How to add sysrq_always_enabled and audit=0 kernel parameters to an AppVM in QubesOS 4.0 ?
Current /proc/cmdline inside the VM is:
[user@dev01-w-s-f-fdr28 ~]$ cat /proc/cmdline
root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 nopat
tl;dr: Run this in dom0: qvm-prefs --set vmnamehere kernelopts 'nopat sysrq_always_enabled audit=0'
In Qubes OS (4.0), if you want to add new kernel parameters for a specific VM (AppVM or TemplateVM) you can (only?) do so from dom0.
First, see what kernel parameters are already added(because you need to specify them when you set the new ones), in dom0 execute:
$ qvm-prefs --get dev01-w-s-f-fdr28 kernelopts
nopat
(dev01-w-s-f-fdr28 is the name of my VM, but don't let that confuse you)
Note that nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 (seen in OP) are not reported. You can find them set in file /usr/share/qubes/templates/libvirt/xen.xml which is not something you're expected to ever modify:
[ctor@dom0 usr]$ grep -C1 'nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0' /usr/share/qubes/templates/libvirt/xen.xml
{% if vm.kernel %}
<cmdline>root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 {{ vm.kernelopts }}</cmdline>
{% endif %}
To set the new kernel parameters you have to remember to also specify the existing ones(reported by --get above ie. nopat), in dom0 execute:
$ qvm-prefs --set dev01-w-s-f-fdr28 kernelopts 'nopat sysrq_always_enabled audit=0'
Verify, in dom0:
$ qvm-prefs --get dev01-w-s-f-fdr28 kernelopts
nopat sysrq_always_enabled audit=0
Restart the VM(aka qube), then verify inside the VM:
[user@dev01-w-s-f-fdr28 ~]$ cat /proc/cmdline
root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 nopat sysrq_always_enabled audit=0