This has been implemented a while ago.
Documented just now. Quote Dracut Emergency Shell:
dracut emergency shell is disabled by default in Kicksecure for security reasons. This is implemented in file
/etc/default/grub.d/41_recovery_restrict.cfg.To re-enable the dracut emergency shell, which can be useful for debugging, see wiki chapter Recovery Mode.
related forum discussion:
One could say, it’s easy for a physical attacker to re-enable dracut recovery console using a kernel parameter change - which is even documented - hence defeating the purpose. That is correct - at time of writing. Protecting the kernel command line is the job of verified boot. Related:
- wiki: Verified Boot
- forum: Verified Boot
Developers need it sometimes to debug boot issues, unbootable systems or instruct users on how to do that.
Once verified boot is implemented, only the device owner shall have this capability.