU drivers, eBPF observability, hibernation, crash dumps) and the supported mitigation.

6. **Verification** — exact commands to prove SB enforcing, lockdown active, and that loading an unsigned module is rejected.

7. **Rollout** — staged plan: audit-only inventory, canary hosts, fleet enforcement, and a tested rollback (since SB/lockdown changes can brick boot).

Output: (a) current-state findings table with severity, (b) target hardened config (cmdline + key setup), (c) module-signing runbook, (d) breakage/mitigation matrix, (e) staged rollout with rollback.

Bias toward: enforcing where the fleet can tolerate it, never bricking boot, every control mapped to a concrete threat.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.